CVE-2025-14174
Published: 12 December 2025
Description
Out of bounds memory access in ANGLE in Google Chrome on Mac prior to 143.0.7499.110 allowed a remote attacker to perform out of bounds memory access via a crafted HTML page. (Chromium security severity: High)
Mitigating Controls (NIST 800-53 r5)
Directly requires timely remediation through patching of the out-of-bounds memory access flaw in Chrome's ANGLE component, as listed in the CISA KEV catalog.
Implements memory protection mechanisms such as ASLR and DEP that mitigate exploitation of the out-of-bounds memory access vulnerability.
Enables vulnerability scanning to identify and remediate the presence of this known exploited Chrome vulnerability on systems.
Security Summary
CVE-2025-14174 is an out-of-bounds memory access vulnerability in the ANGLE graphics component of Google Chrome on Mac, affecting versions prior to 143.0.7499.110. A remote attacker can trigger this issue via a crafted HTML page, leading to improper memory access. It maps to CWE-787 (Out-of-bounds Write) and CWE-119 (Buffer Overflow), with a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) and Chromium security severity rated as High.
The vulnerability can be exploited by a remote attacker with no privileges required, though it depends on user interaction such as visiting a malicious site. Exploitation enables out-of-bounds memory access, potentially resulting in high-impact compromise of confidentiality, integrity, and availability without scope changes.
Mitigation is available through patching: Google Chrome users on Mac should update to version 143.0.7499.110 or later, as announced in the stable channel update for desktop on the Chrome Releases blog. Related details appear in the Chromium issue tracker at issues.chromium.org/issues/466192044 and Microsoft Edge security release notes. The vulnerability is also listed in the CISA Known Exploited Vulnerabilities Catalog.
This issue has seen real-world exploitation, as indicated by its inclusion in the CISA catalog.
Details
- CWE(s)
- KEV Date Added: 12 December 2025
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
This out-of-bounds memory access vulnerability in Chrome's ANGLE graphics component is exploited via a crafted HTML page, enabling remote code execution in a client application (web browser), directly mapping to Exploitation for Client Execution (T1203).