Google has released an emergency security update for Chrome to address a critical use-after-free vulnerability (CVE-2025-9478) in the ANGLE graphics library that could allow attackers to execute arbitrary code on compromised systems.
The vulnerability affects Chrome versions prior to 139.0.7258.154/.155 across Windows, Mac, and Linux platforms.
The security flaw was discovered by Google’s Big Sleep AI-powered vulnerability research team on August 11, 2025, and has been assigned the highest CVSS severity rating.
Key Takeaways
1. Chrome 139.0.7258.154/.155 patches critical ANGLE UAF.
2. Impacts GPU rendering on Windows, Mac & Linux.
3. Update now; use EDR, isolation & CSP to block exploits.
Chrome’s Stable Channel Update, released on August 26, 2025, addresses this critical memory corruption issue through automatic updates rolling out globally.
Critical Chrome ANGLE Vulnerability
The vulnerability resides within Chrome’s ANGLE (Almost Native Graphics Layer Engine) library, which translates OpenGL ES API calls to hardware-specific graphics APIs, including Direct3D, Vulkan, and native OpenGL.
Use-after-free vulnerabilities occur when a program continues to use a memory pointer after the memory has been deallocated, creating opportunities for heap manipulation and memory corruption attacks.
In this specific case, the flaw in ANGLE’s memory management routines could be exploited through maliciously crafted web content that triggers improper memory deallocation sequences.
Successful exploitation would allow attackers to achieve arbitrary code execution with the privileges of the Chrome renderer process, potentially leading to sandbox escape and full system compromise.
The vulnerability is particularly concerning due to ANGLE’s widespread usage across web applications that utilize WebGL rendering, HTML5 Canvas operations, and GPU-accelerated graphics processing.
Attackers could leverage drive-by download attacks, malicious advertisements, or compromised websites to deliver exploit payloads targeting this memory corruption flaw.
| Risk Factors | Details |
| Affected Products | Chrome Desktop (≤ 139.0.7258.153) on Windows, Mac, Linux |
| Impact | Arbitrary code execution |
| Exploit Prerequisites | User opens malicious web content with GPU acceleration |
| CVSS 3.1 Score | 9.8 (Critical) |
Mitigations
Organizations should prioritize the immediate deployment of Chrome version 139.0.7258.154 or later to mitigate exploitation risks.
The update includes comprehensive patches for the ANGLE library’s memory management functions and enhanced heap protection mechanisms to prevent similar use-after-free conditions.
Security teams should implement application allowlisting, network segmentation, and endpoint detection and response (EDR) solutions to detect potential exploitation attempts.
Additionally, organizations should consider deploying Content Security Policy (CSP) headers and browser isolation technologies to limit the attack surface for web-based exploits targeting this vulnerability class.
Given the critical nature of this flaw and its potential for zero-day exploitation, security professionals should monitor for unusual network traffic patterns, unexpected process spawning, and anomalous memory allocation behaviors that may indicate active exploitation attempts against unpatched Chrome installations.
Find this Story Interesting! Follow us on LinkedIn and X to Get More Instant Updates.
Source link
