SB20251112167 - Multiple vulnerabilities in Prisma Access Browser

Description

This security bulletin contains information about 23 secuirty vulnerabilities.

1) Improperly implemented security check for standard (CVE-ID: CVE-2025-12440)

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists due to incorrect implementation in Autofill in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it and gain access to sensitive information.

2) Spoofing attack (CVE-ID: CVE-2025-12447)

The vulnerability allows a remote attacker to perform a spoofing attack.

The vulnerability exists due to insufficient validation of user-supplied input in Omnibox in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it and spoof web page content.

3) Spoofing attack (CVE-ID: CVE-2025-12446)

The vulnerability allows a remote attacker to perform a spoofing attack.

The vulnerability exists due to insufficient validation of user-supplied input in SplitView in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it and spoof web page content.

4) Protection Mechanism Failure (CVE-ID: CVE-2025-12445)

The vulnerability allows a remote attacker to bypass implemented security restrictions.

The vulnerability exists due to insufficient implementation of security measures in Extensions. A remote attacker can bypass implemented security restrictions.

5) Spoofing attack (CVE-ID: CVE-2025-12444)

The vulnerability allows a remote attacker to perform a spoofing attack.

The vulnerability exists due to insufficient validation of user-supplied input in Fullscreen UI in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it and spoof web page content.

6) Out-of-bounds read (CVE-ID: CVE-2025-12443)

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to a boundary condition within the WebXR component in Google Chrome. A remote attacker can trick the victim into visiting a specially crafted web page, trigger an out-of-bounds read error and gain access to sensitive information.

7) Out-of-bounds read (CVE-ID: CVE-2025-12441)

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to a boundary condition within the V8 component in Google Chrome. A remote attacker can trick the victim into visiting a specially crafted web page, trigger an out-of-bounds read error and gain access to sensitive information.

8) Improperly implemented security check for standard (CVE-ID: CVE-2025-12439)

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists due to incorrect implementation in App-Bound Encryption in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it and gain access to sensitive information.

9) Type Confusion (CVE-ID: CVE-2025-12428)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a type confusion error within the V8 component in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it, trigger a type confusion error and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

10) Use-after-free (CVE-ID: CVE-2025-12438)

The vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists due to a use-after-free error within Ozone in Google Chrome. A remote attacker can trick the victim into visiting a specially crafted web page, trigger a use-after-free error and gain access to sensitive information.

11) Use-after-free (CVE-ID: CVE-2025-12437)

The vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists due to a use-after-free error within PageInfo in Google Chrome. A remote attacker can trick the victim into visiting a specially crafted web page, trigger a use-after-free error and gain access to sensitive information.

12) Improper access control (CVE-ID: CVE-2025-12436)

The vulnerability allows a remote attacker to bypass implemented security restrictions.

The vulnerability exists due to improper access restrictions in Extensions. A remote attacker can create a specially crafted web page, trick the victim into visiting it, bypass implemented security restrictions and gain unauthorized access to sensitive information.

13) Spoofing attack (CVE-ID: CVE-2025-12435)

The vulnerability allows a remote attacker to perform a spoofing attack.

The vulnerability exists due to insufficient validation of user-supplied input in Omnibox in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it and spoof web page content.

14) Race condition (CVE-ID: CVE-2025-12434)

The vulnerability allows a remote attacker to bypass implemented security restrictions.

The vulnerability exists due to a race condition in Storage in Google Chrome. A remote attacker can trick the victim to open a specially crafted web page and bypass implemented security restrictions.

15) Improperly implemented security check for standard (CVE-ID: CVE-2025-12036)

The vulnerability allows a remote attacker to compromise the affected system.

The vulnerability exists due to incorrect implementation in V8 in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it and compromise the system.

16) Improperly implemented security check for standard (CVE-ID: CVE-2025-12433)

The vulnerability allows a remote attacker to compromise the affected system.

The vulnerability exists due to incorrect implementation in V8 in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it and compromise the system.

17) Race condition (CVE-ID: CVE-2025-12432)

The vulnerability allows a remote attacker to compromise the affected system.

The vulnerability exists due to a race condition in V8 in Google Chrome. A remote attacker can trick the victim to visit a specially crafted webpage and execute arbitrary code on the target system.

18) Improperly implemented security check for standard (CVE-ID: CVE-2025-12431)

The vulnerability allows a remote attacker to compromise the affected system.

The vulnerability exists due to incorrect implementation in Extensions in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it and compromise the system.

19) Improper control of a resource through its lifetime (CVE-ID: CVE-2025-12430)

The vulnerability allows a remote attacker to compromise the affected system.

The vulnerability exists due to improper control of object lifetime in Media in Google Chrome. A remote attacker can trick the victim to visit a specially crafted webpage, trigger a stack-based buffer overflow and execute arbitrary code on the system.

20) Improperly implemented security check for standard (CVE-ID: CVE-2025-12429)

The vulnerability allows a remote attacker to compromise the affected system.

The vulnerability exists due to incorrect implementation in V8 in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it and compromise the system.

21) Input validation error (CVE-ID: CVE-2025-4616)

The vulnerability allows a remote attacker to compromise the affected system.

The vulnerability exists due to insufficient validation of user-supplied input. A remote attacker can trick the victim into visiting a specially crafted website and execute arbitrary code on the system.

22) Protection Mechanism Failure (CVE-ID: CVE-2025-4617)

The vulnerability allows a remote attacker to bypass implemented security restrictions.

The vulnerability exists due to insufficient policy enforcement. An attacker can trick the victim into opening a specially crafted website and bypass implemented security restrictions.

23) Information disclosure (CVE-ID: CVE-2025-4618)

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to excessive data output by the application. A remote attacker can trick the victim into visiting a specially crafted website and gain access to sensitive information.

Remediation

Install update from vendor's website.

References

• https://security.paloaltonetworks.com/PAN-SA-2025-0018