Active Exploitation of Undisclosed Chrome Zero-Day Vulnerability
Google has released urgent security updates for the Chrome browser to address a high-severity vulnerability that is being actively exploited in the wild. The flaw, tracked internally as issue 466192044, remains undisclosed in terms of its technical details, affected component, and CVE identifier, as Google is withholding this information to protect users while patches are deployed. Alongside this critical issue, two other medium-severity vulnerabilities—CVE-2025-14372 (use-after-free in Password Manager) and CVE-2025-14373 (inappropriate implementation in Toolbar)—were also fixed. Users of Chrome and other Chromium-based browsers such as Microsoft Edge, Brave, Opera, and Vivaldi are strongly advised to update to the latest versions to mitigate risk.
Security researchers have identified that the actively exploited vulnerability involves type confusion issues in Chrome’s V8 JavaScript engine, which can allow attackers to manipulate memory and potentially execute arbitrary code simply by luring users to malicious or compromised websites. With Chrome’s vast user base, the exposure is significant, and attackers are known to exploit such flaws before most users have updated. Google and security experts emphasize the importance of promptly applying browser updates and restarting Chrome to ensure protection against these in-the-wild attacks.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
5 events from the most recent confirmed update back to the earliest known activity.
CISA adds CVE-2025-14174 to the KEV catalog
CISA added CVE-2025-14174 to its Known Exploited Vulnerabilities catalog after the flaw was confirmed as exploited in the wild. The listing formally elevated the urgency for organizations to remediate the Chrome issue.
Exploited Chrome flaw is assigned CVE-2025-14174
After the initial advisory, the actively exploited issue was assigned CVE-2025-14174 and described as an out-of-bounds memory access in ANGLE on Mac exploitable via a crafted HTML page. This clarified the technical nature of the previously unnamed zero-day.
Google withholds technical details on the exploited flaw
When releasing the patch, Google declined to publish full technical details, affected-user information, or threat-actor attribution for the zero-day to reduce the risk of further exploitation before users updated. Early advisories referred to the issue only as Chromium issue 466192044 rather than a CVE.
Google releases emergency Chrome update for exploited zero-day
On December 10, 2025, Google issued an out-of-band Chrome security update fixing three flaws, including an actively exploited high-severity zero-day in the ANGLE Metal renderer. The update brought Chrome to 143.0.7499.109/.110 on Windows and macOS and 143.0.7499.109 on Linux, while also patching CVE-2025-14372 and CVE-2025-14373.
Apple and Google researchers discover Chrome zero-day in ANGLE
A Chrome zero-day later tracked as Chromium issue 466192044 was discovered by Apple's security engineering team and Google's Threat Analysis Group. The joint discovery suggested the bug may have been used in a targeted campaign associated with government-backed or mercenary spyware actors.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
10 references tracked. Mallory keeps watching after this page renders.
Google and Apple roll out emergency security updates after zero-day attacks
databreaches.net
Open sourceUpdate Now: Chrome Browser Vulnerable to Mysterious But Active Attack
au.pcmag.com
Open sourceGoogle fixes super-secret 8th Chrome 0-day
theregister.com
Open sourceGoogle fixes super-secret 8th Chrome 0-day
go.theregister.com
Open sourceGoogle Warns of Chrome 0-Day Vulnerability Actively Exploited in the wild
cybersecuritynews.com
Open sourceGoogle Chrome security advisory (AV25-829)
cyber.gc.ca
Open source[updated]Another Chrome zero-day under attack: update now
malwarebytes.com
Open sourceGoogle fixed a new actively exploited Chrome zero-day
securityaffairs.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Chrome Zero-Day Vulnerability CVE-2025-13223 Exploited in the Wild
Google has released an emergency security update to address CVE-2025-13223, a critical zero-day vulnerability in the V8 JavaScript engine used by Chrome and Chromium-based browsers. This type confusion flaw, discovered by Clément Lecigne of Google’s Threat Analysis Group (TAG), allows attackers to achieve heap corruption and potentially execute arbitrary code simply by luring users to maliciously crafted websites. The vulnerability has been actively exploited in the wild, with Google confirming that threat actors are weaponizing it to bypass browser sandbox protections, steal credentials, escalate privileges, and deploy malware. The fix is included in Chrome version 142.0.7444.175/.176 for Windows, Mac, and Linux, and users are strongly urged to update and restart their browsers immediately to mitigate risk. Other Chromium-based browsers, including Microsoft Edge, Brave, Opera, and Vivaldi, are also rolling out patches. The involvement of Google TAG suggests possible links to advanced persistent threats, highlighting the urgency for both individuals and enterprises to apply updates and monitor for suspicious activity.
Mar 21, 2026
Google Patches Two Actively Exploited Chrome Zero-Day Vulnerabilities
Google released emergency Chrome updates to fix two **high-severity zero-day vulnerabilities**, `CVE-2026-3909` and `CVE-2026-3910`, that are being **exploited in the wild**. Advisory reporting says the flaws can enable **data manipulation** and **security restriction bypass**, prompting a **high-risk** assessment. Google has not disclosed attack details, indicating access to technical information may remain restricted until more users have installed the fixes. Technical reporting identifies `CVE-2026-3909` as an **out-of-bounds write** in **Skia**, Chrome’s graphics library, and `CVE-2026-3910` as an **inappropriate implementation** issue in the **V8 JavaScript and WebAssembly engine**. Google said both were patched within days of being reported, with fixes rolling out to the Stable Desktop channel for **Windows `146.0.7680.75`**, **macOS `146.0.7680.76`**, and **Linux `146.0.7680.75`**. The company warned that full update deployment may take days or weeks, making prompt browser updates important while exploitation is ongoing.
Apr 2, 2026
Google Chrome Zero-Day Vulnerability Patched Amid Active Exploitation
Google has released an emergency security update for Chrome to address a newly discovered zero-day vulnerability that was actively exploited in the wild. This marks the eighth zero-day flaw patched in Chrome in 2025, with the latest vulnerability identified as a buffer overflow in the open-source LibANGLE library, specifically affecting the Metal renderer. The flaw could allow attackers to achieve memory corruption, crash the browser, leak sensitive information, or execute arbitrary code. The update is being rolled out to users on Windows, macOS, and Linux, though Google notes that full deployment may take several days or weeks. Google has withheld detailed technical information and the CVE identifier for the vulnerability to protect users until a majority have updated their browsers. The company confirmed that exploits for the vulnerability were observed in the wild and urges users to update Chrome as soon as possible. Users can either manually update their browsers or rely on automatic updates, which will apply the patch after the next browser restart.
Mar 21, 2026