Google has released an emergency update for Chrome to address a critical vulnerability (cve-2025-9478) in the Angle library. This vulnerability, known as a “use-after-free” error, was discovered on August 11 by the Google Big Sleep command. It allows attackers to execute arbitrary code through specially prepared webgl- or webg Canvas operations. Exploiting this flaw could lead to the installation of malware, data theft, and unauthorized access to corporate networks, posing a significant threat to companies and valuable targets.
The updates are available in Chrome Stable version 139.0.7258.154/.155 for Windows and MacOS, as well as version 139.0.7258.154 for Linux. While distribution happens automatically, Google strongly advises users to expedite the installation. Corporate system administrators are offered MSI packages and Enterprise Bundle for easier deployment and management.
The vulnerability stems from the Angle component, responsible for transmitting OpenGL ES calls into native graphic APIs. The flaw allows released memory to be recycled, enabling attackers to manipulate its contents and execute arbitrary code. This turns the vulnerability into a potent tool for drive-by attacks, where simply visiting an infected site is sufficient. Potential repercussions include the deployment of espionage tools, ransomware, and other malicious software to compromise victims’ infrastructure.
Google urges administrators to promptly apply the updates and monitor for any anomalies related to WebGL and graphic APIs. It is also essential to uphold the principle of least privilege and educate users about the risks of interacting with unknown links, particularly those containing interactive graphics.
Further details about the cve-2025-9478 operation have not been disclosed to provide time for most users to take action. Google emphasizes the significance of reporting external error messages and continues to reward the discovery of bugs, fostering collaboration between researchers and developers to enhance the security of open projects.