iSURG

Chrome 0-day discovered by LLM analysis - CVE-2025-9478 - low level

Applied Paranoia

    jet@hackertalks.com wrote (last edited by jet@hackertalks.com), #1

    NVD - CVE-2025-9478 (nvd.nist.gov)

    Discovered with google bigsleep https://www.vice.com/en/article/google-big-sleep-first-ai-to-ever-prevent-cyberattack/

    Security linting is a great use-case for these tools

    Here is a related writeup to the SMB use after free https://sean.heelan.io/2025/05/22/how-i-used-o3-to-find-cve-2025-37899-a-remote-zeroday-vulnerability-in-the-linux-kernels-smb-implementation/

    Of course, part of that wiring will be figuring out how to deal with the signal to noise ratio of ~1:50 in this case, but that’s something we are already making progress at.

    So big sleep probably had lots of human help as well

    :::spoiler Summary Provided By AI LLM NoteGPT.io

    Summary

    The video discusses a critical security vulnerability found in Google Chrome, specifically a use-after-free bug in the Angle graphics engine, which is responsible for interacting with the GPU to render 2D and 3D graphics through WebGL. This vulnerability, identified as CVE-2025-9478, was discovered by Google's internal AI tool called Google Big Sleep, a collaboration between Google DeepMind and Project Zero, highlighting the growing role of AI in security research.

    The presenter explains the nature of use-after-free vulnerabilities using a simplified example with "cat" and "dog" structures in memory, illustrating how memory misuse occurs when freed memory is accessed again, leading to potential crashes or security exploits via type confusion. The video also emphasizes the complexity of these vulnerabilities and the challenges in discovering them using traditional and automated methods.

    Furthermore, the video promotes the presenter’s educational courses on low-level programming (C and assembly) as foundational knowledge for understanding such vulnerabilities. It also critiques the current state of AI-driven vulnerability research, noting that while AI can find bugs, the signal-to-noise ratio is low, meaning many of the AI’s bug reports are false positives, and human triage is still essential. The video concludes by encouraging viewers interested in memory corruption and security research to explore further resources like Stack Smash.

    Highlights

    • 🐟 The critical use-after-free vulnerability (CVE-2025-9478) exists in the Angle graphics engine of Google Chrome.
    • 🤖 The bug was discovered by Google’s AI tool, Google Big Sleep, showcasing AI’s growing role in cybersecurity.
    • 🧠 Use-after-free bugs involve accessing memory after it has been freed, causing crashes or security risks through type confusion.
    • 🔍 Google Project Zero and DeepMind collaboration is pioneering AI-driven vulnerability discovery.
    • ⚠️ AI vulnerability detection suffers from a high false positive rate, with only 1 in 50 reported bugs being valid.
    • 📚 Mastering low-level programming languages like C and assembly is essential for understanding and exploiting these bugs.
    • 🔄 Use-after-free vulnerabilities are complex because they require triggering specific program states, making AI assistance valuable but challenging.

    Key Insights

    • 🐠 Angle's Role in Chrome’s Graphics Rendering: Angle acts as a bridge between the browser and GPU hardware, enabling the use of WebGL to render graphics. Vulnerabilities here directly impact how Chrome interacts with hardware, making bugs like use-after-free especially critical because they can lead to memory corruption, crashes, or code execution. Understanding this component is vital for grasping the severity of such a vulnerability.

    • 🧩 Use-After-Free Vulnerabilities and Type Confusion: The video’s analogy with "cat" and "dog" structures clarifies how type confusion arises from use-after-free errors. When memory allocated for one object is freed and then reallocated for another, improper checks can cause the program to misinterpret data structures, potentially allowing attackers to leak or manipulate memory. This insight highlights why these bugs are notoriously difficult to detect and exploit yet highly dangerous.

    • 🤖 AI’s Emerging Role in Security Research: The discovery of this Chrome vulnerability by Google’s Big Sleep AI tool represents a significant shift in vulnerability research methodology. AI can automate the detection of complex bugs across massive codebases, offering potential efficiency gains over manual analysis. However, the technology is still nascent, and its practical application requires balancing AI-generated leads with expert human verification.

    • ⚠️ Challenges with AI-Driven Bug Detection: The presenter references Sean Heelan’s blog to emphasize the difficulty AI faces in accurately identifying real vulnerabilities amid numerous false positives. A signal-to-noise ratio of 1:50 means researchers must sift through many irrelevant or incorrect reports, complicating the triage process and potentially slowing down productivity. This underlines that AI is a tool to augment, not replace, human expertise in security research.

    • 🧠 Importance of Low-Level Programming Knowledge: The video insists on the necessity of understanding low-level concepts like memory management, pointers, and assembly language to truly grasp how use-after-free and other memory corruption bugs function. This foundational knowledge empowers security professionals to write better exploits, perform deeper analyses, and comprehend the inner workings of vulnerabilities beyond surface-level symptoms.

    • 🔄 Complexity of Use-After-Free Exploits: Unlike simpler bugs, use-after-free vulnerabilities require the attacker to manipulate program state precisely, freeing memory and then forcing the program to use it incorrectly. This makes automatic detection and exploitation challenging, as many conditions must align perfectly. AI can help navigate this complexity but also struggles with the context sensitivity involved.

    • 🌐 Future of AI in Cybersecurity Research: Collaboration between AI research (DeepMind) and elite security teams (Project Zero) suggests that future vulnerability discovery will increasingly rely on AI-assisted tools. While current tools like Big Sleep have limitations, ongoing improvements could make AI indispensable in uncovering subtle bugs faster than ever before, reshaping how the cybersecurity industry approaches threat detection and mitigation.

    Conclusion

    This video offers a comprehensive exploration of a real-world, critical Chrome vulnerability discovered by AI, providing valuable educational insights into use-after-free bugs, the role of AI in modern security research, and the importance of foundational programming knowledge. It balances excitement about AI’s potential with realistic caution about its current limitations, encouraging viewers to deepen their understanding of low-level programming and security fundamentals to thrive in this evolving field.
    :::
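The "cat" and "dog" use-after-free analogy from the summary above, worked through in C as an added example (it is not code from the post, the video, or the ANGLE project). It uses a constructed one-slot toy allocator so that reuse of freed memory is deterministic, shows the stale pointer reading a Dog as if it were a Cat, and then shows a generation-checked handle, a common mitigation pattern, rejecting the same stale access. All type names, tags and function names are assumptions made for the illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed toy allocator with exactly one slot, so a freed object's memory
 * is always handed out again by the next allocation. Real heaps reuse memory
 * less predictably, but the mechanism behind a use-after-free is the same. */
#define SLOT_SIZE 32
static unsigned char slot[SLOT_SIZE];
static bool slot_in_use = false;
static uint32_t slot_generation = 0;   /* bumped on every allocation */

enum { TAG_CAT = 0xCA7, TAG_DOG = 0xD06 };   /* constructed type tags */
typedef struct { uint32_t tag; int lives; } Cat;
typedef struct { uint32_t tag; int bark_volume; } Dog;

/* Raw-pointer API, modelled on malloc/free: nothing stops a caller from
 * keeping and dereferencing a pointer after toy_free(). */
static void *toy_alloc(void) {
    if (slot_in_use) return NULL;
    slot_in_use = true;
    slot_generation++;
    memset(slot, 0, SLOT_SIZE);
    return slot;
}
static void toy_free(void *p) { (void)p; slot_in_use = false; }

/* Handle API: a handle records the generation it was issued for, and
 * toy_get() refuses to return a pointer once the slot has been freed or reused. */
typedef struct { uint32_t generation; } Handle;
static Handle toy_alloc_handle(void) {
    Handle h = { 0 };
    if (toy_alloc() != NULL) h.generation = slot_generation;
    return h;
}
static void *toy_get(Handle h) {
    if (!slot_in_use || h.generation != slot_generation) return NULL;  /* stale */
    return slot;
}
static void toy_free_handle(Handle h) { if (toy_get(h) != NULL) toy_free(slot); }

/* Use-after-free with type confusion: returns the "lives" field read through
 * the dangling Cat pointer, which is really the Dog's bark_volume. */
int demo_unsafe(int bark_volume, uint32_t *tag_seen) {
    Cat cat = { TAG_CAT, 9 };
    void *p = toy_alloc();
    memcpy(p, &cat, sizeof cat);         /* the cat lives in the slot */
    toy_free(p);                         /* ...but p is kept: it now dangles */

    Dog dog = { TAG_DOG, bark_volume };
    void *q = toy_alloc();               /* the same slot is reused for a dog */
    memcpy(q, &dog, sizeof dog);

    Cat stale;                           /* the program still believes p is a Cat */
    memcpy(&stale, p, sizeof stale);
    toy_free(q);
    if (tag_seen) *tag_seen = stale.tag; /* TAG_DOG: the object changed type */
    return stale.lives;
}

/* Convenience wrapper returning only the tag observed through the dangling pointer. */
uint32_t demo_unsafe_tag(int bark_volume) {
    uint32_t tag = 0;
    demo_unsafe(bark_volume, &tag);
    return tag;
}

/* The same sequence through handles: the stale handle is rejected before any
 * confused read can happen. Returns true when the bug was caught. */
bool demo_guarded(int bark_volume) {
    Cat cat = { TAG_CAT, 9 };
    Handle hc = toy_alloc_handle();
    memcpy(toy_get(hc), &cat, sizeof cat);
    toy_free_handle(hc);

    Dog dog = { TAG_DOG, bark_volume };
    Handle hd = toy_alloc_handle();
    memcpy(toy_get(hd), &dog, sizeof dog);

    bool caught = (toy_get(hc) == NULL);  /* old handle no longer resolves */
    toy_free_handle(hd);
    return caught;
}

int main(void) {
    uint32_t tag = 0;
    int lives = demo_unsafe(11, &tag);
    printf("dangling Cat read: tag=0x%X lives=%d (actually the Dog's bark_volume)\n",
           (unsigned)tag, lives);
    printf("handle API caught stale use: %s\n", demo_guarded(11) ? "yes" : "no");
    return 0;
}
```

The raw-pointer path is the shape of the bug class the summary describes: the freed memory is still addressable, a different object lands in it, and code that trusts its old view of the memory reads the new object's fields. The handle path is one defensive shape: ownership is tracked by the allocator rather than by whoever holds a pointer, so a stale reference fails closed instead of silently reading the wrong type.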
