Google has released an urgent security update for its Chrome browser after detecting active exploitation of a previously undisclosed, high-severity vulnerability—an incident that once again underscores how valuable browser-based zero-days have become to espionage groups and cybercriminals alike.

The flaw, tracked internally under the opaque identifier Chromium bug 466192044, appears to involve Google’s Almost Native Graphics Layer Engine (ANGLE), a graphics translation library used across Chrome and many other Chromium-based browsers. Although the company has not yet assigned a public CVE number or disclosed technical details, a related GitHub commit offers the clearest glimpse yet into the nature of the bug.

According to the commit message, the issue stems from improper buffer sizing in ANGLE’s Metal backend, a graphics layer used on Apple platforms. The code comments warn against relying on the pixelsDepthPitch parameter for buffer allocation, noting that it may be calculated from GL_UNPACK_IMAGE_HEIGHT—a value that can be smaller than the actual image height. That discrepancy can create conditions ripe for buffer overflows, a class of vulnerabilities long prized for enabling memory corruption and remote code execution.
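A simplified model of the sizing mismatch described in the commit, added here as an illustration: it is not ANGLE's code, and the struct, function names and sample values are hypothetical. It assumes the copy writes the full image height per slice while the depth pitch follows GL_UNPACK_IMAGE_HEIGHT.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical model of a texture upload; names are illustrative, not ANGLE's. */
typedef struct {
    uint32_t width, height, depth;  /* actual image dimensions */
    uint32_t bytes_per_pixel;
    uint32_t unpack_image_height;   /* GL_UNPACK_IMAGE_HEIGHT; 0 means "use height" */
} upload_t;

/* Bytes per row; two 32-bit factors fit in a 64-bit size_t (assumed here). */
static size_t row_pitch(const upload_t *u) {
    return (size_t)u->width * u->bytes_per_pixel;
}

/* Depth pitch derived from unpack state: may cover fewer rows than height. */
size_t depth_pitch(const upload_t *u) {
    uint32_t rows = u->unpack_image_height ? u->unpack_image_height : u->height;
    return row_pitch(u) * rows;
}

/* Weak sizing: trusts the depth pitch as the size of one slice. */
size_t staging_size_from_pitch(const upload_t *u) {
    return depth_pitch(u) * u->depth;
}

/* Corrected sizing: uses the real image height, with overflow checks. */
bool staging_size_from_dims(const upload_t *u, size_t *out) {
    size_t rp = row_pitch(u), slice;
    if (u->height && rp > SIZE_MAX / u->height) return false;
    slice = rp * u->height;
    if (u->depth && slice > SIZE_MAX / u->depth) return false;
    *out = slice * u->depth;
    return true;
}

/* Guard a copy routine can apply before writing height rows per slice. */
bool buffer_fits(const upload_t *u, size_t buffer_size) {
    size_t need;
    return staging_size_from_dims(u, &need) && buffer_size >= need;
}

int main(void) {
    upload_t u = { 64, 64, 1, 4, 16 };  /* constructed sample values */
    size_t need = 0, weak = staging_size_from_pitch(&u);
    staging_size_from_dims(&u, &need);
    printf("pitch-based: %zu, required: %zu, fits: %d\n", weak, need, buffer_fits(&u, weak));
    return 0;
}
```

With the constructed values, the pitch-based size covers 16 rows while the image has 64, so the guard rejects the undersized buffer before any copy takes place.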

Security researchers who reviewed the commit say the description strongly suggests a flaw that could allow attackers to hijack memory operations inside Chrome’s rendering pipeline. “Any overflow in a graphics subsystem—especially one that interfaces so closely with the GPU—can be extremely powerful,” said one researcher familiar with browser exploitation trends. “Chrome’s security model relies on isolation, but flaws in rendering engines often open pathways that bypass those sandboxes.”

A Familiar Pattern: Fix First, Disclose Later

Google acknowledged that “an exploit… exists in the wild” but withheld further details, including the threat actor, attack vector, and scope of the exploitation campaign. That decision follows a long-standing industry practice: limit disclosure until enough users have installed the update, reducing opportunities for copycat attacks.

The Chrome Security Team typically delays release of vulnerability details by several weeks—or longer—when exploitation is confirmed. As seen in previous campaigns, threat actors routinely reverse-engineer publicly released patches to develop their own exploits. In 2021, for example, Microsoft observed a spike in exploitation of patched Exchange Server flaws within days of public disclosure. Browser vendors have since become more cautious, especially as state-aligned cyber operations increasingly target browser engines due to their ubiquity and access to sensitive data.

The Broader Landscape: Eight Chrome Zero-Days Already This Year

The newly patched vulnerability brings Chrome’s 2025 tally of exploited or demonstrably exploitable zero-days to eight, adding to a growing list of memory-safety failures affecting the browser:

CVE-2025-2783: Incorrect handle provided in unspecified circumstances in Mojo in Google Chrome on Windows prior to 134.0.6998.177 allowed a remote attacker to perform a sandbox escape via a malicious file. (Chromium security severity: High)
CVE-2025-4664: Insufficient policy enforcement in Loader in Google Chrome prior to 136.0.7103.113 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: High)
CVE-2025-5419: Out of bounds read and write in V8 in Google Chrome prior to 137.0.7151.68 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
CVE-2025-6554: Type confusion in V8 in Google Chrome prior to 138.0.7204.96 allowed a remote attacker to perform arbitrary read/write via a crafted HTML page. (Chromium security severity: High)
CVE-2025-6558: Insufficient validation of untrusted input in ANGLE and GPU in Google Chrome prior to 138.0.7204.157 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)
CVE-2025-10585: Type confusion in V8 in Google Chrome prior to 140.0.7339.185 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
CVE-2025-13223: Type Confusion in V8 in Google Chrome prior to 142.0.7444.175 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

While the specifics of these vulnerabilities vary—from use-after-free errors to logic flaws in rendering subsystems—their frequency illustrates a broader truth: modern browsers remain among the most heavily targeted software products on earth. With billions of daily users and complex architectures incorporating graphics libraries, JavaScript engines, UI components, and extensions, browsers offer attackers an unparalleled attack surface.

This year’s number is consistent with a wider industry trend. Google’s own 2024 Threat Analysis Group report highlighted a steady rise in commercial spyware vendors exploiting browser zero-days, particularly those affecting Chrome and WebKit. Similarly, security firm Mandiant noted that nearly all major nation-state cyber programs now invest heavily in browser-based intrusion capabilities.

Two Additional Vulnerabilities Patched

Alongside the mysterious ANGLE flaw, Google’s latest security release also resolves two medium-severity vulnerabilities:

CVE-2025-14372 — Use-after-free in the Password Manager. A flaw of this type could allow attackers to manipulate released memory, potentially exposing saved credentials.
CVE-2025-14373 — Inappropriate implementation in the Toolbar. While details remain limited, improperly implemented UI components can create unexpected behavioral or privilege-related inconsistencies.

Neither issue is known to be exploited, but both represent components frequently scrutinized by researchers and malicious actors.

What Users Should Do Now

Google is urging users to update Chrome to version 143.0.7499.109/.110 on Windows and macOS, and 143.0.7499.109 on Linux. Updates typically install automatically, but users can force an update by navigating to:

Chrome Menu → Help → About Google Chrome → Relaunch

Because ANGLE is a core component across Chromium’s ecosystem, the security risk extends beyond Chrome itself. Microsoft Edge, Brave, Vivaldi, Opera, and numerous niche browsers will need to ship their own patches. Historically, most Chromium-based browsers follow within days of Chrome’s updates, though adoption speed varies.

Security experts emphasize that prompt updating is crucial, especially when active exploitation is confirmed. “Browser zero-days rarely stay exclusive to one actor for long,” said an analyst at the cybersecurity firm Recorded Future. “Once a vulnerability becomes known—publicly or privately—other adversaries scramble to weaponize it.”

Why Graphics Layers Matter More Than Ever

ANGLE’s role in this incident highlights a subtle but important shift in browser security: vulnerabilities are increasingly emerging not in obvious components like the JavaScript engine, but in supporting subsystems such as GPU abstraction layers, media codecs, and sandbox escape pathways.

Graphics translation libraries like ANGLE are particularly attractive because they manage memory-intensive operations, interact directly with hardware, and often rely on platform-specific backends (e.g., Metal on macOS, Direct3D on Windows). Even small miscalculations—like an undersized buffer—can expose deep and powerful exploitation pathways.

Modern exploits often chain multiple vulnerabilities—a renderer flaw to achieve memory corruption, a sandbox escape to break isolation, and a privilege escalation to seize control of the system. While nothing publicly suggests this exploit is part of a chain, experts caution that attackers rarely stop at a single flaw when pursuing high-value targets such as journalists, dissidents, or corporate executives.

A Growing Debate: Memory-Safe Languages vs. Legacy Codebases

The Chrome zero-day surge continues to feed a broader debate within the cybersecurity community: should foundational components of the browser ecosystem be rewritten in memory-safe languages like Rust or Swift?

Google has made gradual progress in shifting some Chrome subsystems toward Rust-based rewrites, but enormous portions of Chromium—including ANGLE—still rely on C++ codebases with decades of legacy decisions. Meanwhile, Microsoft has begun rewriting key Windows libraries in Rust, and Apple has expanded use of Swift for some low-level routines.

But rewriting massive, performance-sensitive components is neither fast nor straightforward. “You can’t just swap out a rendering engine,” noted one open-source contributor to WebKit. “It’s like replacing the chassis of a car while driving it at 70 miles an hour.”

Still, many security analysts argue that this latest zero-day reinforces the long-term need for more memory-safe approaches.

Conclusion

Google’s silent scramble to patch a high-severity flaw already being leveraged in real-world attacks is a reminder of the precarious balance between transparency, user safety, and the high-stakes world of zero-day exploitation. While the company’s rapid response limits the window of vulnerability for most users, the secrecy surrounding the bug—and the increasing pace of Chrome zero-days—signals that the battle for browser security is far from over.

Users should update Chrome immediately—and keep an eye out for patches from other Chromium-based browser vendors.
