Google Chrome Zero-Day Vulnerability Patched Amid Active Exploitation
Google has released an emergency security update for Chrome to address a newly discovered zero-day vulnerability that was actively exploited in the wild. This marks the eighth zero-day flaw patched in Chrome in 2025, with the latest vulnerability identified as a buffer overflow in the open-source LibANGLE library, specifically affecting the Metal renderer. The flaw could allow attackers to achieve memory corruption, crash the browser, leak sensitive information, or execute arbitrary code. The update is being rolled out to users on Windows, macOS, and Linux, though Google notes that full deployment may take several days or weeks.
Google has withheld detailed technical information and the CVE identifier for the vulnerability to protect users until a majority have updated their browsers. The company confirmed that exploits for the vulnerability were observed in the wild and urges users to update Chrome as soon as possible. Users can either manually update their browsers or rely on automatic updates, which will apply the patch after the next browser restart.
Timeline
Dec 11, 2025
Apple patches CVE-2025-14174 across its operating systems
An update to reporting on the Chrome zero-day said Apple also fixed CVE-2025-14174 across iOS, iPadOS, macOS, tvOS, watchOS, and visionOS. This indicated the vulnerability affected software beyond Chrome and had been addressed in Apple's platforms as well.
Dec 11, 2025
Google discloses fixed Chrome versions and limits technical details
Google said the patched Chrome versions were rolling out as 143.0.7499.109 for Windows and Linux and 143.0.7499.110 for macOS. The company also restricted technical details about the vulnerability until a majority of users had updated.
Dec 11, 2025
Google releases emergency Chrome update for exploited zero-day
Google released emergency Stable Desktop updates for Chrome to fix a high-severity zero-day vulnerability that was being actively exploited in the wild. The flaw, initially referenced as bug 466192044 and later tracked as CVE-2025-14174, affected the ANGLE/LibANGLE Metal renderer.
See the full picture in Mallory
Mallory subscribers get deeper analysis on every story, including:
Who’s affected and how
Deep-dive technical analysis
Actionable next steps for your team
IPs, domains, hashes, and more
Ask questions and take action on every story
Filter by topic, classification, timeframe
Get matching stories delivered automatically
Related Entities
Vulnerabilities
Sources
Related Stories
Active Exploitation of Undisclosed Chrome Zero-Day Vulnerability
Google has released urgent security updates for the Chrome browser to address a high-severity vulnerability that is being actively exploited in the wild. The flaw, tracked internally as issue 466192044, remains undisclosed in terms of its technical details, affected component, and CVE identifier, as Google is withholding this information to protect users while patches are deployed. Alongside this critical issue, two other medium-severity vulnerabilities—CVE-2025-14372 (use-after-free in Password Manager) and CVE-2025-14373 (inappropriate implementation in Toolbar)—were also fixed. Users of Chrome and other Chromium-based browsers such as Microsoft Edge, Brave, Opera, and Vivaldi are strongly advised to update to the latest versions to mitigate risk. Security researchers have identified that the actively exploited vulnerability involves type confusion issues in Chrome’s V8 JavaScript engine, which can allow attackers to manipulate memory and potentially execute arbitrary code simply by luring users to malicious or compromised websites. With Chrome’s vast user base, the exposure is significant, and attackers are known to exploit such flaws before most users have updated. Google and security experts emphasize the importance of promptly applying browser updates and restarting Chrome to ensure protection against these in-the-wild attacks.
1 months ago
Chrome Zero-Day Vulnerabilities Exploited and Patched in 2025
Google addressed a series of eight actively exploited zero-day vulnerabilities in its Chrome browser throughout 2025, with several of these flaws classified as high severity and posing significant risks to billions of users. The vulnerabilities primarily targeted critical components such as the V8 JavaScript engine, WebGPU, ANGLE graphics abstraction layer, Mojo inter-process communication framework, and Chrome’s Loader component. These flaws were exploited by sophisticated threat actors, including state-sponsored groups and commercial surveillance vendors, prompting Google to issue emergency updates and CISA to add all eight vulnerabilities to its Known Exploited Vulnerabilities catalog, mandating urgent remediation. The V8 JavaScript and WebAssembly engine was the most frequently targeted, accounting for half of the zero-days, while memory corruption issues in both V8 and WebGPU were specifically highlighted in emergency updates. The rapid response from Google’s Threat Analysis Group and the inclusion of these vulnerabilities in federal remediation directives underscore the critical nature of these exploits and the ongoing threat landscape facing Chrome users worldwide.
1 months ago
Chrome Zero-Day Vulnerability CVE-2025-13223 Exploited in the Wild
Google has released an emergency security update to address CVE-2025-13223, a critical zero-day vulnerability in the V8 JavaScript engine used by Chrome and Chromium-based browsers. This type confusion flaw, discovered by Clément Lecigne of Google’s Threat Analysis Group (TAG), allows attackers to achieve heap corruption and potentially execute arbitrary code simply by luring users to maliciously crafted websites. The vulnerability has been actively exploited in the wild, with Google confirming that threat actors are weaponizing it to bypass browser sandbox protections, steal credentials, escalate privileges, and deploy malware. The fix is included in Chrome version 142.0.7444.175/.176 for Windows, Mac, and Linux, and users are strongly urged to update and restart their browsers immediately to mitigate risk. Other Chromium-based browsers, including Microsoft Edge, Brave, Opera, and Vivaldi, are also rolling out patches. The involvement of Google TAG suggests possible links to advanced persistent threats, highlighting the urgency for both individuals and enterprises to apply updates and monitor for suspicious activity.
1 months ago