CVE-2025-9478: Google Chrome Patches Critical Use-After-Free Vulnerability
Google has released an emergency update for Chrome to address a critical vulnerability, CVE-2025-9478, in the ANGLE graphics library. The flaw, a use-after-free error discovered on August 11 by the Google Big Sleep team, allows attackers to execute arbitrary code via specially crafted WebGL or Canvas operations. Merely visiting a malicious webpage is enough for the browser to overwrite memory and run attacker-supplied code with the privileges of the current user—opening the door to malware installation, data theft, and further compromise of corporate networks, a scenario particularly dangerous for businesses and high-value targets.
The fix is available in Chrome Stable 139.0.7258.154/.155 for Windows and macOS, and 139.0.7258.154 for Linux. Updates are distributed automatically, but Google strongly urges users to accelerate installation. For enterprise environments with strict change controls, MSI packages and an Enterprise Bundle are provided to streamline deployment.
The root of the problem lies in ANGLE, the component responsible for translating OpenGL ES calls into native graphics APIs. Due to the bug, freed memory could be reused, allowing an attacker to replace its contents. If successfully exploited, this results in arbitrary code execution, making the vulnerability a powerful vehicle for drive-by attacks—requiring only a single visit to a compromised site. Potential consequences include the deployment of spyware, ransomware, and other persistence tools aimed at infiltrating the victim’s infrastructure.
Google advises administrators not to delay updates and to closely monitor proxy and endpoint logs for anomalies related to WebGL and graphics APIs. It also recommends strict adherence to the principle of least privilege and warns users against clicking on unknown links, particularly those containing interactive graphical content.
Details of exploitation techniques for CVE-2025-9478 have not yet been disclosed, giving most users time to patch their systems. Google underscores the importance of external vulnerability reporting and continues to offer bug bounty rewards, reinforcing collaboration between security researchers and developers to safeguard open-source projects.