CVE ID

CVE-2025-14174

Published 2025-12-13
Updated 5 months ago
Vendor/s
Google
Product/s
Chromium
Version/s
143.0.7499.41 up to, but not including, 143.0.7499.110
KEV Status
Active Exploitation
Listed in CISA's Known Exploited Vulnerabilities catalogue. Active exploitation observed in the wild.
CVSS Score (v3.1)
8.8 / 10 (High)
Severity Details
Base score
8.8 High
Attack vector
Network
Attack complexity
Low
Privileges required
None
User interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Description

CVE-2025-14174 is a high-severity out-of-bounds (OOB) memory access vulnerability in Chromium-based browsers that is being actively exploited. Update Chrome and Edge immediately.

CPE

Google
Product        Version start    Version end (excl.)   Status
chrome         143.0.7499.41    143.0.7499.110        vulnerable
macos          -                -                     unaffected
chrome         143.0.7499.40    143.0.7499.109        vulnerable
linux_kernel   -                -                     unaffected
windows        -                -                     unaffected
chrome         *                143.0.7499.40         vulnerable
safari         *                26.2                  vulnerable
ipados         *                18.7.3                vulnerable
ipados         26.0             26.2                  vulnerable
iphone_os      *                18.7.3                vulnerable
iphone_os      26.0             26.2                  vulnerable
macos          *                26.2                  vulnerable
tvos           *                26.2                  vulnerable
visionos       *                26.2                  vulnerable
watchos        *                26.2                  vulnerable
edge_chromium  *                143.0.3650.80         vulnerable

Related weakness (CWE)

CWE-787, CWE-119

Remediation plan

1. Apply official patches

Immediately update Google Chrome, Microsoft Edge, and Apple Safari to the latest security releases. Google and Microsoft have released specific stable-channel updates to address this memory corruption flaw in the ANGLE component.

2. Update affected systems

Ensure Google Chrome is updated to version 143.0.7499.110 or later and Microsoft Edge is updated to version 143.0.3650.80 or later. For Apple users, update macOS, iOS, and iPadOS to the latest versions to patch integrated web components.
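As an added example (not code from the advisory or from either vendor), the following Python script checks an inventory of installed browser builds against the fixed versions named above: Chrome 143.0.7499.110 and Edge 143.0.3650.80. The hostnames and builds in the sample inventory are constructed. Versions are compared numerically field by field, because a plain string comparison would rank 143.0.7499.9 above 143.0.7499.110 and wrongly report that host as patched. Apple platforms are left out because the table above lists OS versions rather than browser builds.

```python
"""Flag hosts whose browser build is below the fixed version for CVE-2025-14174.

Added example, not part of the advisory. The fixed builds come from the
remediation plan above; the inventory rows are constructed sample data.
"""
from dataclasses import dataclass

# Earliest fixed build per product, as stated in remediation step 2.
FIXED_VERSIONS = {
    "chrome": "143.0.7499.110",
    "edge": "143.0.3650.80",
}


def parse_version(text):
    """Turn '143.0.7499.9' into (143, 0, 7499, 9) so comparison is numeric.

    Tuple comparison of ints gives the right answer; comparing the raw strings
    would rank '143.0.7499.9' above '143.0.7499.110' because '9' > '1'.
    """
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(p) for p in parts)


def is_fixed(product, version):
    """True when the installed build is at or above the fixed build."""
    fixed = FIXED_VERSIONS.get(product)
    if fixed is None:
        raise KeyError(f"no fixed version recorded for {product!r}")
    return parse_version(version) >= parse_version(fixed)


@dataclass
class Host:
    name: str
    product: str
    version: str


def find_exposed(hosts):
    """Return (host, product, version) for every host still below the fixed build.

    Products without a recorded fixed version are skipped rather than guessed.
    """
    exposed = []
    for h in hosts:
        if h.product not in FIXED_VERSIONS:
            continue
        if not is_fixed(h.product, h.version):
            exposed.append((h.name, h.product, h.version))
    return exposed


# Constructed sample inventory: hypothetical hostnames and builds.
SAMPLE_INVENTORY = [
    Host("ws-01", "chrome", "143.0.7499.41"),   # in the vulnerable range
    Host("ws-02", "chrome", "143.0.7499.110"),  # exactly the fixed build
    Host("ws-03", "chrome", "143.0.7499.9"),    # looks newer as a string, is older
    Host("ws-04", "edge", "143.0.3650.80"),     # exactly the fixed build
    Host("ws-05", "edge", "142.0.3595.53"),     # constructed older Edge build
    Host("ws-06", "firefox", "146.0"),          # not covered by this advisory
]


if __name__ == "__main__":
    for name, product, version in find_exposed(SAMPLE_INVENTORY):
        print(f"{name}: {product} {version} is below fixed build {FIXED_VERSIONS[product]}")
```

Feed the script the output of whatever inventory source you already have (software asset management export, EDR software inventory, or `chrome --version` collected by a management agent); the only assumption is a product name and a dotted build string per host.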

3. Restrict access

Deploy web filtering and secure web gateways to block access to untrusted or known malicious domains. Since the attack vector requires user interaction with a crafted HTML page, reducing exposure to unverified sites mitigates the risk of exploitation.

4. Monitor for exploitation

Configure Endpoint Detection and Response (EDR) tools to alert on frequent browser renderer process crashes or unusual memory allocation patterns. Monitor for suspicious child processes being spawned by browser executables, which may indicate a successful OOB access exploit.

Detection Guidance

Detection should focus on identifying browser instability and crashes related to the ANGLE engine or GPU process. Security teams should analyze EDR telemetry for anomalous memory access patterns originating from chrome.exe, msedge.exe, or Safari processes. Additionally, review web proxy and firewall logs for traffic to suspicious domains immediately preceding browser crashes, as this vulnerability is triggered via network-delivered malicious HTML content.
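As an added example of the two checks described above (not code from the advisory or from any EDR or proxy product), the following Python script parses constructed EDR crash telemetry and proxy log lines, flags hosts with a burst of browser crashes, and lists the domains each host contacted in the minute before a browser process crashed. The log formats, hostnames, domains (all under the reserved `.test` TLD) and timestamps are constructed for the example; a real deployment would swap in parsers for its own export formats.

```python
"""Correlate browser crash telemetry with preceding web-proxy requests.

Added example, not part of the advisory. Both log formats, the hosts, the
domains and the timestamps are constructed for illustration.
"""
from datetime import datetime, timedelta

BROWSER_PROCESSES = {"chrome.exe", "msedge.exe", "safari"}
LOOKBACK = timedelta(seconds=60)  # how far before a crash to look for requests

# Constructed EDR events: timestamp, host, process, event detail
EDR_LOG = """\
2025-12-14T10:00:05Z ws-01 chrome.exe crash renderer
2025-12-14T10:00:09Z ws-01 chrome.exe crash gpu-process
2025-12-14T10:00:12Z ws-01 chrome.exe crash renderer
2025-12-14T10:03:00Z ws-02 excel.exe crash
2025-12-14T10:05:00Z ws-03 msedge.exe crash renderer
"""

# Constructed proxy log: timestamp, host, domain, HTTP status
PROXY_LOG = """\
2025-12-14T09:59:40Z ws-01 updates.example-vendor.test 200
2025-12-14T09:59:58Z ws-01 cdn.suspicious-site.test 200
2025-12-14T10:02:30Z ws-02 intranet.example.test 200
2025-12-14T10:03:30Z ws-03 news.example.test 200
"""


def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ")


def parse_edr(text):
    events = []
    for line in text.splitlines():
        ts, host, proc, *rest = line.split()
        events.append({"ts": parse_ts(ts), "host": host,
                       "process": proc.lower(), "detail": " ".join(rest)})
    return events


def parse_proxy(text):
    requests = []
    for line in text.splitlines():
        ts, host, domain, status = line.split()
        requests.append({"ts": parse_ts(ts), "host": host,
                         "domain": domain, "status": int(status)})
    return requests


def browser_crashes(events):
    """Crash events whose process is one of the browsers named in the guidance."""
    return [e for e in events
            if e["process"] in BROWSER_PROCESSES and e["detail"].startswith("crash")]


def crash_bursts(events, threshold=3, window=timedelta(seconds=30)):
    """Hosts with at least `threshold` browser crashes inside any `window` span."""
    by_host = {}
    for e in browser_crashes(events):
        by_host.setdefault(e["host"], []).append(e["ts"])
    bursty = []
    for host, times in by_host.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                bursty.append(host)
                break
    return sorted(bursty)


def preceding_requests(crash, requests, lookback=LOOKBACK):
    """Proxy requests from the crashing host within `lookback` before the crash."""
    return [r for r in requests
            if r["host"] == crash["host"]
            and crash["ts"] - lookback <= r["ts"] <= crash["ts"]]


def correlate(edr_text, proxy_text):
    """Map each host with a browser crash to the domains it hit just beforehand."""
    events, requests = parse_edr(edr_text), parse_proxy(proxy_text)
    findings = {}
    for crash in browser_crashes(events):
        for r in preceding_requests(crash, requests):
            findings.setdefault(crash["host"], set()).add(r["domain"])
    return {host: sorted(domains) for host, domains in findings.items()}


if __name__ == "__main__":
    print("hosts with crash bursts:", crash_bursts(parse_edr(EDR_LOG)))
    for host, domains in correlate(EDR_LOG, PROXY_LOG).items():
        print(f"{host}: contacted {', '.join(domains)} before a browser crash")
```

The burst check implements step 4 of the remediation plan (frequent renderer crashes on one host), and the correlation implements the proxy-log review: the domains it returns are leads for an analyst to check against threat intelligence, not verdicts. ws-03's earlier request falls outside the 60-second lookback and is deliberately not reported.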

References

Sources

NIST National Vulnerability Database (NVD)
CISA Known Exploited Vulnerabilities (KEV)
