top of page
Search

Google Addresses Ninth Chrome Zero-Day Vulnerability Under Active Exploitation

  • Dec 11, 2025
  • 2 min read

Key Findings


  • Google addressed three vulnerabilities in the Chrome browser, including a high-severity bug already exploited in the wild.

  • Google tracked the high-severity vulnerability as Chromium issue 466192044, but did not share technical details.

  • The bug lies in the ANGLE graphics library, where buffer sizes were incorrectly calculated, leading to memory corruption, crashes, or potentially arbitrary code execution.

  • Google also fixed two medium-severity flaws: a use-after-free in Password Manager and an inappropriate implementation in Toolbar.

  • This year, Google has addressed seven other zero-day vulnerabilities actively exploited in the wild, including issues in the V8 JavaScript engine, Mojo, and ANGLE/GPU.


Background


Google regularly releases security updates for the Chrome browser to address vulnerabilities and protect users from active exploitation. This latest update is part of a series of emergency patches the company has issued in 2025 to fix zero-day flaws being actively targeted by threat actors.


High-Severity Zero-Day Vulnerability (Chromium Issue 466192044)


  • The high-severity vulnerability is tracked as Chromium issue 466192044, but Google did not disclose the technical details.

  • The bug lies in the ANGLE graphics library, specifically its Metal renderer, where buffer sizes were incorrectly calculated using `pixelsDepthPitch`, derived from `GL_UNPACK_IMAGE_HEIGHT`.

  • This can lead to buffer overflows, resulting in memory corruption, crashes, or potentially arbitrary code execution.

  • Google acknowledged that an exploit for this vulnerability exists in the wild, indicating it is being actively exploited by attackers.


Medium-Severity Vulnerabilities


  • CVE-2025-14372 (Use-after-free in Password Manager, $2,000 bounty)

  • Reported by Weipeng Jiang (@Krace) of VRI on 2025-11-14

  • CVE-2025-14373 (Inappropriate implementation in Toolbar, $2,000 bounty)

  • Reported by Khalil Zhani on 2025-11-18


Previous Chrome Zero-Days Addressed in 2025


  • CVE-2025-6554 (Type confusion in V8)

  • CVE-2025-10585 (Type confusion in V8)

  • CVE-2025-6558 (Insufficient validation of untrusted input in ANGLE and GPU)

  • CVE-2025-5419 (Out-of-bounds read and write in V8)

  • CVE-2025-4664 (Chrome browser vulnerability leading to account takeover)

  • CVE-2025-2783 (Incorrect handle in Mojo on Windows)

  • CVE-2025-13223 (Type confusion in V8)


Sources


  • https://securityaffairs.com/185566/hacking/google-fixed-a-new-actively-exploited-chrome-zero-day.html

  • https://securityonline.info/emergency-chrome-update-google-patches-new-zero-day-under-active-attack/

  • https://www.bleepingcomputer.com/news/security/google-fixes-eighth-chrome-zero-day-exploited-in-attacks-in-2025/

  • https://cyberinsider.com/google-fixes-eighth-actively-exploited-chrome-zero-day-of-2025/

  • https://www.securityweek.com/google-patches-mysterious-chrome-zero-day-exploited-in-the-wild/

  • https://threatprotect.qualys.com/2025/12/11/google-patches-zero-day-vulnerability-exploited-in-attack/

Recent Posts

See All

Comments

  • Youtube

© 2025 by Explain IT Again. Powered and secured by Wix

bottom of page