CISA Warns of Google Chromium 0-Day Vulnerability Exploited in Attacks

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical zero-day vulnerability in Google Chromium’s ANGLE graphics engine to its Known Exploited Vulnerabilities (KEV) catalog.

Tracked as CVE-2025-14174, the flaw allows remote attackers to trigger out-of-bounds memory access via a malicious HTML page, potentially leading to arbitrary code execution in browsers.

Discovered and patched just days ago, this vulnerability underscores the ongoing threat to Chromium-based browsers, which dominate the web. Attackers could exploit it for drive-by compromises, data theft, or ransomware deployment, though CISA notes no confirmed ransomware ties yet. Federal agencies must apply mitigations by January 2, 2026, or discontinue use of the affected products.

CVE-2025-14174 resides in ANGLE, Chromium’s OpenGL ES interface layer, where improper bounds checking allows memory corruption. A crafted webpage can invoke the flaw during rendering, bypassing sandbox protections in some scenarios.

The National Vulnerability Database (NVD) rates it high severity, with early CVSS v3.1 assessments pointing to remote code execution risks.

| CVE ID | Description | CVSS v3.1 Score | Affected Versions | Patched Versions |
|---|---|---|---|---|
| CVE-2025-14174 | Out-of-bounds memory access in ANGLE via HTML | 8.8 (High) | Chromium < 131.0.6778.200 | Chrome 131.0.6778.201+; Edge 131.0.3139.95+ |

No public indicators of compromise (IoCs) have surfaced, but threat actors are likely to chain the flaw with phishing or malvertising to deliver the malicious page.

CISA urges immediate patching per Binding Operational Directive (BOD) 22-01 for federal systems, especially cloud services. Organizations should scan for unpatched browsers, enforce automatic updates, and monitor for anomalous rendering crashes.
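The "scan for unpatched browsers" step above is the one most teams have to script themselves. The following is an added example, not code from CISA, Google, or the article: it reads a constructed `host,browser,version` inventory export (the format is an assumption; real asset inventories vary) and compares each installed build against the first patched builds named in the table above, Chrome 131.0.6778.201 and Edge 131.0.3139.95. Rows for other browsers or unparseable versions are reported as "unknown" rather than silently treated as patched.

```python
"""Flag browser installs that sit below the fixed builds for CVE-2025-14174."""
from __future__ import annotations

import re
from dataclasses import dataclass

# First fixed builds, taken from the article's table.
PATCHED = {
    "chrome": (131, 0, 6778, 201),
    "edge": (131, 0, 3139, 95),
}

_VERSION_RE = re.compile(r"^\d+(\.\d+)*$")


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '131.0.6778.200' into (131, 0, 6778, 200); reject anything else."""
    text = text.strip()
    if not _VERSION_RE.match(text):
        raise ValueError(f"not a dotted version: {text!r}")
    return tuple(int(part) for part in text.split("."))


def is_patched(browser: str, version: str) -> bool:
    """True when the installed build is at or above the first fixed build."""
    minimum = PATCHED[browser.lower()]
    installed = parse_version(version)
    # Pad the shorter tuple with zeros so '131.0' compares as (131, 0, 0, 0).
    width = max(len(minimum), len(installed))
    installed = installed + (0,) * (width - len(installed))
    minimum = minimum + (0,) * (width - len(minimum))
    return installed >= minimum


@dataclass
class Finding:
    host: str
    browser: str
    version: str
    status: str  # "patched", "vulnerable" or "unknown"


def triage(inventory: str) -> list[Finding]:
    """Classify each 'host,browser,version' line of a (constructed-format) inventory."""
    findings: list[Finding] = []
    for line in inventory.strip().splitlines():
        host, browser, version = (field.strip() for field in line.split(",", 2))
        key = browser.lower()
        if key not in PATCHED:
            # Not a Chromium build covered by this advisory; needs a human look.
            findings.append(Finding(host, browser, version, "unknown"))
            continue
        try:
            status = "patched" if is_patched(key, version) else "vulnerable"
        except ValueError:
            status = "unknown"
        findings.append(Finding(host, browser, version, status))
    return findings


def vulnerable_hosts(inventory: str) -> list[str]:
    """Hosts with at least one install still below the fixed build."""
    return sorted({f.host for f in triage(inventory) if f.status == "vulnerable"})


# Constructed sample inventory; hosts and versions are made up for illustration.
SAMPLE_INVENTORY = """
ws-01,Chrome,131.0.6778.200
ws-02,Chrome,131.0.6778.201
ws-03,Edge,131.0.3139.94
ws-04,Edge,131.0.3139.95
ws-05,Chrome,130.0.6723.117
ws-06,Firefox,133.0
ws-07,Chrome,unknown
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE_INVENTORY):
        print(f"{finding.host:<6} {finding.browser:<8} {finding.version:<16} {finding.status}")
    print("needs update:", ", ".join(vulnerable_hosts(SAMPLE_INVENTORY)))
```

Comparing version tuples rather than strings matters here: a plain string compare would rank "131.0.6778.95" above "131.0.6778.201". The zero-padding also keeps a truncated "131.0" from being mistaken for a patched build.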

Google rolled out Stable Channel fixes on December 10, bumping Chrome to version 131.0.6778.201. Microsoft Edge followed with 131.0.3139.95, while Opera users should check vendor channels. “Users are advised to relaunch browsers post-update,” Google stated in its release notes.

This incident highlights Chromium’s vast attack surface, affecting over 70% of desktop browsers. Security teams worldwide should prioritize remediation amid rising zero-day exploits.
