Cyber Resilience

CVE-2025-14174

HighCISA KEVActive ExploitationEUVD Exploited

Published: 12 December 2025

Published
12 December 2025
Modified
15 December 2025
KEV Added
12 December 2025
Patch
CVSS Score v3.1 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS Score 0.0027 50.3th percentile
Risk Priority 38 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-14174 is a high-severity Out-of-bounds Write (CWE-787) vulnerability in Google Chrome. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203); ranked in the top 49.7% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and RA-5 (Vulnerability Monitoring and Scanning).

Deeper analysis

CVE-2025-14174 is an out-of-bounds memory access vulnerability in the ANGLE graphics component of Google Chrome on Mac, affecting versions prior to 143.0.7499.110. A remote attacker can trigger this issue via a crafted HTML page, leading to improper memory access. It maps to CWE-787 (Out-of-bounds Write) and CWE-119 (Buffer Overflow), with a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) and Chromium security severity rated as High.

The vulnerability can be exploited by a remote attacker with no privileges required, though it depends on user interaction such as visiting a malicious site. Exploitation enables out-of-bounds memory access, potentially resulting in high-impact compromise of confidentiality, integrity, and availability without scope changes.

Mitigation is available through patching: Google Chrome users on Mac should update to version 143.0.7499.110 or later, as announced in the stable channel update for desktop on the Chrome Releases blog. Related details appear in the Chromium issue tracker at issues.chromium.org/issues/466192044 and Microsoft Edge security release notes. The vulnerability is also listed in the CISA Known Exploited Vulnerabilities Catalog.

This issue has seen real-world exploitation, as indicated by its inclusion in the CISA catalog.

EU & UK References

Vulnerability details

Out of bounds memory access in ANGLE in Google Chrome on Mac prior to 143.0.7499.110 allowed a remote attacker to perform out of bounds memory access via a crafted HTML page. (Chromium security severity: High)

CWE(s)
KEV Date Added
12 December 2025

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1203 Exploitation for Client Execution Execution
Adversaries may exploit software vulnerabilities in client applications to execute code.
Why these techniques?

This out-of-bounds memory access vulnerability in Chrome's ANGLE graphics component is exploited via a crafted HTML page, enabling remote code execution in a client application (web browser), directly mapping to Exploitation for Client Execution (T1203).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-3909Same product: Apple Macosboth on KEV
CVE-2026-3910Same product: Apple Macosboth on KEV
CVE-2025-13223Same product: Apple Macosboth on KEV
CVE-2026-5281Same product: Apple Macosboth on KEV
CVE-2025-10585Same product: Apple Macosboth on KEV
CVE-2025-12727Same product: Apple Macos
CVE-2026-9965Same product: Apple Macos
CVE-2026-2441Same product: Apple Macosboth on KEV
CVE-2025-43529Same product: Apple Ipadosboth on KEV
CVE-2025-31277Same product: Apple Ipadosboth on KEV

Affected Assets

google
chrome
143.0.7499.41 — 143.0.7499.110 · 143.0.7499.40 — 143.0.7499.109 · ≤ 143.0.7499.40
apple
safari
≤ 26.2
apple
ipados
≤ 18.7.3 · 26.0 — 26.2
apple
iphone os
≤ 18.7.3 · 26.0 — 26.2
apple
macos
≤ 26.2
apple
tvos
≤ 26.2
apple
visionos
≤ 26.2
apple
watchos
≤ 26.2
microsoft
edge chromium
≤ 143.0.3650.80

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires timely remediation through patching of the out-of-bounds memory access flaw in Chrome's ANGLE component, as listed in the CISA KEV catalog.

prevent

Implements memory protection mechanisms such as ASLR and DEP that mitigate exploitation of the out-of-bounds memory access vulnerability.

preventdetect

Enables vulnerability scanning to identify and remediate the presence of this known exploited Chrome vulnerability on systems.

References