Security update for chromium SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2025:20020-1 Final 1 1 2025-10-15T13:33:21Z current 2025-10-15T13:33:21Z 2025-10-15T13:33:21Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for chromium This update for chromium fixes the following issues: Chromium 141.0.7390.76: * Do not send URLs as AIM input. This is to resolve a privacy concern, around passing urls to AI Mode. Chromium 141.0.7390.65 (boo#1251334): * CVE-2025-11458: Heap buffer overflow in Sync * CVE-2025-11460: Use after free in Storage * CVE-2025-11211: Out of bounds read in WebCodecs Chromium 141.0.7390.54 (stable released 2025-09-30) (boo#1250780) * CVE-2025-11205: Heap buffer overflow in WebGPU * CVE-2025-11206: Heap buffer overflow in Video * CVE-2025-11207: Side-channel information leakage in Storage * CVE-2025-11208: Inappropriate implementation in Media * CVE-2025-11209: Inappropriate implementation in Omnibox * CVE-2025-11210: Side-channel information leakage in Tab * CVE-2025-11211: Out of bounds read in Media * CVE-2025-11212: Inappropriate implementation in Media * CVE-2025-11213: Inappropriate implementation in Omnibox * CVE-2025-11215: Off by one error in V8 * CVE-2025-11216: Inappropriate implementation in Storage * CVE-2025-11219: Use after free in V8 * Various fixes from internal audits, fuzzing and other initiatives Chromium 141.0.7390.37 (beta released 2025-09-24) Chromium 140.0.7339.207 (boo#1250472) * CVE-2025-10890: Side-channel information leakage in V8 * CVE-2025-10891: Integer overflow in V8 * CVE-2025-10892: Integer overflow in V8 The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Leap-16.0-packagehub-1 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1250472 SUSE Bug 1250472 https://bugzilla.suse.com/1250780 SUSE Bug 1250780 https://bugzilla.suse.com/1251334 SUSE Bug 1251334 https://www.suse.com/security/cve/CVE-2025-10890/ SUSE CVE CVE-2025-10890 page https://www.suse.com/security/cve/CVE-2025-10891/ SUSE CVE CVE-2025-10891 page https://www.suse.com/security/cve/CVE-2025-10892/ SUSE CVE CVE-2025-10892 page https://www.suse.com/security/cve/CVE-2025-11205/ SUSE CVE CVE-2025-11205 page https://www.suse.com/security/cve/CVE-2025-11206/ SUSE CVE CVE-2025-11206 page https://www.suse.com/security/cve/CVE-2025-11207/ SUSE CVE CVE-2025-11207 page https://www.suse.com/security/cve/CVE-2025-11208/ SUSE CVE CVE-2025-11208 page https://www.suse.com/security/cve/CVE-2025-11209/ SUSE CVE CVE-2025-11209 page https://www.suse.com/security/cve/CVE-2025-11210/ SUSE CVE CVE-2025-11210 page https://www.suse.com/security/cve/CVE-2025-11211/ SUSE CVE CVE-2025-11211 page https://www.suse.com/security/cve/CVE-2025-11212/ SUSE CVE CVE-2025-11212 page https://www.suse.com/security/cve/CVE-2025-11213/ SUSE CVE CVE-2025-11213 page https://www.suse.com/security/cve/CVE-2025-11215/ SUSE CVE CVE-2025-11215 page https://www.suse.com/security/cve/CVE-2025-11216/ SUSE CVE CVE-2025-11216 page https://www.suse.com/security/cve/CVE-2025-11219/ SUSE CVE CVE-2025-11219 page https://www.suse.com/security/cve/CVE-2025-11458/ SUSE CVE CVE-2025-11458 page https://www.suse.com/security/cve/CVE-2025-11460/ SUSE CVE CVE-2025-11460 page openSUSE Leap 16.0 chromedriver-141.0.7390.76-bp160.1.1 chromium-141.0.7390.76-bp160.1.1 chromedriver-141.0.7390.76-bp160.1.1 as a component of openSUSE Leap 16.0 chromium-141.0.7390.76-bp160.1.1 as a component of openSUSE Leap 16.0 Side-channel information leakage in V8 in Google Chrome prior to 140.0.7339.207 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: High) CVE-2025-10890 openSUSE Leap 16.0:chromedriver-141.0.7390.76-bp160.1.1 openSUSE Leap 16.0:chromium-141.0.7390.76-bp160.1.1 critical To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2025-10890.html CVE-2025-10890 https://bugzilla.suse.com/1250472 SUSE Bug 1250472 Integer overflow in V8 in Google Chrome prior to 140.0.7339.207 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High) CVE-2025-10891 openSUSE Leap 16.0:chromedriver-141.0.7390.76-bp160.1.1 openSUSE Leap 16.0:chromium-141.0.7390.76-bp160.1.1 critical To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2025-10891.html CVE-2025-10891 https://bugzilla.suse.com/1250472 SUSE Bug 1250472 Integer overflow in V8 in Google Chrome prior to 140.0.7339.207 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High) CVE-2025-10892 openSUSE Leap 16.0:chromedriver-141.0.7390.76-bp160.1.1 openSUSE Leap 16.0:chromium-141.0.7390.76-bp160.1.1 critical To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2025-10892.html CVE-2025-10892 https://bugzilla.suse.com/1250472 SUSE Bug 1250472 Heap buffer overflow in WebGPU in Google Chrome prior to 141.0.7390.54 allowed a remote attacker who had compromised the renderer process to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High) CVE-2025-11205 openSUSE Leap 16.0:chromedriver-141.0.7390.76-bp160.1.1 openSUSE Leap 16.0:chromium-141.0.7390.76-bp160.1.1 critical To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2025-11205.html CVE-2025-11205 https://bugzilla.suse.com/1250780 SUSE Bug 1250780 Heap buffer overflow in Video in Google Chrome prior to 141.0.7390.54 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High) CVE-2025-11206 openSUSE Leap 16.0:chromedriver-141.0.7390.76-bp160.1.1 openSUSE Leap 16.0:chromium-141.0.7390.76-bp160.1.1 critical To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2025-11206.html CVE-2025-11206 https://bugzilla.suse.com/1250780 SUSE Bug 1250780 Side-channel information leakage in Storage in Google Chrome prior to 141.0.7390.54 allowed a remote attacker to perform arbitrary read/write via a crafted HTML page. (Chromium security severity: Medium) CVE-2025-11207 openSUSE Leap 16.0:chromedriver-141.0.7390.76-bp160.1.1 openSUSE Leap 16.0:chromium-141.0.7390.76-bp160.1.1 critical To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2025-11207.html CVE-2025-11207 https://bugzilla.suse.com/1250780 SUSE Bug 1250780 Inappropriate implementation in Media in Google Chrome prior to 141.0.7390.54 allowed a remote attacker who convinced a user to engage in specific UI gestures to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium) CVE-2025-11208 openSUSE Leap 16.0:chromedriver-141.0.7390.76-bp160.1.1 openSUSE Leap 16.0:chromium-141.0.7390.76-bp160.1.1 critical To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2025-11208.html CVE-2025-11208 https://bugzilla.suse.com/1250780 SUSE Bug 1250780 Inappropriate implementation in Omnibox in Google Chrome on Android prior to 141.0.7390.54 allowed a remote attacker to spoof the contents of the Omnibox (URL bar) via a crafted HTML page. (Chromium security severity: Medium) CVE-2025-11209 openSUSE Leap 16.0:chromedriver-141.0.7390.76-bp160.1.1 openSUSE Leap 16.0:chromium-141.0.7390.76-bp160.1.1 critical To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2025-11209.html CVE-2025-11209 https://bugzilla.suse.com/1250780 SUSE Bug 1250780 Side-channel information leakage in Tab in Google Chrome prior to 141.0.7390.54 allowed a remote attacker who convinced a user to engage in specific UI gestures to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium) CVE-2025-11210 openSUSE Leap 16.0:chromedriver-141.0.7390.76-bp160.1.1 openSUSE Leap 16.0:chromium-141.0.7390.76-bp160.1.1 critical To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2025-11210.html CVE-2025-11210 https://bugzilla.suse.com/1250780 SUSE Bug 1250780 Out of bounds read in Media in Google Chrome prior to 141.0.7390.54 allowed a remote attacker to potentially perform out of bounds memory access via a crafted HTML page. (Chromium security severity: Medium) CVE-2025-11211 openSUSE Leap 16.0:chromedriver-141.0.7390.76-bp160.1.1 openSUSE Leap 16.0:chromium-141.0.7390.76-bp160.1.1 critical To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2025-11211.html CVE-2025-11211 https://bugzilla.suse.com/1250780 SUSE Bug 1250780 Inappropriate implementation in Media in Google Chrome on Windows prior to 141.0.7390.54 allowed a remote attacker who convinced a user to engage in specific UI gestures to perform domain spoofing via a crafted HTML page. (Chromium security severity: Medium) CVE-2025-11212 openSUSE Leap 16.0:chromedriver-141.0.7390.76-bp160.1.1 openSUSE Leap 16.0:chromium-141.0.7390.76-bp160.1.1 critical To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2025-11212.html CVE-2025-11212 https://bugzilla.suse.com/1250780 SUSE Bug 1250780 Inappropriate implementation in Omnibox in Google Chrome on Android prior to 141.0.7390.54 allowed a remote attacker who convinced a user to engage in specific UI gestures to perform domain spoofing via a crafted HTML page. (Chromium security severity: Medium) CVE-2025-11213 openSUSE Leap 16.0:chromedriver-141.0.7390.76-bp160.1.1 openSUSE Leap 16.0:chromium-141.0.7390.76-bp160.1.1 critical To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2025-11213.html CVE-2025-11213 https://bugzilla.suse.com/1250780 SUSE Bug 1250780 Off by one error in V8 in Google Chrome prior to 141.0.7390.54 allowed a remote attacker to perform an out of bounds memory read via a crafted HTML page. (Chromium security severity: Medium) CVE-2025-11215 openSUSE Leap 16.0:chromedriver-141.0.7390.76-bp160.1.1 openSUSE Leap 16.0:chromium-141.0.7390.76-bp160.1.1 critical To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2025-11215.html CVE-2025-11215 https://bugzilla.suse.com/1250780 SUSE Bug 1250780 Inappropriate implementation in Storage in Google Chrome on Mac prior to 141.0.7390.54 allowed a remote attacker to perform domain spoofing via a crafted video file. (Chromium security severity: Low) CVE-2025-11216 openSUSE Leap 16.0:chromedriver-141.0.7390.76-bp160.1.1 openSUSE Leap 16.0:chromium-141.0.7390.76-bp160.1.1 critical To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2025-11216.html CVE-2025-11216 https://bugzilla.suse.com/1250780 SUSE Bug 1250780 Use after free in V8 in Google Chrome prior to 141.0.7390.54 allowed a remote attacker to potentially perform out of bounds memory access via a crafted HTML page. (Chromium security severity: Low) CVE-2025-11219 openSUSE Leap 16.0:chromedriver-141.0.7390.76-bp160.1.1 openSUSE Leap 16.0:chromium-141.0.7390.76-bp160.1.1 critical To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2025-11219.html CVE-2025-11219 https://bugzilla.suse.com/1250780 SUSE Bug 1250780 Heap buffer overflow in Sync in Google Chrome prior to 141.0.7390.65 allowed a remote attacker to perform an out of bounds memory read via a crafted HTML page. (Chromium security severity: High) CVE-2025-11458 openSUSE Leap 16.0:chromedriver-141.0.7390.76-bp160.1.1 openSUSE Leap 16.0:chromium-141.0.7390.76-bp160.1.1 critical To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2025-11458.html CVE-2025-11458 https://bugzilla.suse.com/1251334 SUSE Bug 1251334 Use after free in Storage in Google Chrome prior to 141.0.7390.65 allowed a remote attacker to execute arbitrary code via a crafted video file. (Chromium security severity: High) CVE-2025-11460 openSUSE Leap 16.0:chromedriver-141.0.7390.76-bp160.1.1 openSUSE Leap 16.0:chromium-141.0.7390.76-bp160.1.1 critical To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2025-11460.html CVE-2025-11460 https://bugzilla.suse.com/1251334 SUSE Bug 1251334