Google has released an urgent security update for the Chrome Stable channel to address a critical use-after-free vulnerability in the ANGLE graphics library that could allow attackers to execute arbitrary code on vulnerable systems.
The fixes arrive as part of Chrome Stable versions 139.0.7258.154/.155 on Windows and macOS, and 139.0.7258.154 on Linux. Users are advised to update immediately, as the patch will roll out automatically over the coming days and weeks.
Background and Impact
The flaw, tracked as CVE-2025-9478, was discovered by the Google Big Sleep team on August 11, 2025. It resides in the ANGLE component, which translates OpenGL ES calls to native graphics API calls on various platforms.
A malicious website exploiting this vulnerability could trigger a use-after-free condition, whereby memory is reused after being freed.
By carefully crafting WebGL or Canvas operations, an attacker could corrupt the browser’s memory and achieve remote code execution with the privileges of the current user.
| CVE ID | Severity | Description | Reported Date |
| CVE-2025-9478 | Critical | Use-after-free leading to code exec | 2025-08-11 |
Given ANGLE’s central role in Chrome’s rendering pipeline across desktop and mobile platforms, exploitation could be scripted in a drive-by download scenario: a victim simply needs to visit a compromised or maliciously crafted webpage.
Successful exploitation may allow attackers to install malware, steal data, or pivot deeper into a corporate network, making this flaw especially dangerous for high-value targets and enterprise users.
Mitigation and Recommendations
Google’s security team has already deployed the fix in the latest Stable builds. Administrators managing large deployments should ensure that version 139.0.7258.154/.155 is pushed without delay.
For organizations with strict change management procedures, Chrome’s enterprise bundle and MSI installers are available to facilitate offline or staged rollouts.
In addition to updating Chrome, security teams should:
- Monitor proxy and endpoint logs for unusual WebGL or graphics API call patterns.
- Enforce principle of least privilege to limit the impact of a compromised browser process.
- Educate users about the dangers of visiting untrusted websites, especially those that host WebGL content.
Google continues to support collaborative discovery by offering rewards for externally reported bugs.
While details of CVE-2025-9478 remain restricted until the majority of users receive the fix, the acknowledgment of the external researcher underscores the value of public–private partnerships in securing open-source projects.
Find this News Interesting! Follow us on Google News, LinkedIn, and X to Get Instant Updates!
Source link
