Chrome Targeted by Active In-the-Wild Exploit Tied to Undisclosed High-Severity Flaw - The Hacker News

The Hacker News, archived Mar 16, 2026

Ravie Lakshmanan, Dec 11, 2025. Zero-Day / Vulnerability

Google on Wednesday shipped security updates for its Chrome browser to address three security flaws, including one it said has come under active exploitation in the wild. The vulnerability, rated high in severity, is being tracked under the Chromium issue tracker ID "466192044."

Unlike other disclosures, Google has opted to keep information about the CVE identifier, the affected component, and the nature of the flaw under wraps. However, a GitHub commit for the Chromium bug ID has revealed that the issue resides in Google's open-source Almost Native Graphics Layer Engine (ANGLE) library, with the commit message stating "Metal: Don't use pixelsDepthPitch to size buffers. pixelsDepthPitch is based on GL_UNPACK_IMAGE_HEIGHT, which can be smaller than the image height."

This indicates the problem is likely a buffer overflow vulnerability in ANGLE's Metal renderer triggered by improper buffer sizing, which could lead to memory corruption, program crashes, or arbitrary code execution.

"Google is aware that an exploit for 466192044 exists in the wild," the company noted, adding that more details are "under coordination."

Naturally, the tech giant has also not disclosed any specifics on the identity of the threat actor behind the attacks, who may have been targeted, or the scale of such efforts. This is typically done to ensure that a majority of users have applied the fixes and to prevent other bad actors from reverse engineering the patch and developing their own exploits.

With the latest update, Google has addressed eight zero-day flaws in Chrome that have been either actively exploited or demonstrated as a proof-of-concept (PoC) since the start of the year. The list includes CVE-2025-2783, CVE-2025-4664, CVE-2025-5419, CVE-2025-6554, CVE-2025-6558, CVE-2025-10585, and CVE-2025-13223.
Also addressed by Google are two other medium-severity vulnerabilities:

- CVE-2025-14372 - Use-after-free in Password Manager
- CVE-2025-14373 - Inappropriate implementation in Toolbar

To safeguard against potential threats, users are advised to update their Chrome browser to versions 143.0.7499.109/.110 for Windows and Apple macOS, and 143.0.7499.109 for Linux. To make sure the latest updates are installed, users can navigate to More > Help > About Google Chrome and select Relaunch. Users of other Chromium-based browsers, such as Microsoft Edge, Brave, Opera, and Vivaldi, are also advised to apply the fixes as and when they become available.

Flaw Now Tracked as CVE-2025-14174

The vulnerability has now been assigned the CVE identifier CVE-2025-14174 (CVSS score: 8.8), with Google describing it as an out-of-bounds memory access in ANGLE. It credited Apple Security Engineering and Architecture (SEAR) and Google Threat Analysis Group (TAG) for reporting the issue on December 5, 2025.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has also added it to its Known Exploited Vulnerabilities (KEV) catalog, requiring Federal Civilian Executive Branch (FCEB) agencies to apply the fixes by January 2, 2026. "Google Chromium contains an out-of-bounds memory access vulnerability in ANGLE that could allow a remote attacker to perform out-of-bounds memory access via a crafted HTML page," CISA said.

(The story was updated after publication on December 13, 2025, to include details of the CVE.)
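The sizing defect the commit message describes, modelled as an added example that is not ANGLE's code: a 3-D texture upload whose source slice stride (the quantity the commit calls pixelsDepthPitch) is derived from GL_UNPACK_IMAGE_HEIGHT, set beside sizing derived from the actual texture height and a pre-copy check that catches the undersized case. The struct, field and function names and the memory-layout model are assumptions constructed for this illustration.

```c
#include <stdbool.h>
#include <stdint.h>

/* Constructed model of a 3-D texture upload (not ANGLE's data structures).
 * unpack_image_height mirrors GL_UNPACK_IMAGE_HEIGHT: rows per slice in the
 * caller's memory, 0 meaning "same as the texture height". */
typedef struct {
    uint32_t width, height, depth;   /* texture dimensions in texels */
    uint32_t bytes_per_texel;
    uint32_t unpack_image_height;    /* GL_UNPACK_IMAGE_HEIGHT, 0 = height */
} upload_t;

static uint64_t row_pitch(const upload_t *u) {
    return (uint64_t)u->width * u->bytes_per_texel;
}

/* Source-side slice stride, the quantity the commit message calls
 * pixelsDepthPitch. It follows the unpack parameter, not the texture. */
uint64_t pixels_depth_pitch(const upload_t *u) {
    uint32_t rows = u->unpack_image_height ? u->unpack_image_height : u->height;
    return row_pitch(u) * rows;
}

/* Bytes one slice occupies once copied: always height rows. */
uint64_t image_depth_pitch(const upload_t *u) {
    return row_pitch(u) * u->height;
}

/* Sizing the destination from the source stride: too small whenever
 * unpack_image_height < height, which is the defect the patch removes. */
uint64_t staging_size_unsafe(const upload_t *u) {
    return pixels_depth_pitch(u) * u->depth;
}

/* Fixed sizing: reserve height rows for every slice. */
uint64_t staging_size_fixed(const upload_t *u) {
    return image_depth_pitch(u) * u->depth;
}

/* Defensive check a copy routine can run before writing: does copying depth
 * slices of height rows each exceed the buffer it was handed? */
bool copy_overruns(const upload_t *u, uint64_t buffer_size) {
    return image_depth_pitch(u) * u->depth > buffer_size;
}
```

With unpack_image_height set to 0 the two sizings agree; the check only fires when the unpack parameter is smaller than the texture height, which is exactly the condition the commit message names.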