CVE-2025-3067 is a vulnerability identified in the Custom Tabs implementation of Google Chrome on Android devices prior to version 135.0.7049.52. Custom Tabs are a feature that allows apps to open web content within a Chrome-powered interface, providing a seamless user experience. The vulnerability arises from an inappropriate implementation that can be exploited by a remote attacker who persuades a user to perform specific UI gestures within a maliciously crafted app. This user interaction triggers a privilege escalation, allowing the attacker to gain higher privileges than intended, potentially compromising the device's security. The CVSS v3.1 score of 8.8 reflects the high severity, with attack vector being network-based (AV:N), low attack complexity (AC:L), no privileges required (PR:N), but requiring user interaction (UI:R). The scope is unchanged (S:U), and the impact on confidentiality, integrity, and availability is high (C:H/I:H/A:H). Although no known exploits are currently reported in the wild, the vulnerability represents a significant risk due to the widespread use of Chrome on Android and the potential for privilege escalation through social engineering and crafted apps. The vulnerability was publicly disclosed on April 2, 2025, and users are advised to update to the patched version 135.0.7049.52 or later to remediate the issue.

The vulnerability allows remote attackers to escalate privileges on affected Android devices by exploiting the Custom Tabs feature in Chrome. This can lead to complete compromise of the device, including unauthorized access to sensitive data, modification or deletion of information, and disruption of device functionality. Organizations relying on Android devices for sensitive communications or operations could face data breaches, loss of intellectual property, or operational downtime. The requirement for user interaction means social engineering tactics could be employed, increasing the likelihood of successful exploitation. Given Chrome's dominant market share on Android, the scope of affected systems is extensive, potentially impacting millions of users globally. The high severity and ease of exploitation without prior privileges make this a critical concern for enterprise mobile security and personal device safety.

To mitigate this vulnerability, organizations and users should immediately update Google Chrome on Android devices to version 135.0.7049.52 or later, where the issue is patched. Beyond patching, organizations should implement mobile device management (MDM) solutions to enforce timely updates and restrict installation of untrusted or suspicious apps that could exploit this vulnerability. User education is critical to reduce the risk of social engineering attacks that require specific UI gestures; training should emphasize caution when interacting with unknown apps or prompts. Additionally, monitoring for unusual app behaviors and privilege escalations can help detect exploitation attempts. Developers should review and harden the implementation of Custom Tabs and similar features to prevent UI-based privilege escalation. Finally, applying the principle of least privilege on mobile devices can limit the impact of any successful exploit.