Google has released an emergency Chrome 143 update to close a zero-day flaw, now tracked as CVE-2025-14174, that the company says is already being abused in real-world attacks. The bug first surfaced with no CVE and only an internal tracker ID (466192044), and it has since been linked to two Apple zero-days patched around the same time, an overlap in timing that points toward a coordinated, cross-platform operation. Anyone running Chrome should confirm they are on version 143 or later and relaunch the browser immediately.
What is actually confirmed about CVE-2025-14174
When Google initially pushed the fix, it published almost nothing about the underlying issue. The vulnerability was rated high severity and flagged as "under coordination" — an uncommon status that indicates the disclosure is still being managed alongside outside parties, typically other vendors or government agencies, before the full story is released.
Google withheld the name of the reporting researcher and never identified which part of the browser was affected. That degree of secrecy is unusual even for zero-day advisories and quickly attracted scrutiny from the research community. The flaw was later assigned CVE-2025-14174 and connected to two freshly patched Apple zero-days, which suggests a single exploit chain or threat actor was going after both platforms at once.
As of this writing, Google has not publicly confirmed the affected browser component, the exact attack vector, or a CVSS score. Treat any specific component attribution circulating online as unverified until Google or NVD publishes the full record.
The likely class of bug (historical pattern, not confirmation)
It's worth being explicit: the following is the historical pattern for exploited Chrome zero-days, not a confirmed description of this one. Most in-the-wild Chrome zero-days have landed in the V8 JavaScript engine, and they tend to fall into one of two categories:
- Type confusion — V8 misinterprets the type of a JavaScript object, opening the door to out-of-bounds reads or writes.
- Use-after-free — memory that was already released is referenced again, which can lead to arbitrary code execution or a sandbox break.
Both classes can be developed into remote code execution or a sandbox escape, where simply loading a malicious page is enough to compromise the system with little to no user interaction. Again, Google has not stated that CVE-2025-14174 belongs to either category — this is context, not attribution.
The cross-platform angle
The most notable detail in this disclosure is the tie between CVE-2025-14174 and the two Apple zero-days fixed in the same window. Exploit chains that span multiple vendors are a signature of commercial spyware operators and nation-state groups, who pour resources into full-device compromise capabilities that won't collapse the moment one vendor ships a patch.
Pairing a Chrome renderer exploit with an operating-system-level Apple bug can let an attacker break out of the browser sandbox and establish lasting access to the device, whether it runs macOS or iOS. That kind of engineering investment is far beyond opportunistic crime and is characteristic of state-sponsored espionage. Spyware platforms historically associated with vendors like NSO Group and Intellexa are known to buy up multi-vendor, multi-platform chains precisely to widen their reach.
The other two bugs fixed in Chrome 143
Alongside the actively exploited zero-day, Chrome 143 resolved two medium-severity issues:
- Use-after-free in the password manager — a defect in the component responsible for storing and autofilling credentials. The reporter received a $2,000 bounty.
- Inappropriate implementation in the toolbar — a logic error in the browser's UI layer, also rewarded with $2,000.
Neither appears to have been exploited, but a use-after-free in a credential-handling component is worth patching quickly given the obvious potential for credential theft.
Why this looks targeted rather than widespread
The way Google handled the initial disclosure — no CVE, no component, no researcher credit — fits a narrowly targeted attack far better than mass exploitation. When zero-days are caught being deployed against a handful of high-value people, such as journalists, dissidents, or officials, vendors and intelligence agencies frequently coordinate the release to avoid alerting the attacker before victims can be warned. The concurrent Apple patches reinforce that interpretation.
A note on the circulating "PoC"
A GitHub repository (Satirush/CVE-2025-14174-Poc) claims to host a working proof-of-concept for this CVE, describing it as a memory-corruption flaw (CWE-119, out-of-bounds access) in the ANGLE graphics engine reachable through crafted WebGL or shader content.
Treat this repository with extreme caution. Its description reads like clout/marketing copy rather than a researcher's write-up — for example, it claims the exploit "works reliably even on patched versions" and "bypasses common mitigations," which is internally incoherent and a well-known hallmark of fake or malicious "PoC" repos. None of its technical claims (including the ANGLE/CWE-119 attribution and the EUVD-2025-203113 alias) are corroborated by an authoritative advisory at the time of writing, so do not download, run, or cite it as fact. We mention it only so readers recognize and avoid it.
How to make sure you're protected
Chrome usually updates itself, but verify manually right now:
- Go to Menu → Help → About Google Chrome.
- Confirm the version reads Chrome 143 or newer.
- Restart the browser if an update is staged — the fix does not take effect until Chrome relaunches.
Enterprise admins should prioritize the Chrome 143 rollout through their endpoint management tooling and review browser telemetry for unusual JavaScript or GPU/rendering activity that could signal pre-patch exploitation.
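For fleet-wide verification, the same check can be run over an inventory export. The following is an added example, not code from Google or from any endpoint management product: the CSV columns (`host`, `installed`, `running`), hostnames and build numbers are constructed assumptions, and only the major-version threshold of 143 comes from the article. It separates hosts that lack the update from hosts where the update is staged but an older Chrome process is still running.

```python
import csv
import io
import re

MIN_MAJOR = 143  # fixed Chrome release named in the article

# Constructed sample export: hostnames, column names and build numbers are invented.
SAMPLE_INVENTORY = """host,installed,running
ws-001,Google Chrome 143.0.0.0,Google Chrome 143.0.0.0
ws-002,Google Chrome 143.0.0.0,Google Chrome 142.0.0.0
ws-003,Google Chrome 142.0.0.0,Google Chrome 142.0.0.0
ws-004,Google Chrome 144.0.0.0,
ws-005,unknown,
"""

VERSION_RE = re.compile(r"\b(\d+)\.\d+\.\d+\.\d+\b")


def parse_major(text):
    """Return the major version from a four-part Chrome version string, or None."""
    match = VERSION_RE.search(text or "")
    return int(match.group(1)) if match else None


def classify(installed, running):
    """Map one host's installed and running versions to a patch status."""
    installed_major = parse_major(installed)
    running_major = parse_major(running)
    if installed_major is None:
        return "UNKNOWN"            # no usable data: investigate, do not assume patched
    if installed_major < MIN_MAJOR:
        return "VULNERABLE"         # update not installed yet
    if running_major is not None and running_major < MIN_MAJOR:
        return "RELAUNCH_REQUIRED"  # update staged, old process still running
    return "PATCHED"


def audit(inventory_csv):
    """Return {host: status} for every row of the inventory export."""
    rows = csv.DictReader(io.StringIO(inventory_csv))
    return {row["host"]: classify(row["installed"], row["running"]) for row in rows}


if __name__ == "__main__":
    for host, status in audit(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

Hosts reported as `RELAUNCH_REQUIRED` are the ones a version-only compliance report would miss, since the installed binary is already current.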
Part of a 2025 trend
CVE-2025-14174 is one of several actively exploited Chrome zero-days Google has fixed in 2025. Chrome's dominant market share keeps it squarely in the crosshairs of both criminal and state-backed actors, and the V8 engine — despite hardening work such as MiraclePtr and memory tagging — remains a large and complex attack surface. The recurring lesson is straightforward: browser security is not finished, and even heavily audited code still yields flaws that well-funded attackers can find first.
Bottom line
A zero-day that began with essentially no public detail has hardened into evidence of a coordinated, cross-platform espionage effort, underscored by Apple's simultaneous patches. That profile — expensive multi-vendor chains used sparingly against select targets — argues for treating any unpatched Chrome install as a real risk. Update to Chrome 143 now, and ignore the unverified "PoC" circulating on GitHub.