CVE-2025-14174 — Google Chromium Out of Bounds Memory Access Vulnerability

Google Chrome ANGLE: OOB Memory Access on macOS; KEV Listing Same Day as CVE Publication; Affects All Chromium-Based Browsers

What is Chrome's ANGLE Graphics Layer?

ANGLE (Almost Native Graphics Layer Engine) is Google's open-source library that translates OpenGL ES calls to native graphics APIs: Direct3D (Windows), Metal (macOS), Vulkan (Linux/Android/ChromeOS), and OpenGL desktop. Chrome uses ANGLE to render GPU-accelerated web content — WebGL, CSS effects, video, and 2D canvas operations. All Chromium-based browsers (Chrome, Edge, Opera, Brave, Vivaldi) use ANGLE, making ANGLE vulnerabilities universally impactful across the Chromium ecosystem.

Overview

CVE-2025-14174 is an out-of-bounds memory access vulnerability (CWE-787) in Chrome's ANGLE library that affects macOS specifically. When Chrome processes maliciously crafted web content with GPU-intensive operations, ANGLE accesses memory beyond its allocated buffer on macOS, potentially enabling code execution within the Chrome GPU process. The vulnerability was exploited as a zero-day before the patch shipped on December 10, 2025. CISA added it to the KEV catalog two days later, with a remediation deadline of January 2, 2026.

Affected Versions

| Product | Vulnerable | Fixed |
| --- | --- | --- |
| Google Chrome (macOS) | < 143.0.7499.110 | 143.0.7499.110 |
| Microsoft Edge (macOS) | Corresponding pre-fix version | Apply December 2025 Edge security update |
| Other Chromium browsers (macOS) | Varies by vendor | Update per vendor |

macOS-specific: The out-of-bounds memory access affects Chrome's ANGLE Metal backend (macOS uses Metal for GPU rendering). Windows and Linux Chromium users are unaffected by this specific CVE.

Technical Details

The out-of-bounds memory access (CWE-787) occurs in ANGLE's macOS Metal backend during processing of GPU rendering commands generated from web content (WebGL, CSS GPU effects, HTML canvas operations). A crafted HTML page containing malicious WebGL or Canvas operations triggers ANGLE to write or read beyond an allocated buffer in the GPU process.

Exploitation chain context:

  1. Victim visits a malicious or compromised web page in Chrome for macOS
  2. Page's JavaScript/WebGL triggers the ANGLE out-of-bounds memory access in Chrome's GPU process
  3. Memory corruption in the GPU process may enable code execution within the Chrome GPU sandbox
  4. A sandbox escape (separate vulnerability) would be needed to achieve full OS-level code execution

Chrome's GPU process is less sandboxed than the renderer process, making GPU vulnerabilities a valuable stepping stone in exploit chains even without immediate full sandbox escape.

Discovery

Zero-day exploitation confirmed before patch release. Reporter not publicly disclosed at patch time.

Exploitation Context

CISA added the CVE to KEV on December 12, the same day it was published and two days after the December 10 patch, which indicates confirmed exploitation in the wild before the patch shipped. The macOS-specific scope suggests targeted attacks against macOS users, consistent with commercial surveillance tools and nation-state actors that maintain macOS exploit chains.

Remediation

  1. Update Chrome on macOS to 143.0.7499.110 or later immediately. Check Chrome menu → Help → About Google Chrome. The CISA deadline was January 2, 2026.
  2. Update all Chromium-based browsers on macOS: Edge, Brave, Opera, Vivaldi — all use ANGLE and need vendor-specific updates.
  3. Only macOS users are affected by this specific CVE — Windows and Linux Chromium users need not take action for CVE-2025-14174 specifically (though unrelated Chrome security updates should still be applied).
  4. Enable automatic Chrome updates to receive future zero-day fixes without manual intervention.
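
For fleets where checking each About page by hand is impractical, the scoping rules above can be applied to a browser inventory export. This is an added example, not code from Google or CISA; the CSV layout, status labels, hostnames and sample versions are assumptions constructed for illustration. Versions are compared as integer tuples, because a plain string comparison mis-orders builds such as 99.x against 143.x.

```python
# Added example: triage a browser inventory against the fix version on this page.
import csv
import io

FIXED_CHROME = (143, 0, 7499, 110)  # from this page: Chrome for macOS fix
CHROMIUM_FORKS = {"edge", "brave", "opera", "vivaldi"}  # browsers named on this page

def parse_version(text):
    """Turn '143.0.7499.109' into (143, 0, 7499, 109); None if malformed."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdecimal() for p in parts):
        return None
    return tuple(int(p) for p in parts)

def triage(row):
    """Classify one inventory row for CVE-2025-14174 (labels are hypothetical)."""
    if row["os"].strip().lower() != "macos":
        return "not-affected"          # page: only macOS is in scope
    browser = row["browser"].strip().lower()
    if browser == "chrome":
        version = parse_version(row["version"])
        if version is None:
            return "unknown-version"   # fail closed: needs a manual check
        return "patched" if version >= FIXED_CHROME else "vulnerable"
    if browser in CHROMIUM_FORKS:
        return "check-vendor"          # fixed build differs per vendor
    return "not-chromium"

def triage_inventory(csv_text):
    """Return (host, browser, status) for every row of the CSV export."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return [(r["host"], r["browser"], triage(r)) for r in reader]

# Constructed sample inventory (hosts and versions are made up).
SAMPLE = """host,os,browser,version
mac-001,macOS,Chrome,143.0.7499.109
mac-002,macOS,Chrome,143.0.7499.110
mac-003,macOS,Chrome,99.0.4844.84
mac-004,macOS,Edge,143.0.3650.66
win-001,Windows,Chrome,142.0.7444.60
mac-005,macOS,Chrome,143.0.7499
mac-006,macOS,Safari,26.1
"""

if __name__ == "__main__":
    for host, browser, status in triage_inventory(SAMPLE):
        print(f"{host:8} {browser:8} {status}")
```

Rows marked check-vendor still need the vendor's own fixed build number, which this page does not list.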

Key Details

| Property | Value |
| --- | --- |
| CVE ID | CVE-2025-14174 |
| Vendor / Product | Google / Chromium |
| NVD Published | 2025-12-12 |
| NVD Last Modified | 2025-12-15 |
| CVSS 3.1 Score | 8.8 |
| CVSS 3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| Severity | HIGH |
| CWE | CWE-787 |
| CISA KEV Added | 2025-12-12 |
| CISA KEV Deadline | 2026-01-02 |
| Known Ransomware Use | No |

CVSS 3.1 Breakdown

| Metric | Value |
| --- | --- |
| Attack Vector | Network |
| Attack Complexity | Low |
| Privileges Required | None |
| User Interaction | Required |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity | High |
| Availability | High |

Required Action

CISA BOD 22-01 Deadline: 2026-01-02. Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Timeline

| Date | Event |
| --- | --- |
| 2025-12-10 | Chrome 143.0.7499.110 (macOS) released with fix; zero-day exploitation confirmed |
| 2025-12-12 | CVE published; CISA adds to KEV the same day (indicating pre-patch exploitation) |
| 2026-01-02 | CISA BOD 22-01 remediation deadline (New Year's Day + 1 day) |