Google has released an out-of-band security update for Google Chrome to close a new zero-day vulnerability that is already being exploited in real-world attacks. This is the eighth actively exploited 0-day in Chrome since the beginning of 2025, underscoring the browser’s status as a prime target for attackers.
Urgent Chrome security update: affected versions and platforms
The emergency patch is being rolled out to all major desktop platforms. The fix is included in the following Chrome versions:
Windows: Chrome 143.0.7499.109
macOS: Chrome 143.0.7499.110
Linux: Chrome 143.0.7499.109
According to Google, the update has been made available to most users, but full rollout may take several days due to staged deployment. In the context of an actively exploited zero-day, postponing the update significantly increases risk, especially in corporate environments where browsers are exposed to phishing, drive‑by downloads, and targeted attacks.
Unusual anonymous Chrome 0-day: no CVE, internal tracking only
One of the most notable aspects of this incident is the absence of a public CVE identifier. The vulnerability is temporarily tracked by Google under the internal ID 466192044 with the status “under coordination”. This typically means Google is coordinating technical disclosure and attribution with external partners or other software vendors.
At the time of writing, Google has not disclosed who reported the bug, how long it has been known, or which exact Chrome component was initially affected. The company only states that the severity is rated as high, implying that successful exploitation can lead at least to the compromise of user data confidentiality or integrity.
LibANGLE, Metal renderer and a high‑risk buffer overflow
Public information from the Chromium bug tracker indicates that the root cause lies in LibANGLE — an open-source translation layer that converts OpenGL ES calls into other graphics APIs such as Direct3D, Vulkan and Metal. LibANGLE is a critical component in delivering cross‑platform graphics support in Chrome.
The issue is described as a buffer overflow in the Metal renderer triggered by improper handling of buffer sizes. In practice, this kind of memory management flaw can result in:
– Memory corruption in the rendering process;
– Potential leakage of sensitive data from memory;
– Arbitrary code execution within the renderer’s context.
Buffer overflows are among the most dangerous classes of vulnerabilities. In a modern browser, such flaws are particularly critical because they can be chained with other bugs to bypass the sandbox and move from the isolated rendering process to broader access on the underlying operating system.
How attackers typically weaponize Chrome bugs
Security researchers note that the new vulnerability is likely exploitable in ways similar to type confusion and use‑after‑free bugs, which are common in the V8 JavaScript engine and graphics subsystems. Many successful Chrome zero‑day attack chains combine such memory safety issues to:
– Achieve remote code execution in the renderer process;
– Escape the sandbox and escalate privileges;
– Deploy spyware, steal authentication tokens, or gain persistent access.
Google is deliberately limiting the amount of technical detail shared at this stage. This is a standard defensive practice designed to delay the creation of reliable exploits by additional threat actors who may not yet possess a working attack chain.
Eight Chrome zero-days already in 2025: browser attacks remain a top threat
Since the beginning of 2025, Google has already fixed seven zero-day vulnerabilities in Chrome; this anonymous LibANGLE issue is the eighth. For comparison, Google addressed 10 zero‑days in Chrome during all of 2024, some of which were demonstrated at the Pwn2Own hacking contest, while others were discovered amid active targeted attacks.
This trend aligns with observations from multiple industry reports: modern web browsers are one of the main entry points for intrusions. The reasons are straightforward — a massive global user base, extremely complex code with many third‑party integrations, and direct access to sensitive data, credentials, and cloud services.
What users and organizations should do now
Immediate steps: patching and update management
The most effective mitigation, until more technical details are published, is to update Google Chrome to the latest available version without delay on all workstations and servers where the browser is installed. For enterprises, this should be treated as a priority security change.
Recommended actions include:
– Ensure automatic updates are enabled and verify the installed Chrome version;
– Use centralized update management (e.g., domain policies, configuration management tools) to enforce timely patching;
– Restrict browser extensions and plugins to vetted sources only, reducing the attack surface;
– Segment high‑risk user groups (administrators, finance, legal, executives) onto hardened workstations and stricter browsing policies;
– Regularly train staff in security awareness to reduce the success of phishing and social engineering that often deliver browser‑based exploits.
Frequent browser zero‑days are not a reason for panic, but they are a clear reminder that security is an ongoing process, not a one‑time action. Consistent patch management, careful browser configuration, and layered defenses — from endpoint protection to network segmentation — significantly reduce the chances that a new Chrome zero‑day will turn into a successful compromise of systems or data.
