CVE-2025-34091 is a high-severity vulnerability affecting Google Chrome version 127 that leverages a padding oracle attack against the AppBound cookie encryption mechanism. The vulnerability arises from the way Chrome encrypts cookies using a layered encryption approach involving Windows DPAPI (Data Protection API). Specifically, Chrome’s AppBound encryption uses SYSTEM-DPAPI to encrypt blobs, which are then further encrypted with user-DPAPI. When malformed ciphertexts are sent to the Chrome elevation service, Windows logs detailed decryption failure events distinguishing between padding errors and MAC (Message Authentication Code) errors. This verbose error feedback creates an observable discrepancy (CWE-203) that a local attacker can exploit to perform a padding oracle attack. By repeatedly sending malformed ciphertexts and analyzing Windows Event Logs, the attacker can partially decrypt the SYSTEM-DPAPI layer, eventually recovering the user-DPAPI encrypted cookie key. Since the attacker operates in their own user context, they can trivially decrypt the recovered cookie key, effectively stealing cookies that should be protected by AppBound encryption. This undermines the core security guarantees of AppBound encryption, enabling low-privileged local attackers to steal sensitive cookie data. The vulnerability is rooted in cryptographic misuse combined with Windows DPAPI’s error reporting behavior. While confirmed in Google Chrome, other Chromium-based browsers using similar COM-based encryption mechanisms may also be vulnerable. The attack requires local access and elevated privileges to interact with the Chrome elevation service but does not require user interaction. The CVSS 4.0 score is 8.8 (high), reflecting the significant confidentiality impact and complexity of exploitation. No known exploits are currently in the wild, but the vulnerability’s nature makes it a serious concern for environments relying on Chrome’s AppBound encryption on Windows platforms.

For European organizations, this vulnerability poses a significant risk to the confidentiality of sensitive session cookies and authentication tokens stored by Google Chrome. Since cookies often contain session identifiers and authentication credentials, their theft can lead to unauthorized access to corporate web applications, internal portals, and cloud services. The attack requires local access, so the primary risk vector is through compromised or insider machines within the organization. Given the widespread use of Google Chrome in European enterprises and the reliance on Windows operating systems, this vulnerability could facilitate lateral movement and privilege escalation in targeted attacks. The ability to bypass AppBound encryption undermines endpoint security controls designed to protect sensitive data at rest. This is particularly critical for sectors with stringent data protection requirements such as finance, healthcare, and government agencies in Europe. Additionally, the verbose error logging behavior in Windows Event Logs may expose sensitive cryptographic failure information, which could be leveraged in further attacks. Although no public exploits are known yet, the high CVSS score and detailed technical disclosure suggest that threat actors may develop exploits, increasing the urgency for European organizations to address this vulnerability promptly.

1. Apply official patches from Google as soon as they become available to address the padding oracle vulnerability in Chrome’s AppBound encryption. 2. Until patches are released, restrict local access to systems running vulnerable Chrome versions by enforcing strict endpoint security policies, including least privilege principles and strong access controls. 3. Monitor Windows Event Logs for unusual decryption failure patterns that could indicate exploitation attempts targeting the Chrome elevation service. 4. Disable or limit the use of AppBound encryption if feasible, or configure Chrome to avoid using SYSTEM-DPAPI encryption layers that expose verbose error feedback. 5. Employ endpoint detection and response (EDR) solutions capable of detecting anomalous local processes interacting with Chrome’s elevation service or sending malformed ciphertexts. 6. Educate users and administrators about the risks of local privilege escalation and the importance of timely software updates. 7. Consider network segmentation and application whitelisting to reduce the risk of local attackers gaining footholds on critical systems. 8. Review and harden Windows DPAPI logging configurations to minimize verbose error disclosures without losing essential audit capabilities.