CVE-2025-12036 Vulnerability: A New Critical Chrome V8 JavaScript Engine Flaw Enables Attackers to Execute Remote Code on Vulnerable Systems

October 24, 2025 · 4 min read

Remote code execution (RCE) vulnerabilities pose significant security threats, including data breaches, service outages, ransomware deployment, and unauthorized lateral movement. Following the recent disclosure of CVE-2025-11001 and CVE-2025-11002, two flaws in 7-Zip that could allow remote attackers to run arbitrary code and potentially gain full system control, another critical vulnerability with similar RCE potential has now emerged. Identified as CVE-2025-12036, the vulnerability stems from an inappropriate implementation within V8, Google’s open-source JavaScript and WebAssembly engine used by Chrome and other Chromium-based browsers.

As V8 executes JavaScript code within browsers, it plays a vital role in everyday web functionality, processing millions of code executions every day. Vulnerabilities in such a foundational component can open the door for attackers to steal sensitive data, deploy malware, or take control of affected systems. Just a month ago, another critical flaw in Chrome’s V8 JavaScript and WebAssembly engine, tracked as CVE-2025-10585, drew significant attention in the cybersecurity landscape. The previously uncovered flaw enabled attackers to execute malicious code on victims’ systems by enticing them to visit a compromised website containing crafted JavaScript. The emergence of another critical vulnerability in the same widely used software significantly heightens the exposure risk for users and underscores the need for swift defensive measures.

Register for SOC Prime Platform to unlock access to the global active threats feed that curates AI-native CTI and context-enriched detection content to preempt critical threats. All detections are compatible with industry-leading SIEM, EDR, and Data Lake platforms and are aligned with MITRE ATT&CK®. Moreover, each piece of content provides in-depth threat context for streamlined threat investigation, including CTI links, attack timelines, audit configurations, triage recommendations, and other relevant metadata. Click the Explore Detections button to access the comprehensive collection of detection algorithms to proactively defend against emerging and known vulnerabilities filtered by the “CVE” tag.


Security teams can also take advantage of Uncoder AI to perform detection engineering tasks end-to-end. The solution enables defenders to convert IOCs into custom hunting queries in real time, seamlessly generate detection code from raw threat reports, visualize Attack Flow diagrams, apply AI-driven query optimization, and translate detections across diverse language formats—everything from a single place.

CVE-2025-12036 Analysis

Google has recently rolled out an emergency security update for its Chrome browser to fix a new Chrome V8 JavaScript engine vulnerability that could enable RCE on vulnerable systems. The vulnerability, identified as CVE-2025-12036, has been addressed in Chrome version 141.0.7390.122/.123 for Windows and macOS, and version 141.0.7390.122 for Linux.

The flaw was identified on October 15, 2025, by Google’s Big Sleep project, the company’s AI-driven cybersecurity research initiative. This discovery marks another major contribution from Google’s artificial intelligence systems to vulnerability detection efforts. The issue was described as an inappropriate implementation in V8, the open-source JavaScript and WebAssembly engine that powers Chrome and other Chromium-based browsers. Given the potential impact, CVE-2025-12036 was assessed as critical, underscoring the serious risks of its successful exploitation.

Google responded rapidly to mitigate CVE-2025-12036, issuing the fix just six days after discovery. The patch is currently being distributed to users via Chrome’s automatic update mechanism, with the rollout expected to reach all users within the next few weeks. Users are strongly encouraged to verify their browser version by navigating to Settings > About Chrome, where the browser automatically checks for and installs any pending updates. The vendor also emphasized that many Chrome vulnerabilities are detected using advanced automated security testing frameworks, such as AddressSanitizer, MemorySanitizer, UndefinedBehaviorSanitizer, Control Flow Integrity, libFuzzer, and AFL. These tools enable early detection of security flaws before they are exploited in the wild.
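For teams that need to check more than one machine, the version check above can be run across an asset inventory. The following is an added example, not code from Google or SOC Prime: the CSV layout, host names, and sample version strings are constructed for illustration, and only the fixed build number comes from this article.

```python
import csv
import io
import re

# First fixed build named in the article (Windows/macOS also received .123).
FIXED_BUILD = (141, 0, 7390, 122)

VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)$")

# Constructed sample inventory (assumed layout): host, os, browser, version.
SAMPLE_INVENTORY = """\
host,os,browser,version
ws-001,windows,chrome,141.0.7390.123
ws-002,windows,chrome,141.0.7390.108
mac-07,macos,chrome,141.0.7390.122
lin-12,linux,chrome,140.0.7339.207
ws-003,windows,edge,141.0.3537.71
kiosk-4,linux,chrome,unknown
"""


def parse_version(text):
    """Return a 4-tuple of ints for 'a.b.c.d', or None if malformed."""
    m = VERSION_RE.match(text.strip())
    return tuple(int(p) for p in m.groups()) if m else None


def classify(browser, version_text):
    """Classify one inventory row against the fixed Chrome build."""
    if browser.strip().lower() != "chrome":
        # The article lists fixed builds for Chrome only; other
        # Chromium-based browsers follow their own vendor's versioning.
        return "check-vendor"
    version = parse_version(version_text)
    if version is None:
        return "unparseable"
    # Tuple comparison is numeric per field, so .99 sorts below .122
    # (a plain string comparison would get this wrong).
    return "patched" if version >= FIXED_BUILD else "vulnerable"


def audit(inventory_csv):
    """Map each host in the CSV text to its classification."""
    rows = csv.DictReader(io.StringIO(inventory_csv))
    return {r["host"]: classify(r["browser"], r["version"]) for r in rows}


if __name__ == "__main__":
    for host, status in audit(SAMPLE_INVENTORY).items():
        print(f"{host:8} {status}")
```

Hosts reported as "unparseable" or "check-vendor" need manual follow-up rather than being counted as safe, and a downloaded Chrome update only takes effect once the browser has been relaunched.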

The fix is the only security patch included in the current stable channel release, highlighting the urgency with which Google prioritized the issue. Following its standard vulnerability disclosure policy, Google will withhold detailed technical information and access to related bug reports until most users have received the security update.

As the threat of vulnerability exploitation continues to grow, implementing proactive defense strategies is essential to enhance an organization’s overall cybersecurity resilience. By leveraging SOC Prime’s complete product suite backed by AI, automated capabilities, and real-time threat intelligence, global organizations can strengthen their defenses at scale and minimize the risks of exposure to critical threats. 
