Browser-Security

Google shipped ChromeOS Long-Term Support (LTS) 138.0.7204.296 (Platform 16295.81.0) on November 7, 2025, with security fixes for Safe Browsing (CVE-2025-11756), Storage (CVE-2025-11460), V8 (CVE-2025-12036), and libaom (CVE-2025-8879). Confirm the OS and platform versions during triage and push the update across your fleet. (chromereleases.googleblog.com)

Intrusion Flow

• Likely initial vector: drive-by or content rendering via the Chrome browser on ChromeOS that triggers memory-safety bugs in browser components (Safe Browsing, Storage, V8) or the AV1 codec library (libaom), leading to crash or potential code execution in the browser context. Chrome Stable channel notes for CVE-2025-11756 (Safe Browsing) and CVE-2025-11460 (Storage) confirm high-severity use-after-free issues; CVE-2025-12036 is an “inappropriate implementation” in V8; CVE-2025-8879 is a heap buffer overflow in libaom. (chromereleases.googleblog.com)
• On ChromeOS, crashes and related telemetry are collected by crash-reporter; browser and system crashes produce minidumps and logs in specific locations (see “Key Artifacts”). (chromium.googlesource.com)
• Update application is handled by update_engine; successful or failed updates leave traces in update_engine logs. (chromium.googlesource.com)

Key Artifacts to Pull

• Version and channel evidence
  • UI: Settings > About ChromeOS (records current ChromeOS version) and chrome://version (shows browser and platform versions). Capture screenshots or export the page during triage. (chromium.org)
  • Admin inventory: ChromeOS device records expose osVersion and platformVersion via the Directory API. Pull device lists or per-device records to validate fleet posture. (developers.google.com)
• Update traces
  • update_engine logs at /var/log/update_engine and the active symlink /var/log/update_engine.log. These record payload URL, state transitions, success/failure, and rollback markers. (chromium.googlesource.com)
• Browser/system logs
  • Chrome logs before login: /var/log/chrome/chrome; after login (non-test images): /home/chronos/user/log/chrome; early Chrome startup: /var/log/ui/ui.LATEST. (chromium.googlesource.com)
  • System logs: /var/log/messages and related rsyslog outputs can clarify browser startup/shutdown and service behavior. (chromium.googlesource.com)
• Crash evidence
  • Crash report storage: system crashes in /var/spool/crash/; user-session crashes under /run/daemon-store/crash/<user_hash>/; logged-out Chrome crashes in /home/chronos/crash/. Also check /var/log/chrome/Crash\ Reports/uploads.log for upload status. (chromium.googlesource.com)
  • chrome://crashes shows IDs when user consented to crash reporting; minidumps can be symbolized with tast symbolize for deeper analysis. (chromium.org)

Detection Notes

• Hunt for crash spikes or recurring signatures matching affected components:
  • Strings to grep in Chrome logs and minidumps: “SafeBrowsing”, “storage”, “V8”, “libaom”, “aom”. Combine with timestamps around user browsing sessions. Use Chrome logs and crash directories noted above. (chromium.googlesource.com)
• Correlate update success/failure with exploitation windows:
  • Parse /var/log/update_engine.log for state=UPDATED_BUT_DEFERRED, failures, or rollbacks; align with crash timestamps to spot exposure pre-patch. (chromium.googlesource.com)
• Fleet-level posture:
  • Query the Admin Directory API for devices not yet at Chrome 138.0.7204.296 (LTS milestone 138) using version search operators (example below). Device records also return platformVersion for cross-checks. (developers.google.com)

Example Directory API filter (Admin console/API search syntax supports prefix matching on Chrome version):