A serious security vulnerability has recently been uncovered in the underlying technology powering most of the world’s web browsers, placing over four billion devices at risk of a data leak. The flaw was discovered by autonomous security specialist AISLE, which rated the issue as Medium severity (4.3). Despite its rating, the scale of exposure was enormous, as it affected all major browsers built on the Chromium code base—including Google Chrome, Microsoft Edge, Brave, and Opera.

The vulnerability stemmed from WebXR, a framework that enables websites to deliver immersive Virtual Reality (VR) and Augmented Reality (AR) experiences directly in the browser. AISLE’s autonomous analyzer detected the flaw in October 2025, revealing that it had silently persisted in the code for seven months before discovery.

At its core, the glitch was subtle but dangerous: during a 3D transformation, the browser failed to properly handle a small piece of data. This oversight caused the system to read 64 unintended bytes of adjacent memory, exposing sensitive information.

Security researcher Stanislav Fort explained that the leaked values revealed nearby heap memory, including pointer data—information attackers could exploit to bypass protective measures. Importantly, the attack required user interaction, such as clicking to initiate a VR session on a malicious webpage, making it a targeted but credible threat.

Chromium-based browsers dominate the global market, powering more than 70% of web usage. With Google Chrome alone installed on over three billion devices, the vulnerability touched virtually every Windows laptop, Android phone, and countless other platforms.

After AISLE responsibly disclosed the issue on October 15, 2025, Google acted with remarkable speed. A fix was pushed within 24 hours, and the stable version of Chrome was updated just 13 days later, on October 28, 2025. This swift action highlights Google’s commitment to proactive security management.

The vulnerability, now catalogued as CVE-2025-12443, has been patched. However, users must ensure their browsers are updated to the latest version to remain protected. Failing to update leaves devices exposed to potential exploitation, even though the flaw has been fixed in current builds.