CVE-2025-12725 is a vulnerability identified in the WebGPU implementation of Google Chrome on Android devices prior to version 142.0.7444.137. The flaw is an out of bounds read that can be manipulated by a remote attacker through a specially crafted HTML page to cause an out of bounds memory write. WebGPU is a web standard designed to provide high-performance graphics and computation capabilities in browsers, and this vulnerability arises from improper bounds checking within this component. The out of bounds write can lead to arbitrary code execution, allowing attackers to compromise the confidentiality, integrity, and availability of the device. The attack vector is remote and requires no privileges or prior authentication, but it does require user interaction, such as visiting a malicious website. The vulnerability has been assigned a CVSS v3.1 base score of 8.8, reflecting its high severity with network attack vector, low attack complexity, no privileges required, user interaction needed, and high impact on confidentiality, integrity, and availability. While no exploits have been reported in the wild yet, the potential for exploitation is significant given the widespread use of Chrome on Android devices. The vulnerability was publicly disclosed on November 10, 2025, and Google has released a patched version (142.0.7444.137) to address the issue. Organizations relying on Chrome on Android devices should prioritize patching to mitigate risk.

The vulnerability poses a critical risk to European organizations using Google Chrome on Android devices. Successful exploitation can lead to arbitrary code execution, enabling attackers to steal sensitive information, manipulate data, or disrupt device functionality. This can compromise corporate data confidentiality, integrity, and availability, potentially leading to data breaches, operational disruptions, and reputational damage. Mobile devices are often used for accessing corporate resources, making this vulnerability a vector for lateral movement or initial compromise. The requirement for user interaction (visiting a malicious webpage) means phishing or drive-by download attacks could be effective. Given the high adoption of Android devices in Europe, especially in sectors with mobile workforces such as finance, healthcare, and government, the impact could be widespread. Additionally, the vulnerability could be leveraged in targeted attacks against high-value European entities or critical infrastructure that rely on mobile Chrome browsers.

1. Immediate update of Google Chrome on all Android devices to version 142.0.7444.137 or later to apply the security patch. 2. Implement enterprise mobile device management (MDM) policies to enforce timely browser updates and restrict installation of untrusted applications. 3. Deploy web filtering solutions to block access to known malicious websites and suspicious content that could host exploit pages. 4. Educate users on the risks of clicking unknown links or visiting untrusted websites, emphasizing the need for caution with unsolicited communications. 5. Monitor network traffic for unusual patterns that may indicate exploitation attempts, such as anomalous outbound connections from mobile devices. 6. Consider disabling or restricting WebGPU usage via browser policies if feasible, to reduce the attack surface until patches are fully deployed. 7. Maintain an incident response plan that includes mobile device compromise scenarios to quickly contain and remediate potential breaches.