
Google Addresses Ninth Chrome Zero-Day Vulnerability Under Active Exploitation

  • Dec 11, 2025

Key Findings


  • Google addressed three vulnerabilities in the Chrome browser, including a high-severity bug already exploited in the wild.

  • Google tracked the high-severity vulnerability as Chromium issue 466192044, but did not share technical details.

  • The bug lies in the ANGLE graphics library, where buffer sizes were incorrectly calculated, leading to memory corruption, crashes, or potentially arbitrary code execution.

  • Google also fixed two medium-severity flaws: a use-after-free in Password Manager and an inappropriate implementation in Toolbar.

  • This year, Google has addressed seven other zero-day vulnerabilities actively exploited in the wild, including issues in the V8 JavaScript engine, Mojo, and ANGLE/GPU.


Background


Google regularly releases security updates for the Chrome browser to address vulnerabilities and protect users from active exploitation. This latest update is part of a series of emergency patches the company has issued in 2025 to fix zero-day flaws being actively targeted by threat actors.


High-Severity Zero-Day Vulnerability (Chromium Issue 466192044)


  • The high-severity vulnerability is tracked as Chromium issue 466192044, but Google did not disclose the technical details.

  • The bug lies in the ANGLE graphics library, specifically its Metal renderer, where buffer sizes were incorrectly calculated using `pixelsDepthPitch`, derived from `GL_UNPACK_IMAGE_HEIGHT`.

  • This can lead to buffer overflows, resulting in memory corruption, crashes, or potentially arbitrary code execution.

  • Google acknowledged that an exploit for this vulnerability exists in the wild, indicating it is being actively exploited by attackers.
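
The sizing mistake described above, as an added example (not ANGLE's code and not taken from Google's fix): under the OpenGL pixel-store rules the depth pitch is the stride between images and follows `GL_UNPACK_IMAGE_HEIGHT`, so it is not a safe size for a buffer that receives the rows actually copied. The `upload_t` struct, the function names and the sample values are assumptions made for illustration, and the page does not say how the mismatch arises inside ANGLE's Metal renderer.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

typedef struct { /* hypothetical description of one slice upload, not ANGLE's types */
    uint32_t width, height, bytes_per_pixel; /* extent actually copied */
    uint32_t unpack_row_length;              /* GL_UNPACK_ROW_LENGTH, 0 = use width */
    uint32_t unpack_image_height;            /* GL_UNPACK_IMAGE_HEIGHT, 0 = use height */
} upload_t;

static bool mul_ok(size_t a, size_t b, size_t *out) { /* overflow-checked a * b */
    if (b != 0 && a > SIZE_MAX / b) return false;
    *out = a * b;
    return true;
}

/* Bytes between row starts; assumes GL_UNPACK_ALIGNMENT is 1 (no row padding). */
bool row_pitch(const upload_t *u, size_t *out) {
    size_t px = u->unpack_row_length ? u->unpack_row_length : u->width;
    return mul_ok(px, u->bytes_per_pixel, out);
}

/* Bytes between image starts: a stride chosen by the caller, not a copy size. */
bool depth_pitch(const upload_t *u, size_t *out) {
    size_t rp, rows = u->unpack_image_height ? u->unpack_image_height : u->height;
    return row_pitch(u, &rp) && mul_ok(rp, rows, out);
}

/* Bytes one slice copy touches: (height - 1) full row pitches plus the last row. */
bool slice_bytes(const upload_t *u, size_t *out) {
    size_t rp, body, last;
    if (u->width == 0 || u->height == 0) { *out = 0; return true; }
    if (!row_pitch(u, &rp) || !mul_ok(rp, u->height - 1, &body) ||
        !mul_ok(u->width, u->bytes_per_pixel, &last) || body > SIZE_MAX - last)
        return false;
    *out = body + last;
    return true;
}

/* Hardened check: the buffer must cover the copy extent, whatever the pitch says. */
bool staging_buffer_ok(const upload_t *u, size_t buffer_size) {
    size_t need;
    return slice_bytes(u, &need) && need <= buffer_size;
}

int main(void) { /* constructed sample: unpack image height 16, 64 rows copied */
    upload_t u = {64, 64, 4, 0, 16};
    size_t dp = 0; /* exit status 0 when the pitch-sized buffer is rejected */
    return (depth_pitch(&u, &dp) && !staging_buffer_ok(&u, dp)) ? 0 : 1;
}
```
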


Medium-Severity Vulnerabilities


  • CVE-2025-14372 (Use-after-free in Password Manager, $2,000 bounty), reported by Weipeng Jiang (@Krace) of VRI on 2025-11-14

  • CVE-2025-14373 (Inappropriate implementation in Toolbar, $2,000 bounty), reported by Khalil Zhani on 2025-11-18


Previous Chrome Zero-Days Addressed in 2025


  • CVE-2025-6554 (Type confusion in V8)

  • CVE-2025-10585 (Type confusion in V8)

  • CVE-2025-6558 (Insufficient validation of untrusted input in ANGLE and GPU)

  • CVE-2025-5419 (Out-of-bounds read and write in V8)

  • CVE-2025-4664 (Chrome browser vulnerability leading to account takeover)

  • CVE-2025-2783 (Incorrect handle in Mojo on Windows)

  • CVE-2025-13223 (Type confusion in V8)


Sources


  • https://securityaffairs.com/185566/hacking/google-fixed-a-new-actively-exploited-chrome-zero-day.html

  • https://securityonline.info/emergency-chrome-update-google-patches-new-zero-day-under-active-attack/

  • https://www.bleepingcomputer.com/news/security/google-fixes-eighth-chrome-zero-day-exploited-in-attacks-in-2025/

  • https://cyberinsider.com/google-fixes-eighth-actively-exploited-chrome-zero-day-of-2025/

  • https://www.securityweek.com/google-patches-mysterious-chrome-zero-day-exploited-in-the-wild/

  • https://threatprotect.qualys.com/2025/12/11/google-patches-zero-day-vulnerability-exploited-in-attack/


© 2025 by Explain IT Again. Powered and secured by Wix
