Chrome hit by in-the-wild ANGLE zero-day; update now

December 11, 2025 at 12:00 AM

Google has released emergency Chrome patches for three security issues, including a high-severity vulnerability already exploited in the wild. Initially kept under wraps, the flaw is now tracked as CVE-2025-14174 (CVSS 8.8) and described as an out-of-bounds memory access in the ANGLE graphics library.

What happened

  • Google confirmed active exploitation of the bug and withheld details initially to protect users while fixes roll out.
  • A linked Chromium commit indicates the issue stems from improper buffer sizing in ANGLE’s Metal renderer, likely enabling buffer overflow, memory corruption, crashes, or even arbitrary code execution.
  • Apple Security Engineering and Architecture (SEAR) and Google Threat Analysis Group (TAG) reported the issue on December 5, 2025.

CISA action

  • CISA added CVE-2025-14174 to its Known Exploited Vulnerabilities catalog.
  • Federal Civilian Executive Branch agencies must patch by January 2, 2026.
  • CISA warns a crafted HTML page could trigger out-of-bounds memory access in Chromium via ANGLE.

Update now

  • Windows and macOS: update to Chrome 143.0.7499.109 or 143.0.7499.110.
  • Linux: update to Chrome 143.0.7499.109.
  • To check your version: go to More > Help > About Google Chrome and relaunch after the update is applied.
  • Users of Chromium-based browsers (Microsoft Edge, Brave, Opera, Vivaldi) should apply their respective updates as they become available.
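
For teams checking many machines rather than one, the version comparison above can be run over a software inventory. The following is an added example, not taken from the article or from Google: the inventory rows are constructed, and the function names (`parse_version`, `classify`, `audit`) are hypothetical. It assumes Google Chrome is reported under the product name "Google Chrome" and treats other Chromium-based browsers as needing their own vendor's fixed version.

```python
import re

# Fixed Chrome builds named in the article, per platform (minimum acceptable).
PATCHED = {
    "windows": (143, 0, 7499, 109),
    "macos": (143, 0, 7499, 109),
    "linux": (143, 0, 7499, 109),
}

VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Pull a four-part version out of e.g. `google-chrome --version` output."""
    m = VERSION_RE.search(text or "")
    return tuple(int(p) for p in m.groups()) if m else None


def classify(platform, product, version_text):
    """Return 'patched', 'vulnerable', or 'unknown' for one inventory row."""
    if product.lower() != "google chrome":
        # Edge, Brave, Opera, Vivaldi use their own version numbers.
        return "unknown"
    minimum = PATCHED.get(platform.lower())
    version = parse_version(version_text)
    if minimum is None or version is None:
        return "unknown"
    # Numeric tuple comparison; as strings, "143.0.7499.40" > "143.0.7499.109".
    return "patched" if version >= minimum else "vulnerable"


# Constructed inventory rows: (host, platform, product, reported version string)
INVENTORY = [
    ("ws-01", "windows", "Google Chrome", "Google Chrome 143.0.7499.110"),
    ("ws-02", "windows", "Google Chrome", "Google Chrome 143.0.7499.40"),
    ("mac-01", "macos", "Google Chrome", "Google Chrome 142.0.7444.176"),
    ("lnx-01", "linux", "Google Chrome", "Google Chrome 143.0.7499.109 "),
    ("ws-03", "windows", "Microsoft Edge", "143.0.3650.66"),
    ("lnx-02", "linux", "Google Chrome", "not installed"),
]


def audit(rows):
    return {host: classify(plat, prod, ver) for host, plat, prod, ver in rows}


if __name__ == "__main__":
    for host, status in audit(INVENTORY).items():
        print(f"{host}: {status}")
```

Hosts reported as "unknown" need a manual check: either the version string could not be parsed or the browser follows a different vendor's numbering.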

Additional fixes in this release

  • CVE-2025-14372: Use-after-free in Password Manager (medium severity).
  • CVE-2025-14373: Inappropriate implementation in Toolbar (medium severity).

Year-to-date zero-day tally
With this release, Google says it has addressed eight Chrome zero-days that were exploited or shown as proof-of-concept this year, including: CVE-2025-2783, CVE-2025-4664, CVE-2025-5419, CVE-2025-6554, CVE-2025-6558, CVE-2025-10585, CVE-2025-13223, and now CVE-2025-14174.

Bottom line
An actively exploited ANGLE zero-day affecting Chrome and other Chromium browsers is now patched. Update immediately and restart your browser to stay protected.

Source: The Hacker News
