Google on Wednesday shipped security updates for its Chrome browser to address three security flaws, including one it said has come under active exploitation in the wild.
The vulnerability, rated high in severity, is being tracked under the Chromium issue tracker ID "466192044." Unlike other disclosures, Google has opted to keep information about the CVE identifier, the affected component, and the nature of the flaw under wraps.
However, a GitHub commit for the Chromium bug ID has revealed that the issue resides in Google's open-source Almost Native Graphics Layer Engine (ANGLE) library, with the commit message stating "Metal: Don't use pixelsDepthPitch to size buffers. pixelsDepthPitch is based on GL_UNPACK_IMAGE_HEIGHT, which can be smaller than the image height."
This indicates the problem is likely a buffer overflow vulnerability in ANGLE's Metal renderer triggered by improper buffer sizing, which could lead to memory corruption, program crashes, or arbitrary code execution.
"Google is aware that an exploit for 466192044 exists in the wild," the company noted, adding that more details are "under coordination."
Naturally, the tech giant has also not disclosed any specifics on the identity of the threat actor behind the attacks, who may have been targeted, or the scale of such efforts.
This is typically done so as to ensure that a majority of the users have applied the fixes and to prevent other bad actors from reverse engineering the patch and developing their own exploits.
With the latest update, Google has addressed eight zero-day flaws in Chrome that have been either actively exploited or demonstrated as a proof-of-concept (PoC) since the start of the year. The list includes CVE-2025-2783, CVE-2025-4664, CVE-2025-5419, CVE-2025-6554, CVE-2025-6558, CVE-2025-10585, and CVE-2025-13223.
Also addressed by Google are two other medium-severity vulnerabilities -
- CVE-2025-14372 - Use-after-free in Password Manager
- CVE-2025-14373 - Inappropriate implementation in Toolbar
To safeguard against potential threats, it's advised to update their Chrome browser to versions 143.0.7499.109/.110 for Windows and Apple macOS, and 143.0.7499.109 for Linux. To make sure the latest updates are installed, users can navigate to More > Help > About Google Chrome and select Relaunch.
Users of other Chromium-based browsers, such as Microsoft Edge, Brave, Opera, and Vivaldi, are also advised to apply the fixes as and when they become available.
Flaw Now Tracked as CVE-2025-14174
The vulnerability has now been assigned the CVE identifier CVE-2025-14174 (CVSS score: 8.8), with Google describing it as an out-of-bounds memory access in ANGLE. It credited Apple Security Engineering and Architecture (SEAR) and Google Threat Analysis Group (TAG) for reporting the issue on December 5, 2025.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has also added it to its Known Exploited Vulnerabilities (KEV) catalog, requiring Federal Civilian Executive Branch (FCEB) agencies to apply the fixes by January 2, 2026.
"Google Chromium contains an out-of-bounds memory access vulnerability in ANGLE that could allow a remote attacker to perform out-of-bounds memory access via a crafted HTML page," CISA said.
(The story was updated after publication on December 13, 2025, to include details of the CVE.)
