Google has released an urgent security update for Chrome to fix a critical use-after-free (UAF) vulnerability (CVE-2025-9478) found in the ANGLE graphics library. This flaw could allow attackers to execute arbitrary code and potentially take over affected systems.
The issue impacts Chrome versions earlier than 139.0.7258.154/.155 across Windows, macOS, and Linux.
Discovery and Severity
The vulnerability was discovered on August 11, 2025, by Google’s Big Sleep AI-powered vulnerability research team. It has been rated with the highest CVSS score of 9.8 (Critical), highlighting the severe risk of exploitation.
Key Points
- Chrome 139.0.7258.154/.155 fixes the ANGLE UAF flaw.
- Affects GPU rendering on Windows, macOS, and Linux.
- Update immediately, and reinforce defenses using EDR, isolation, and CSP.
What is ANGLE and Why It Matters
ANGLE (Almost Native Graphics Layer Engine) translates OpenGL ES API calls into platform-specific graphics APIs such as Direct3D, Vulkan, and OpenGL. Since ANGLE is widely used for WebGL rendering, HTML5 Canvas, and GPU-accelerated graphics, a flaw in its memory handling exposes millions of users to risk.
Exploitation Method
Use-after-free vulnerabilities arise when software continues to use memory after it has been released. In this case, specially crafted web content could exploit improper memory deallocation routines in ANGLE, leading to arbitrary code execution with the privileges of Chrome’s renderer process.
A successful attack could escalate further, enabling sandbox escapes and full system compromise. Threat actors could weaponize this vulnerability through:
- Malicious websites
- Drive-by downloads
- Malvertising campaigns
Risk Summary
| Risk Factors | Details |
|---|---|
| Affected Products | Chrome Desktop ≤ 139.0.7258.153 (Windows, macOS, Linux) |
| Impact | Arbitrary code execution |
| Exploit Prerequisites | User visits malicious GPU-accelerated web content |
| CVSS 3.1 Score | 9.8 (Critical) |
Mitigation and Recommendations
- Update immediately to Chrome 139.0.7258.154 or later.
- Apply application allowlisting, network segmentation, and EDR monitoring.
- Use Content Security Policy (CSP) headers and browser isolation to reduce attack vectors.
- Monitor for suspicious indicators like unusual traffic patterns, abnormal memory use, or unexpected process spawning.
With the possibility of zero-day exploitation, organizations and end users should act quickly to patch systems and tighten defenses.
