Google and the Chromium project have released an emergency patch for a newly assigned Chromium CVE — CVE‑2025‑10502, a heap buffer overflow in the ANGLE graphics translation layer — and administrators and end users must treat this as a high‑priority browser update task while verifying downstream ingestion for Chromium‑based browsers such as Microsoft Edge. (cybersecurity-help.cz) (tenable.com)
Background
ANGLE (Almost Native Graphics Layer Engine) is a widely used compatibility layer that translates WebGL and other GPU APIs to platform‑specific driver calls. Because ANGLE sits between untrusted web content (JavaScript/WebGL) and system GPU drivers, memory‑safety defects in ANGLE carry outsized risk: they can produce heap corruption inside privileged renderer or GPU processes and — in the worst case — be chained toward sandbox escape and arbitrary code execution. This structural risk is why ANGLE bugs are regularly treated as high‑priority fixes by the Chromium security team.
Chromium security teams assigned CVE‑2025‑10502 after an internal report from the Google team identified a boundary error that can be triggered by specially crafted HTML/WebGL content. The vulnerability has been described as a heap buffer overflow (CWE‑122) in ANGLE; the bug allows a remote attacker to cause out‑of‑bounds writes when the renderer processes maliciously crafted content served via a web page. Public advisories list the issue as high severity and recommend immediate updates to patched Chrome builds. (cybersecurity-help.cz) (intruceptlabs.com)
What the bulletin says — concise summary
- Vulnerability: CVE‑2025‑10502 — Heap buffer overflow in ANGLE (CWE‑122). (cybersecurity-help.cz)
- Trigger: Processing of specially crafted HTML/WebGL content that exercises ANGLE code paths. (cybersecurity-help.cz)
- Affected upstream Chromium range (reported in public trackers): Chromium builds beginning at 140.0.7339.0 through roughly 140.0.7339.158 (the precise boundary is reported by multiple vulnerability trackers). (cybersecurity-help.cz)
- Patch: Google released a Stable channel update that includes the fix in Chrome 140.0.7339.185/.186 for Windows/macOS and 140.0.7339.185 for Linux. Users are urged to update immediately. (techradar.com)
- Exploit status: No public proof‑of‑concept or confirmed widespread exploitation of CVE‑2025‑10502 has been published as of the initial advisories; however, it was released alongside a separate actively exploited zero‑day in V8 (CVE‑2025‑10585), increasing urgency for patching. Treat public claims of exploitation for CVE‑2025‑10502 as unverified unless vendor or incident response teams publish evidence. (intruceptlabs.com)
Technical overview — how ANGLE buffer overflows become dangerous
What a heap buffer overflow means in this context
A heap buffer overflow occurs when code writes beyond the boundaries of a dynamically allocated buffer. In the ANGLE rendering code, this can happen when parsing or allocating GPU resource structures, translating shader or texture metadata, or processing complex WebGL state transitions. A crafted web page can exercise specific sequences of GL calls and resource lifetimes so that the renderer writes past an allocated buffer and corrupts adjacent heap memory. If attackers can influence the corruptible region and subsequent allocations (heap grooming), they may gain control over program flow or data used by privileged operations.
Why ANGLE defects matter more than typical DOM bugs
- ANGLE acts as a bridge to system GPU drivers; corrupted GPU state or driver interaction can broaden the attack surface beyond JavaScript engine bugs.
- Browser mitigations (sandboxing, ASLR, CFI) make exploitation harder, but low‑level graphics bugs historically have been used as stepping stones for reliable exploitation and sandbox escape.
- Some ANGLE defects can be triggered indirectly — for example, by thumbnailing, background rendering, or other non‑interactive content parsing — increasing exposure.
Typical exploitation chain (high level)
- Attacker crafts a web page with malicious WebGL/HTML payload designed to hit the ANGLE boundary condition.
- Victim navigates to or previews the page; browser hands untrusted content to ANGLE.
- Heap overflow corrupts nearby heap metadata or function pointers inside the renderer/GPU process.
- Using heap grooming and targeted overwrites, the attacker attempts to convert memory corruption into code execution in the renderer.
- If successful, the attacker may attempt to escalate via a second vulnerability or leverage insufficient sandboxing to reach the host. (intruceptlabs.com)
Affected products and versions
- Primary upstream: Google Chrome / Chromium. Public vulnerability trackers list affected Chromium builds from roughly 140.0.7339.0 up through 140.0.7339.158. Administrators should treat any Chromium binary in that range as vulnerable until patched. (cybersecurity-help.cz)
- Patched upstream releases: Chrome 140.0.7339.185/.186 (Windows/macOS) and 140.0.7339.185 (Linux) include the fix and are rolling out via the Stable channel. Organizations should confirm that endpoints have upgraded to these or later builds. (techradar.com)
- Downstream browsers: Microsoft Edge (Chromium‑based) and other Chromium derivatives (Brave, Opera, Vivaldi, Electron‑packaged apps) inherit the same underlying ANGLE code. Edge does not automatically receive upstream Chromium fixes until Microsoft ingests and ships the corresponding Chromium revision; Edge administrators must verify the Edge build they run contains Chromium ingestion that maps to Chrome 140.0.7339.185+. Microsoft records Chromium‑assigned CVEs in the Security Update Guide and updates Edge after internal ingestion and testing. (msrc.microsoft.com)
Important operational note: embedded or packaged Chromium binaries (for example, Electron apps, kiosks, or locked images) that do not auto‑update may remain vulnerable even after desktop browsers update. Inventory such binaries separately.
Vendor response timeline and what was released
Google pushed a Stable channel update on September 17–18, 2025 that included fixes for four high‑severity issues: a V8 zero‑day (CVE‑2025‑10585), two use‑after‑free bugs in WebRTC and Dawn (CVE‑2025‑10501 and CVE‑2025‑10500), and the ANGLE heap overflow (CVE‑2025‑10502). Google’s public release notes intentionally withhold detailed technical information for some bugs until the patch reaches a wide audience to reduce risk of immediate exploitation. The stable builds enumerated were 140.0.7339.185/.186 for Windows/macOS and 140.0.7339.185 for Linux. (techradar.com)
Microsoft’s public guidance for Edge follows the usual pattern: Chromium‑assigned CVEs are tracked in the Microsoft Security Update Guide once Microsoft ingests the Chromium changes and rolls them into Edge releases. Edge administrators should consult the Security Update Guide entry for CVE‑2025‑10502 and check edge://settings/help to confirm the local Edge version and the Chromium ingestion used by that build. (msrc.microsoft.com)
Risk assessment — who should worry most
- Home users: Moderate to high risk if running an unpatched Chrome build in the affected range. Update your browser now; the attack requires visiting a malicious page, but threat actors commonly weaponize browser bugs in drive‑by style attacks and malicious ads. (intruceptlabs.com)
- Enterprise fleets with delayed updates (image freezing, staged rollouts): High risk. Enterprises often have larger exposure due to a mixture of endpoints, legacy images, and embedded apps. Inventory, prioritize, and accelerate deployment to the most exposed user groups.
- Edge/Chromium derivative admins: Moderate to high risk until ingestion is confirmed. Edge will be safe only after Microsoft ingests the patched Chromium revision and publishes the corresponding Edge build. Do not assume immediate parity with Chrome; confirm ingestion and plan an out‑of‑band update if your organization requires it.
- Embedded Chromium (Electron apps, kiosks): High risk if pinned to vulnerable Chromium binaries. These are commonly overlooked in browser patch cycles and require separate patching steps.
Immediate actions — what every user and admin should do now
For home and small‑business users
- Update Chrome immediately: open Chrome → Settings → Help → About Google Chrome and allow the browser to download and install Chrome 140.0.7339.185/.186 (or newer) and restart. This is the single most effective mitigation. (techradar.com)
- If you use Microsoft Edge, check for updates at edge://settings/help. Confirm the Edge build’s Chromium ingestion once Microsoft has released its update. Do not assume Edge is patched simply because Chrome has been updated upstream. (msrc.microsoft.com)
- Consider temporarily disabling WebGL or hardware acceleration if you cannot patch immediately — this reduces ANGLE attack surface but may break WebGL‑dependent sites. Use this only as a short‑term compensating control.
For enterprise IT and security teams
- Inventory and prioritize:
  - Query deployed Chrome/Chromium and Edge versions across the fleet. Flag any installations older than Chrome 140.0.7339.185. Use existing management tools (WSUS, MECM, Intune, Jamf, or third‑party patch managers) to build a targeted patch plan.
  - Identify any Electron or embedded Chromium binaries in apps, kiosks, or images; these often need manual replacement or rebuild.
- Deploy and verify:
  - Stage the patched browser in a pilot group (to detect compatibility regressions with internal web apps, particularly WebGL content).
  - Push the update out-of-band for high‑priority endpoints (admins, remote access terminals, kiosks).
  - Verify post‑deployment by scanning inventory and confirming version numbers. Use vendor scanner plugins (Qualys, Tenable, Nessus) that incorporate the Chrome 140 advisory. (tenable.com)
- Hardening and compensating controls:
  - Enforce Enhanced Security Mode or site isolation features for high‑risk user groups.
  - Temporarily block untrusted or risky sites through web proxies, or restrict sensitive workstations to an allowlist of sites.
  - Ensure endpoint detection and response (EDR) sensors are updated to detect exploitation attempts and post‑exploit artifacts.
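The inventory and verification steps above can be scripted. The following is an added example, not part of the original advisory: a Python triage over a constructed inventory export. The CSV columns, hostnames, sample versions and the `FIXED_EDGE` placeholder are assumptions; only the 140.0.7339.185 boundary comes from the advisory.

```python
"""Triage a browser inventory export against the CVE-2025-10502 fix boundary."""
import csv
import io

# Fixed upstream build named in the advisory; anything older is flagged.
FIXED_CHROMIUM = (140, 0, 7339, 185)
# Assumption: filled in by the admin from the MSRC Security Update Guide entry.
# Left as None here because the advisory does not state the patched Edge build.
FIXED_EDGE = None

# Constructed sample export (hostnames and versions are made up for illustration).
SAMPLE_CSV = """host,product,version
ws-001,chrome,140.0.7339.185
ws-002,chrome,140.0.7339.99
ws-003,chrome,139.0.7000.1
ws-004,edge,140.0.1111.11
kiosk-01,embedded-chromium,140.0.7339.133
ws-005,chrome,unknown
"""


def parse_version(text):
    """Return a 4-tuple of ints, or None if the string is not a dotted quad."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdecimal() for p in parts):
        return None
    return tuple(int(p) for p in parts)


def classify(product, version_text):
    """Map one inventory row to patched / vulnerable / verify-ingestion / unknown."""
    version = parse_version(version_text)
    if version is None:
        return "unknown"  # unparseable rows need manual review, not a pass
    if product == "edge":
        # Edge uses its own build numbers, so compare only against an
        # Edge-specific boundary taken from Microsoft, never Chrome's.
        if FIXED_EDGE is None:
            return "verify-ingestion"
        return "patched" if version >= FIXED_EDGE else "vulnerable"
    # Chrome and embedded Chromium (e.g. the Chromium version an Electron
    # app bundles) report upstream build numbers, compared numerically.
    return "patched" if version >= FIXED_CHROMIUM else "vulnerable"


def triage(csv_text):
    """Return {host: status} for every row of the inventory export."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return {r["host"]: classify(r["product"], r["version"]) for r in rows}


if __name__ == "__main__":
    for host, status in triage(SAMPLE_CSV).items():
        print(f"{host:10} {status}")
```

Versions are compared as integer tuples because a plain string comparison would rank 140.0.7339.99 above 140.0.7339.185 and report a vulnerable host as patched.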
Microsoft Edge specifics: ingestion, testing, and verification
Microsoft’s Edge release process for Chromium‑assigned CVEs follows three broad steps: upstream Chromium fix → ingestion and internal testing by Microsoft → Edge build release. This means there is an operational lag between Google shipping a Chrome fix and Edge receiving the same fix in a supported Edge build. Microsoft publicly records Chromium CVEs in the Security Update Guide and administrators should confirm ingestion by checking the Edge build’s change log or the Security Update Guide entry for CVE‑2025‑10502. (msrc.microsoft.com)
Operational checklist for Edge admins:
- Check edge://settings/help to get the local Edge version.
- Compare the Edge version to the Microsoft ingestion evidence in the Security Update Guide for CVE‑2025‑10502. (msrc.microsoft.com)
- If your environment requires immediate parity with Google Chrome and Microsoft has not yet published a patched Edge build, consider temporary mitigations (restrict untrusted browsing, disable WebGL on high‑risk endpoints) while planning expedited ingestion once Microsoft releases the Edge update.
Wider implications: ANGLE, GPU drivers, and long‑term risk
ANGLE remains a recurring source of impactful security advisories for Chromium. Several past CVEs — heap overflows, use‑after‑free, and out‑of‑bounds writes — have originated in ANGLE or related graphics stacks, and these issues are notably attractive to advanced adversaries. The reasons include:
- The GPU path touches privileged driver code and can create complex attack surfaces not present in pure JavaScript bugs.
- Hardware diversity increases the chances that certain driver interactions will amplify a software bug into a more powerful exploit.
- Many web pages, ads, or platform features can trigger graphics decoding or rendering without explicit user interaction (thumbnailing, autoplay), increasing exposure vectors.
Verifiability and caveats
- Multiple independent vulnerability trackers and security vendors (Tenable, Qualys, AhnLab, Cybersecurity‑Help) corroborate the existence of CVE‑2025‑10502, its classification as a heap buffer overflow in ANGLE, and the Chrome builds that include the fix. Cross‑checks show Chrome’s stable release builds 140.0.7339.185/.186 as the remedial versions. These facts are supported by Google’s Stable Channel advisory and by mainstream security vendors’ bulletins. (cybersecurity-help.cz)
- The claim of active exploitation applies to a separate CVE in the same release set (CVE‑2025‑10585 in V8). As of initial reporting, CVE‑2025‑10502 has no confirmed PoC or published exploitation evidence. Treat exploitation status for CVE‑2025‑10502 as unverified unless future reporting from vendors or incident responders confirms active abuse. (intruceptlabs.com)
- Some public sources list a range of affected builds that vary slightly between trackers. Administrators should rely on vendor‑provided version boundaries where possible, but when vendor boundaries are not explicit, err on the side of caution and assume earlier builds in the same milestone line are vulnerable until patched. (cybersecurity-help.cz)
Recommended patch and mitigation playbook (concise)
- For all users: Update Chrome to 140.0.7339.185/.186 (Windows/macOS) or 140.0.7339.185 (Linux) and restart the browser immediately. (techradar.com)
- For Edge users: Check for Microsoft Edge updates and confirm the Edge build includes Chromium ingestion for the patched Chrome 140 release; if not yet ingested, apply compensating controls (disable WebGL on high‑risk endpoints, block untrusted sites). (msrc.microsoft.com)
- For enterprises:
  - Inventory browser versions and embedded Chromium binaries.
  - Stage and pilot patched builds, then accelerate rollout.
  - Update detection rules and network controls to monitor for exploitation indicators.
  - Patch Electron and other packaged apps that bundle Chromium.
Final analysis — strengths of the vendor response and residual risks
Google’s rapid release of a stable Chrome update that bundles multiple high‑severity fixes — including the ANGLE heap overflow — demonstrates a strong security posture for Chromium: prompt triage, targeted stable‑channel updates, and coordination with external vendors and trackers. The inclusion of a zero‑day fix (CVE‑2025‑10585) alongside the ANGLE patch increased urgency, and Google’s choice to withhold detailed exploit information until users received the update aligns with responsible disclosure practices. (techradar.com)
However, residual operational risk remains:
- Downstream lag: Chromium‑based browsers such as Microsoft Edge must ingest and test the Chromium changes before shipping; that lag creates a window where users of those browsers can remain exposed. Administrators must verify ingestion rather than assume parity.
- Embedded/pinned Chromium: Applications that embed a pinned Chromium binary (Electron apps, custom kiosks) are easy to overlook and may remain vulnerable after mainstream browsers are patched. These require special remediation workflows.
- Complex exploitability: While there is no public PoC for CVE‑2025‑10502 at publication, ANGLE bugs have historically been part of multi‑stage exploit chains. Treat the vulnerability as weaponizable and prioritize patching and detection.
Conclusion
CVE‑2025‑10502 is a high‑priority heap buffer overflow in ANGLE that has been addressed in Chrome’s 140.0.7339.185/.186 branch. Immediate action is straightforward for Chrome users — update to the patched Stable build and restart — but organizations must do more: validate Edge ingestion, inventory embedded Chromium instances, and apply compensating controls where immediate patching is impractical. Given the historical potency of ANGLE defects and the concurrent release of an actively exploited V8 zero‑day, treating this advisory as an urgent patching and verification task is the prudent security posture. (cybersecurity-help.cz)
Source: MSRC Security Update Guide - Microsoft Security Response Center