CVE-2025-8879
Google · Google Multiple Products
Executive summary
A high-severity vulnerability has been identified in a core video processing library used by Google Chrome and other products. A remote attacker could exploit this flaw by tricking a user into visiting a malicious webpage with a specially crafted video, potentially allowing the attacker to execute arbitrary code on the user's computer. This could lead to a full system compromise, data theft, or the installation of further malware.
Vulnerability
The vulnerability is a heap-based buffer overflow within libaom, an open-source library used for decoding AV1 video streams. An attacker can craft a malicious AV1 video file that, when processed by the vulnerable library, causes the application to write data beyond the boundaries of an allocated memory buffer on the heap. This memory corruption can be leveraged by a sophisticated attacker to crash the browser process for a denial-of-service attack or, more critically, to execute arbitrary code on the victim's system with the privileges of the sandboxed browser process.
Business impact
This vulnerability is rated as High severity with a CVSS score of 8.8, reflecting the potential for remote code execution with minimal user interaction (visiting a webpage). Successful exploitation could lead to the compromise of employee workstations, resulting in the theft of sensitive corporate data, intellectual property, or user credentials. An attacker could also use a compromised machine as a beachhead to move laterally within the corporate network, install ransomware, or deploy persistent backdoors, posing a significant risk to the organization's security posture and operational integrity.
Remediation
Immediate Action: The primary remediation is to apply vendor-supplied security updates immediately. All instances of Google Chrome should be updated to version 139 or later. System administrators should enforce this update through centralized management tools and verify compliance across all endpoints.
Proactive Monitoring: Security teams should actively monitor for signs of exploitation. This includes monitoring Endpoint Detection and Response (EDR) alerts for suspicious process creation originating from chrome.exe, unexpected browser crashes in system event logs, and unusual outbound network traffic from workstations to unknown or uncategorized IP addresses.
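One way to run the chrome.exe process-creation check described above. This is an added example, not part of the original advisory or any vendor tooling. It assumes process-creation telemetry exported as JSON lines with field names modelled on Sysmon Event ID 1; the sample events and the allowlist are constructed for illustration.

```python
import json
from pathlib import PureWindowsPath

# Assumption: the only child Chrome is expected to start is its own binary.
# Extend this per environment (helper tools, registered protocol handlers).
EXPECTED_CHILDREN = {"chrome.exe"}

# Constructed sample events, not real telemetry. Field names are modelled on
# Sysmon process-creation (Event ID 1) records exported as JSON lines.
SAMPLE_EVENTS = r"""
{"Computer": "WS-014", "ParentImage": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "Image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "CommandLine": "chrome.exe --type=renderer"}
{"Computer": "WS-014", "ParentImage": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /c whoami"}
{"Computer": "WS-022", "ParentImage": "C:\\Windows\\explorer.exe", "Image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "CommandLine": "chrome.exe"}
{"Computer": "WS-031", "ParentImage": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "Image": "C:\\Users\\Public\\chrome.exe", "CommandLine": "chrome.exe"}
{"Computer": "WS-031", "ParentImage": truncated-record
"""


def suspicious_chrome_children(lines):
    """Return process-creation events where chrome.exe started an unexpected child."""
    findings = []
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # blank or truncated record: skip rather than abort the run
        if not isinstance(event, dict):
            continue
        parent = PureWindowsPath(event.get("ParentImage", ""))
        child = PureWindowsPath(event.get("Image", ""))
        if parent.name.lower() != "chrome.exe":
            continue  # only children of the browser are in scope
        if child.name.lower() not in EXPECTED_CHILDREN:
            reason = "unexpected child process"
        elif child.parent != parent.parent:
            # Same file name from another directory: a name-only allowlist would miss this.
            reason = "expected name, unexpected path"
        else:
            continue  # chrome.exe starting its own binary from its install directory
        findings.append({"host": event.get("Computer"), "image": str(child), "reason": reason})
    return findings


if __name__ == "__main__":
    for finding in suspicious_chrome_children(SAMPLE_EVENTS.splitlines()):
        print(finding)
```

Findings from a check like this are leads for triage rather than proof of exploitation, since the allowlist has to be tuned to what Chrome legitimately launches in a given environment.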
Compensating Controls: If immediate patching is not feasible, consider implementing the following controls:
- Utilize web filtering and DNS security to block access to untrusted and newly registered domains.
- Ensure endpoint security solutions (Antivirus/EDR) are up to date and configured for behavior-based detection.
- Employ browser isolation technology to render web content in a secure, remote environment, preventing malicious code from reaching the endpoint.
Exploitation status
Public Exploit Available: false
Analyst recommendation
Given the high severity (CVSS 8.8) and the potential for remote code execution, this vulnerability poses a critical risk to the organization. We strongly recommend that all affected Google Chrome installations on corporate workstations be updated to version 139 or later with the highest priority. Although there is no current evidence of active exploitation, the widespread use of the affected software makes it a highly attractive target for future attacks. Proactive patching is the most effective defense and should be completed urgently to mitigate risk.