The U.S. Cybersecurity and Infrastructure Safety Company (CISA) has added a important zero-day vulnerability in Google Chromium’s ANGLE graphics engine to its Identified Exploited Vulnerabilities (KEV) catalog.
Tracked as CVE-2025-14174, the flaw permits distant attackers to set off out-of-bounds reminiscence entry by way of a malicious HTML web page, probably resulting in arbitrary code execution in browsers.
Found and patched simply days in the past, this vulnerability underscores ongoing threats to Chromium-based browsers dominating the net. Attackers might exploit it for drive-by compromises, information theft, or ransomware deployment, although CISA notes no confirmed ransomware ties but. Federal businesses should apply mitigations by January 2, 2026, or discontinue affected merchandise.
CVE-2025-14174 resides in ANGLE, Chromium’s OpenGL ES interface layer, the place improper bounds checking permits reminiscence corruption. A crafted webpage can invoke the flaw throughout rendering, bypassing sandbox protections in some eventualities.
The Nationwide Vulnerability Database (NVD) charges it excessive severity, with early CVSS v3.1 assessments pointing to distant code execution dangers.
CVE IDDescriptionCVSS v3.1 ScoreAffected VersionsPatched VersionsCVE-2025-14174Out-of-bounds reminiscence entry in ANGLE by way of HTML8.8 (Excessive)Chromium < 131.0.6778.200Chrome 131.0.6778.201+Edge 131.0.3139.95+
No public indicators of compromise (IoCs) have surfaced, however menace actors are more likely to chain it to phishing or malvertising.
CISA urges rapid patching per Binding Operational Directive (BOD) 22-01 for federal programs, particularly cloud companies. Organizations ought to scan for unpatched browsers, implement computerized updates, and monitor for anomalous rendering crashes.
Google rolled out Secure Channel fixes on December 10, bumping Chrome to model 131.0.6778.201. Microsoft Edge adopted with 131.0.3139.95, whereas Opera customers ought to examine vendor channels. “Customers are suggested to relaunch browsers post-update,” Google said in its launch notes.
This incident highlights Chromium’s huge assault floor, affecting over 70% of desktop browsers. Safety groups worldwide ought to prioritize remediation amid rising zero-day exploits.
Observe us on Google Information, LinkedIn, and X for day by day cybersecurity updates. Contact us to function your tales.
