Google has patched its eighth actively exploited zero-day vulnerability in Chrome for 2025, continuing an unusually persistent trend of in-the-wild browser attacks this year.
The critical security update is now rolling out to users on Windows, macOS, and Linux via version 143.0.7499.109/.110.
The zero-day, tracked internally under issue ID [466192044], has no assigned CVE and no technical details have been disclosed at this time. Google confirmed that exploitation is occurring in the wild but withheld further information, likely to protect users while the patch propagates. This approach is consistent with Google’s disclosure policy, which delays public bug details until most users have received the update or until related third-party libraries are also secured.
No information has been released regarding the attack vector, affected components, or threat actors involved. The absence of a CVE and technical description suggests the vulnerability may involve a shared dependency or an especially sensitive browser component where early disclosure could increase the risk to users.
In addition to the actively exploited issue, Google addressed two medium-severity vulnerabilities in this update:
- CVE-2025-14372: A use-after-free bug in the Password Manager, reported on November 14, 2025, by Weipeng Jiang of the Vulnerability Research Institute (VRI).
- CVE-2025-14373: An inappropriate implementation flaw in the Toolbar, reported by independent researcher Khalil Zhani on November 18, 2025.
The patched build, 143.0.7499.109 for Linux and 143.0.7499.109/.110 for Windows and macOS, is being distributed via the Stable channel and will reach users automatically over the coming days and weeks.
Google Chrome remains the dominant desktop browser globally, with over 60% market share. Its widespread use makes it a prime target for attackers seeking to exploit zero-day vulnerabilities, particularly in components like V8, the browser’s JavaScript and WebAssembly engine, and other privileged modules such as the renderer or network stack.
This marks the eighth confirmed zero-day Chrome vulnerability patched in 2025, following a steady cadence of critical fixes. The previous flaw, CVE-2025-13223, was a high-severity type confusion bug in V8 reported by Clément Lecigne from Google’s Threat Analysis Group (TAG) in mid-November. That issue, like several others earlier in the year, could have enabled attackers to execute arbitrary code in the browser context, posing significant risk, particularly when chained with sandbox escape vulnerabilities.
Most of the earlier zero-days addressed this year were memory corruption issues, primarily type confusion or use-after-free bugs, exploitable through malicious web content. Several were discovered by Google’s internal security teams, including TAG and Project Zero, while others were reported by independent researchers or external research labs.
Given the continued wave of in-the-wild exploitation, users are strongly urged to update Chrome immediately. To apply the latest patch:
- Open Chrome and navigate to Settings > About Chrome
- The browser will automatically check for updates and download the latest version
- Restart Chrome to apply the fix
For enterprise environments, enabling automatic updates and enforcing browser version compliance through group policy is recommended to ensure timely mitigation across large fleets.
If you liked this article, be sure to follow us on X/Twitter and also LinkedIn for more exclusive content.
