Google Patches New Chrome Zero-Day in LibANGLE Metal Renderer

CyberSecureFox Editorial Team

Update: The vulnerability has been formally assigned CVE-2025-14174 and added to CISA’s Known Exploited Vulnerabilities (KEV) catalog. The same CVE was coordinated with Apple, which patched the corresponding WebKit bug simultaneously. All Chromium-based browsers (Microsoft Edge, Brave, Opera) are also affected.

Google released an out-of-band security update for Google Chrome to close a new zero-day vulnerability already being exploited in real-world attacks. This is the eighth actively exploited 0-day in Chrome in 2025, and the flaw was also coordinated with Apple, which patched the same bug (CVE-2025-14174) in WebKit simultaneously.

Urgent Chrome security update: affected versions and platforms

The emergency patch is being rolled out to all major desktop platforms. The fix is included in the following Chrome versions:

Windows: Chrome 143.0.7499.109
macOS: Chrome 143.0.7499.110
Linux: Chrome 143.0.7499.109

According to Google, the update has been made available to most users, but full rollout may take several days due to staged deployment. In the context of an actively exploited zero-day, postponing the update significantly increases risk, especially in corporate environments where browsers are exposed to phishing, drive‑by downloads, and targeted attacks.

Unusual anonymous Chrome 0-day: no CVE, internal tracking only

One of the most notable aspects of this incident is the absence of a public CVE identifier. The vulnerability is temporarily tracked by Google under the internal ID 466192044 with the status “under coordination”. This typically means Google is coordinating technical disclosure and attribution with external partners or other software vendors.

At the time of writing, Google has not disclosed who reported the bug, how long it has been known, or which exact Chrome component was initially affected. The company only states that the severity is rated as high, implying that successful exploitation can lead at least to the compromise of user data confidentiality or integrity.

LibANGLE, Metal renderer and a high‑risk buffer overflow

Public information from the Chromium bug tracker indicates that the root cause lies in LibANGLE — an open-source translation layer that converts OpenGL ES calls into other graphics APIs such as Direct3D, Vulkan and Metal. LibANGLE is a critical component in delivering cross‑platform graphics support in Chrome.

The issue is described as a buffer overflow in the Metal renderer triggered by improper handling of buffer sizes. In practice, this kind of memory management flaw can result in:

  • Memory corruption in the rendering process;
  • Potential leakage of sensitive data from memory;
  • Arbitrary code execution within the renderer’s context.

Buffer overflows are among the most dangerous classes of vulnerabilities. In a modern browser, such flaws are particularly critical because they can be chained with other bugs to bypass the sandbox and move from the isolated rendering process to broader access on the underlying operating system.

How attackers typically weaponize Chrome bugs

Security researchers note that the new vulnerability is likely exploitable in ways similar to type confusion and use‑after‑free bugs, which are common in the V8 JavaScript engine and graphics subsystems. Many successful Chrome zero‑day attack chains combine such memory safety issues to:

  • Achieve remote code execution in the renderer process;
  • Escape the sandbox and escalate privileges;
  • Deploy spyware, steal authentication tokens, or gain persistent access.

Google is deliberately limiting the amount of technical detail shared at this stage. This is a standard defensive practice designed to delay the creation of reliable exploits by additional threat actors who may not yet possess a working attack chain.

Eight Chrome zero-days already in 2025: browser attacks remain a top threat

Since the beginning of 2025, Google has already fixed seven zero-day vulnerabilities in Chrome; this anonymous LibANGLE issue is the eighth. For comparison, Google addressed 10 zero‑days in Chrome during all of 2024, some of which were demonstrated at the Pwn2Own hacking contest, while others were discovered amid active targeted attacks.

This trend aligns with observations from multiple industry reports: modern web browsers are one of the main entry points for intrusions. The reasons are straightforward — a massive global user base, extremely complex code with many third‑party integrations, and direct access to sensitive data, credentials, and cloud services.

Which browsers and platforms carry CVE-2025-14174 exposure

All users of Google Chrome prior to version 143.0.7499.109/110 are affected, across Windows, macOS, and Linux. Because CVE-2025-14174 is in ANGLE, the graphics abstraction layer shared across the Chromium project, other Chromium-based browsers are also vulnerable: Microsoft Edge, Brave, Opera, and any other browser built on Chromium that does not maintain its own ANGLE fork. Organizations using Edge as their enterprise default browser are equally exposed. The vulnerability is particularly dangerous on macOS, where the Metal renderer path is used.

What users and organizations should do now

Immediate steps: patching and update management

The most effective mitigation, until more technical details are published, is to update Google Chrome to the latest available version without delay on all workstations and servers where the browser is installed. For enterprises, this should be treated as a priority security change.

Recommended actions include:

  • Ensure automatic updates are enabled and verify the installed Chrome version;
  • Use centralized update management (e.g., domain policies, configuration management tools) to enforce timely patching;
  • Restrict browser extensions and plugins to vetted sources only, reducing the attack surface;
  • Segment high-risk user groups such as administrators, finance, legal, and executives onto hardened workstations and stricter browsing policies;
  • Regularly train staff in security awareness to reduce the success of phishing and social engineering that often deliver browser-based exploits.
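To make the "verify the installed Chrome version" step concrete, here is an added example (not from the original article or from Google) that checks a fleet inventory against the fixed builds listed above. The inventory format, host names and sample version strings are constructed for illustration. Fixed builds for Edge, Brave and Opera are not given in this article, so those rows are flagged for a vendor check.

```python
import re

# Fixed Chrome builds per platform, as listed in the article.
FIXED = {
    "windows": (143, 0, 7499, 109),
    "macos": (143, 0, 7499, 110),
    "linux": (143, 0, 7499, 109),
}

VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Extract a four-part version tuple from e.g. 'Google Chrome 143.0.7499.109'."""
    m = VERSION_RE.search(text)
    return tuple(int(p) for p in m.groups()) if m else None


def assess(platform, version_text):
    """Return 'patched', 'vulnerable', 'vendor-check' or 'unknown' for one row."""
    fixed = FIXED.get(platform.lower())
    version = parse_version(version_text)
    if fixed is None or version is None:
        return "unknown"       # unparseable data needs follow-up, never assume safe
    if not version_text.lower().startswith("google chrome"):
        return "vendor-check"  # other Chromium browsers use their own build numbers
    # Compare as integer tuples: as strings, "41" would sort after "109".
    return "patched" if version >= fixed else "vulnerable"


# Constructed sample inventory: (host, platform, reported browser version string).
INVENTORY = [
    ("ws-001", "windows", "Google Chrome 143.0.7499.109"),
    ("ws-002", "windows", "Google Chrome 143.0.7499.41"),
    ("mac-007", "macos", "Google Chrome 143.0.7499.109"),  # macOS fix is .110
    ("lin-003", "linux", "Google Chrome 142.0.7444.175"),
    ("ws-010", "windows", "Microsoft Edge 143.0.3650.80"),
    ("ws-011", "windows", "version query failed"),
]


def report(inventory):
    """Map each host to its status so unpatched machines can be prioritised."""
    return {host: assess(platform, text) for host, platform, text in inventory}


if __name__ == "__main__":
    for host, status in report(INVENTORY).items():
        print(f"{host}: {status}")
```
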

Given CISA’s KEV listing, federal agencies must apply the patch by the CISA-specified deadline. For all other organizations, this is a critical-priority update: check the BleepingComputer coverage for the full timeline and version details.

