PT-2025-50966 · Google +4 · Google Chromium +6
Published: 2025-12-10 · Updated: 2026-01-22 · CVE-2025-14174
CVSS v3.1: 8.8 (High)
Base vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
WebKitGTK versions 2.50.4-0ubuntu0.25.04.1 and earlier
Google Chrome versions prior to 143.0.7499.110
Microsoft Edge (Chromium-based) versions prior to 143.0.7499.110
Apple Safari, Apple iPhone OS, Apple iPadOS, Apple macOS, Apple tvOS, Apple watchOS versions prior to 26.2
Opera versions prior to 125.0.5729.49
Opera GX versions prior to 125.0.5729.47
Opera Air versions prior to 125.0.5729.39
Opera Neon versions prior to 125.0.5729.40
wpewebkit in SberLinux (affected versions not specified)
webkit2gtk in Debian (affected versions not specified)
Description
Multiple security issues were discovered in WebKitGTK, Google Chrome, Microsoft Edge, Apple Safari, Opera, and related browsers. These issues could allow a remote attacker to achieve cross-site scripting, denial of service, arbitrary code execution, and out-of-bounds memory access. One of them, CVE-2025-14174, is an out-of-bounds memory access issue in ANGLE (Almost Native Graphics Layer Engine, a graphics rendering library) within Google Chrome and Chromium-based browsers. The flaw affects the graphics rendering engine and can be triggered by malicious web content: a crafted HTML page can exploit it, potentially leading to remote code execution. The vulnerability is actively exploited in the wild. Some reports indicate that a race condition was also addressed through improved state handling.
Recommendations
Update WebKitGTK to version 2.50.4-0ubuntu0.25.04.1 or later.
Update Google Chrome to version 143.0.7499.110 or later.
Update Microsoft Edge to version 143.0.7499.110 or later.
Update Apple Safari, Apple iPhone OS, Apple iPadOS, Apple macOS, Apple tvOS, and Apple watchOS to version 26.2 or later.
Update Opera to version 125.0.5729.49 or later.
Update Opera GX to version 125.0.5729.47 or later.
Update Opera Air to version 125.0.5729.39 or later.
Update Opera Neon to version 125.0.5729.40 or later.
Update the wpewebkit package in SberLinux.
Update the webkit2gtk package in Debian.
Fix · RCE · Memory Corruption · Buffer Overflow
Related Identifiers
CVE-2025-14174
DLA-4414-1
DSA-6083-1
RHSA-2025:23663
RHSA-2025:23700
RHSA-2025:23967
RHSA-2025:23968
RHSA-2025:23969
RHSA-2025:23970
RHSA-2025:23971
RHSA-2025:23972
RHSA-2025:23973
RHSA-2025:23974
USN-7957-1
Affected Products
ANGLE
Debian
Google Chrome
Google Chromium
Linux Mint
Apple macOS
Ubuntu
References
- https://ubuntu.com/security/CVE-2025-43529 · Vendor Advisory
- https://chromereleases.googleblog.com/2025/12/stable-channel-update-for-desktop_10.html · Security Note
- https://ubuntu.com/security/notices/USN-7957-1 · Vendor Advisory
- https://ubuntu.com/security/CVE-2025-43531 · Vendor Advisory
- https://ubuntu.com/security/CVE-2025-14174 · Vendor Advisory
- https://ubuntu.com/security/CVE-2025-43501 · Vendor Advisory
- https://ubuntu.com/security/CVE-2025-43541 · Vendor Advisory
- https://osv.dev/vulnerability/UBUNTU-CVE-2025-14174 · Vendor Advisory
- https://cve.org/CVERecord?id=CVE-2025-14174 · Security Note
- https://ubuntu.com/security/CVE-2025-43535 · Vendor Advisory
- https://nvd.nist.gov/vuln/detail/CVE-2025-14174 · Security Note
- https://ubuntu.com/security/CVE-2025-43536 · Vendor Advisory
- https://osv.dev/vulnerability/USN-7957-1 · Vendor Advisory
- https://learn.microsoft.com/en-us/deployedge/microsoft-edge-relnotes-security · Security Note
- https://twitter.com/transilienceai/status/2000808264850956332 · Twitter Post