
CISA Alerts on Google Chromium 0-Day Being Exploited

Severity

High

Analysis Summary

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical zero-day vulnerability in Google Chromium’s ANGLE graphics engine to its Known Exploited Vulnerabilities (KEV) catalog. Tracked as CVE-2025-14174, this flaw enables remote attackers to trigger out-of-bounds memory access via a malicious HTML page, potentially leading to arbitrary code execution in Chromium-based browsers. Although no confirmed ransomware links have been reported, the vulnerability poses significant risks for drive-by compromises, data theft, or integration into broader attack chains. Federal agencies are mandated to apply mitigations by January 2, 2026, or discontinue use of the affected products.

CVE-2025-14174 resides in ANGLE, Chromium’s OpenGL ES interface layer, where improper bounds checking allows memory corruption. Exploitation can occur when a crafted webpage invokes the flaw during rendering, potentially bypassing sandbox protections in certain scenarios. The National Vulnerability Database (NVD) assigns it a high severity rating, with a CVSS v3.1 score of 8.8, indicating serious remote code execution risk. Affected versions include Chromium prior to 131.0.6778.200, while patched versions are available for Chrome (131.0.6778.201+), Edge (131.0.3139.95+), and other Chromium-based browsers.

While no public indicators of compromise (IoCs) have surfaced, experts warn that threat actors may exploit this vulnerability through phishing campaigns, malvertising, or other attack vectors. Security teams are advised to scan environments for unpatched browsers, enforce automatic updates, and monitor for anomalous crashes or unusual rendering behavior. Google and Microsoft have already released patched versions, with Chrome fixed on December 10 and Edge following shortly after. Users of Opera and other Chromium derivatives should check their vendor channels and apply updates promptly.

This incident highlights the expansive attack surface of Chromium, which powers over 70% of desktop browsers worldwide. Organizations should prioritize remediation to mitigate risks from zero-day exploits targeting widely used software. Immediate patching, monitoring, and adherence to CISA directives remain critical to defend against potential compromises and maintain cybersecurity resilience amid rising zero-day activity.

Impact

  • Data Theft
  • Gain Access

Indicators of Compromise

CVE

  • CVE-2025-14174

Affected Vendors

Google

Remediation

  • Update Chromium-based browsers to the latest versions.
  • Ensure browsers auto-update to prevent exploitation of newly discovered vulnerabilities.
  • Identify devices running vulnerable browser versions across your environment.
  • Watch for unusual browser crashes or rendering errors, which may indicate exploitation attempts.
  • Adhere to Binding Operational Directive (BOD) 22-01 for federal systems and implement recommended mitigations.
  • Temporarily restrict access to critical systems that cannot be patched immediately.
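The third remediation step, identifying devices that still run a vulnerable browser build, is where inventory scripts most often go wrong: comparing version strings lexically ranks "131.0.6778.99" above "131.0.6778.200" and silently marks a vulnerable host as patched. The following Python triage helper is an added example, not Rewterz's tooling or anything from the Chromium project; it compares versions numerically against the fixed versions stated in this advisory (Chromium prior to 131.0.6778.200 affected, Chrome fixed from 131.0.6778.201, Edge fixed from 131.0.3139.95) and routes products the page does not map, such as Opera, to a manual vendor check. The inventory lines, hostnames and the Opera version are constructed sample data; collecting real versions from endpoints is left to whatever inventory source the environment already has.

```python
"""Version triage helper for CVE-2025-14174 (added example, not Rewterz's tooling).

Thresholds are the ones stated in the advisory: Chromium prior to
131.0.6778.200 is affected; Chrome is fixed from 131.0.6778.201 and
Edge from 131.0.3139.95. The inventory below is constructed sample data.
"""
from __future__ import annotations

import re

# Per-product minimum safe version, as given in the advisory text above.
FIXED_VERSIONS: dict[str, tuple[int, ...]] = {
    "chrome": (131, 0, 6778, 201),
    "edge": (131, 0, 3139, 95),
    "chromium": (131, 0, 6778, 200),
}

_VERSION_RE = re.compile(r"^\d+(?:\.\d+){1,3}$")


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '131.0.6778.199' into (131, 0, 6778, 199) so tuples compare numerically.

    A plain string comparison would rank '131.0.6778.99' above '131.0.6778.200',
    which is exactly the mistake that leaves a vulnerable host marked as safe.
    """
    text = text.strip()
    if not _VERSION_RE.match(text):
        raise ValueError(f"unrecognised version string: {text!r}")
    parts = tuple(int(p) for p in text.split("."))
    # Pad short versions (e.g. '131.0') so comparison with 4-part fixed versions is sane.
    return parts + (0,) * (4 - len(parts))


def is_vulnerable(product: str, version: str) -> bool:
    """Return True if this product/version is below the advisory's fixed version.

    Chromium derivatives the page does not map (Opera, Brave, ...) cannot be
    judged against these thresholds, so a KeyError tells the caller to check
    the vendor channel instead of guessing.
    """
    key = product.strip().lower()
    if key not in FIXED_VERSIONS:
        raise KeyError(f"no fixed version known for {product!r}; check vendor channel")
    return parse_version(version) < FIXED_VERSIONS[key]


def triage(inventory: list[str]) -> dict[str, list[str]]:
    """Classify 'host, product, version' lines into vulnerable / patched / unknown."""
    result: dict[str, list[str]] = {"vulnerable": [], "patched": [], "unknown": []}
    for line in inventory:
        fields = [f.strip() for f in line.split(",")]
        if len(fields) != 3:
            result["unknown"].append(line)  # malformed record: surface it, don't drop it
            continue
        host, product, version = fields
        try:
            bucket = "vulnerable" if is_vulnerable(product, version) else "patched"
        except (KeyError, ValueError):
            bucket = "unknown"
        result[bucket].append(host)
    return result


# Constructed sample inventory (hostnames and versions are made up for illustration).
SAMPLE_INVENTORY = [
    "ws-01, Chrome, 131.0.6778.199",   # below the Chrome fix -> vulnerable
    "ws-02, Chrome, 131.0.6778.201",   # exactly the fixed version -> patched
    "ws-03, Edge, 131.0.3139.94",      # one build below the Edge fix -> vulnerable
    "ws-04, Edge, 131.0.3139.95",      # patched
    "ws-05, Chromium, 131.0.6778.99",  # numerically lower despite looking "higher" as text
    "ws-06, Opera, 115.0.5322.109",    # not mapped on the page -> manual vendor check
]

if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket:>10}: {', '.join(hosts) or '-'}")
```

Hosts landing in the "unknown" bucket are the ones to follow up with the vendor rather than treat as patched; the advisory's remediation guidance for Opera and other derivatives is exactly that manual check.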