What happened

CISA added CVE-2025-14174 to the Known Exploited Vulnerabilities catalog, confirming in-the-wild exploitation of a Chromium graphics-path bug CISA KEV. The entry describes an out-of-bounds memory access in ANGLE that a remote attacker can trigger using a crafted HTML page NVD detail. The CVE record is published and tracked by MITRE as CVE-2025-14174 MITRE CVE.

Per the KEV catalog, federal agencies must remediate per vendor guidance under Binding Operational Directive timelines; this item was added 2025-12-12 with a due date of 2026-01-02 CISA KEV. The affected product is listed as Google Chromium, meaning multiple Chromium-based browsers (e.g., Chrome, Edge, Opera) likely inherit exposure until their upstream patch is applied NVD detail.

Why it matters

Chromium underpins a large percentage of enterprise browsers, so a memory-safety bug in a shared rendering/graphics layer can present a wide attack surface across fleets NVD detail. The attack is remote and web-reachable: a crafted HTML page can trigger the out-of-bounds access, making opportunistic exploitation via web content plausible wherever unpatched browsers are allowed to render untrusted pages CISA KEV. KEV inclusion signals observed exploitation by adversaries, so defenders should assume active probing and opportunistic hits against lagging endpoints CISA KEV.

Because the vulnerable component sits in Chromium’s pipeline, any downstream browser that tracks stable Chromium drops is on the hook to ship updates; organizations that treat “Chrome-only” patching as sufficient may still be exposed via other Chromium-based browsers until each vendor release lands NVD detail. For government operators, the KEV due date defines the maximum acceptable exposure window; for everyone else, it’s the SLA you should copy CISA KEV.

Technical detail

The vulnerability is characterized as an out-of-bounds memory access in ANGLE reachable from web content, triggered by a crafted HTML page NVD detail. Out-of-bounds access defects are memory-safety violations that occur when code reads or writes outside intended buffers; in browser graphics paths, malformed inputs derived from web content can steer execution into illegal memory regions MITRE CVE. In this case, the reachable condition is tied to Chromium’s handling of content that exercises ANGLE, mediated by HTML-rendered artifacts NVD detail.

CISA’s move to KEV indicates real-world exploitation, but public records do not enumerate exploit primitives, sandbox impact, or post-exploitation steps; defenders should treat it as a memory-safety bug with web-triggered reachability and prioritize patching across all Chromium-based browsers CISA KEV. The canonical CVE tracking remains live at MITRE and should be monitored for updates to references or analysis MITRE CVE.

Operationally, browse-time indicators for memory-safety exploitation attempts can include abrupt renderer terminations, GPU/utility process crashes, or abnormal browser restarts while visiting a specific page set; treat clusters of such signals during web sessions as suspicious until patched fleetwide NVD detail.

Defense

• Patch fast. Deploy the latest stable releases for all Chromium-based browsers across managed platforms; prioritize Chrome, Edge, and any OEM Chromium derivatives in your org’s catalog CISA KEV.
• Enforce update compliance. Use device management to block or quarantine endpoints running browser builds older than your approved fixed versions; gate internet access for noncompliant versions until remediated NVD detail.
• Inventory breadth, not brand. Enumerate every Chromium-based browser installed (including embedded app-browsers) and map them to upstream Chromium patch levels to avoid blind spots MITRE CVE.
• Monitor for crash telemetry. Alert on repeated renderer/GPU process crashes, especially when correlated to specific URLs or ad networks, and auto-isolate the session while you verify patch state NVD detail.
• Control exposure during rollout. If needed, restrict access to untrusted web content categories until patch compliance reaches target thresholds; prefer allowlists for high-risk roles CISA KEV.
• For FCEB operators, follow BOD 22-01 timelines: remediate by the KEV due date (2026-01-02) or apply vendor-recommended mitigations where patching is not immediately possible CISA KEV.

Track the CVE entries for any updates to references or vendor guidance as additional details are published MITRE CVE. Keep KEV in your continuous controls as a policy-based accelerator for patch SLAs and exception handling CISA KEV.

Lyrie Verdict

This is a web-reachable, actively exploited Chromium memory-safety bug. Treat it as a machine-speed threat vector. Lyrie binds KEV exposure into autonomous controls: we continuously resolve browser inventory to upstream Chromium lineage, flag CVE-2025-14174 risk, and auto-enforce isolation for outdated builds until remediated CISA KEV. Our detectors watch for browser crash clusters indicative of memory-safety abuse during page rendering and cut sessions pre-exploitation, not after triage NVD detail. We ship kill-switch policies tied to KEV entries so fleets don’t wait on human review before suppressing exploit traffic and forcing patch compliance windows MITRE CVE.