Chromium security teams patched a high‑severity use‑after‑free vulnerability in the ANGLE graphics translation layer, tracked as CVE‑2025‑9478, and every Windows and enterprise administrator who manages Chromium‑based browsers, including Microsoft Edge, should verify and deploy the fixes promptly to close a remotely reachable, web‑delivered attack path. (cvedetails.com) (tenable.com)

Background

ANGLE (Almost Native Graphics Layer Engine) is the cross‑platform component that translates WebGL and OpenGL ES calls into native graphics API calls (Direct3D on Windows, other APIs elsewhere). In Chrome, WebGL commands issued by a renderer are forwarded over the command buffer to the GPU process, where ANGLE executes them against the driver. Because ANGLE sits between untrusted web content (JavaScript and WebGL) and GPU drivers, memory‑safety bugs in ANGLE are attractive to attackers: they allow heap corruption in the GPU process, which talks directly to the driver and is sandboxed less tightly than a renderer, and when chained with other primitives they can yield a sandbox escape. The Chromium team classified this specific issue in ANGLE as a memory corruption use‑after‑free (CWE‑416), which can be triggered remotely via a crafted HTML page. (cvedetails.com) (security-tracker.debian.org)
Google released a stable‑channel update that includes the fix for CVE‑2025‑9478 as part of the Chrome 139 branch; independent trackers and security vendors list the affected versions as Chrome builds prior to 139.0.7258.154 and recommend upgrading to 139.0.7258.154 or later. (chromereleases.googleblog.com) (tenable.com)
Microsoft Edge, being Chromium‑based, inherits upstream Chromium fixes only after Microsoft ingests and ships the updated Chromium components. Microsoft publicly records Chromium‑assigned CVEs in its Security Update Guide and coordinates ingestion into Edge builds; administrators should confirm their Edge builds contain the Chromium 139 ingestion that corresponds to the Chrome fix.

What CVE‑2025‑9478 is (technical overview)​

The vulnerability at a glance​

  • Type: Use‑after‑free (CWE‑416) in the ANGLE component.
  • Trigger: Crafted HTML/WebGL content delivered via a web page.
  • Impact: Heap corruption that may lead to arbitrary code execution in the process hosting ANGLE (in Chrome, the GPU process, which executes WebGL commands forwarded from the renderer); because the GPU process is sandboxed less tightly than renderers, such bugs are typically chained as the sandbox‑escape stage of an exploit.
  • Affected upstream range: Google Chrome versions prior to 139.0.7258.154. (tenable.com) (cvedetails.com)
A use‑after‑free occurs when the program frees a memory object but later dereferences a stale pointer to that memory. In the ANGLE context, rendering and WebGL resource lifetimes are complex: a carefully crafted sequence of API calls or resource state transitions in a malicious page can free an object while other references remain, enabling an attacker to manipulate subsequent allocations and control the contents of the freed slot (heap grooming). If the corrupted memory is then used in a privileged operation, the result can be code execution inside the process hosting ANGLE. (security.snyk.io)

Why ANGLE bugs are high value​

ANGLE mediates between the browser and system GPU drivers. Graphics drivers operate in privileged contexts and are distinct across hardware vendors, making the attack surface rich and varied. Browser mitigations (sandboxing, ASLR, CFI) raise the bar for exploitation, but ANGLE bugs have historically been used to craft reliable exploitation chains because a compromised graphics path can interact with the OS and GPU driver in ways that pure JavaScript bugs cannot. That combination makes ANGLE an attractive target for attackers seeking remote code execution or sandbox escapes. (chromereleases.googleblog.com)

Timeline and vendor actions​

  • Google Chromium security teams assigned CVE‑2025‑9478 and released a Chrome stable update that includes the ANGLE fix. The Chrome Releases notices for the 139 branch record security patches in the stable channel update series. (chromereleases.googleblog.com)
  • Public vulnerability aggregators (Tenable, CVE Details, Debian security tracker, CVE‑related portals) published entries that list the affected versions and mark the issue as high/critical severity, advising upgrades to the patched 139.0.7258.154+ builds. (tenable.com) (cvedetails.com) (security-tracker.debian.org)
  • Microsoft documents Chromium‑assigned CVEs in the Security Update Guide and updates Edge downstream as soon as ingestion and internal testing are complete; Edge administrators must confirm the specific Edge build they run.
Cross‑verification of the key facts — the nature of the bug, affected version boundary, and the availability of a Chrome update — is present across the Chrome Releases advisory and independent trackers, which aligns with responsible disclosure practices where technical exploit details are intentionally limited until many users receive the fix. (chromereleases.googleblog.com) (tenable.com)

Who is affected​

  • Desktop users running Google Chrome versions older than 139.0.7258.154. (tenable.com)
  • Users of Chromium‑based browsers (Microsoft Edge, Brave, Opera, Vivaldi, etc.) until each vendor ingests and ships the Chromium 139 fix within their own release.
  • Embedded and packaged applications that include a pinned Chromium binary (for example, Electron apps) that do not auto‑update. These can be overlooked in standard browser patching workflows. (security-tracker.debian.org)
  • Enterprises that manage browser fleets and delay rollouts through staged testing and image freezing. These are the highest‑risk groups because a malicious or compromised site can fingerprint the visiting browser's version from its User‑Agent and JavaScript environment and serve the exploit only to builds it knows are unpatched.

Exploitability and public evidence​

At the time of the Chrome stable release and the initial public advisories, mainstream trackers and vendor posts do not list a public proof‑of‑concept exploit tied to CVE‑2025‑9478. Security vendors commonly withhold exploit details until the majority of users receive patches to reduce the chance of rapid weaponization. However, ANGLE vulnerabilities have been exploited in real campaigns in prior years, and use‑after‑free bugs of this class are historically attractive to sophisticated adversaries. Treat any claim of active exploitation as unverifiable until vendors or incident responders publish evidence. (tenable.com)
Key operational facts for defenders:
  • Attack vector: Network — a remote attacker can host a malicious web page that triggers the vulnerability when visited. (cybersecurity-help.cz)
  • Required user action: Visiting or rendering malicious content (no additional local privilege required). (tenable.com)
  • Public exploit status: No confirmed public exploit at publication; absence of a public PoC does not mean the risk is theoretical. Treat the vulnerability as weaponizable and prioritize patching. (tenable.com)

Mitigation and recommended actions​

Immediate actions for home users and administrators (in order of priority):
  • Update Google Chrome to the latest stable release and confirm the version is 139.0.7258.154 or newer. Use chrome://settings/help to force an update and relaunch. (tenable.com)
  • For Microsoft Edge users, update Edge to the latest available build and confirm that the version is at or above the fixed Edge build Microsoft lists for CVE‑2025‑9478 in the Security Update Guide. Edge's major version tracks the Chromium major version, but its build and patch numbers are Microsoft's own, so do not compare an Edge version string against 139.0.7258.154. Check edge://settings/help to force the update.
  • Restart the browser after updating and, where practical, reboot critical endpoints to ensure all browser processes run the patched binary.
Short‑term compensating controls (use only if immediate patching is not possible):
  • Temporarily disable WebGL in browsers where business needs allow (in Chrome this is the Disable3DAPIs enterprise policy). Turning off hardware acceleration alone is not enough: Chrome then renders WebGL in software through SwiftShader, which still runs as an ANGLE backend, so the vulnerable code stays reachable. Disabling WebGL reduces the ANGLE attack surface but may break web apps that depend on GPU rendering; it is a blunt, temporary control, not a substitute for the vendor patch.
  • Enable Edge’s Enhanced Security Mode for high‑risk user groups to reduce exposure to untrusted content.
  • Limit access to risky or unvetted web destinations through web proxy or URL filtering for critical or admin workstations until patching completes.
Enterprise patching checklist (concise, actionable):
  • Inventory: Identify endpoints running Chrome versions older than 139.0.7258.154 and locate any Chromium embeds (Electron apps, kiosks). (security-tracker.debian.org)
  • Test: Validate the updated browser build against internal web apps, particularly WebGL‑heavy content, to detect compatibility regressions.
  • Stage: Pilot the patched build to a small group, then expand to production on an accelerated schedule.
  • Deploy: Use your management infrastructure to push the updated builds. Edge ships through Windows Update/WSUS, MECM or Intune; Chrome is distributed via its enterprise MSI and Google Update policies or a third‑party patching tool.
  • Verify: Use vulnerability scanners and inventory queries to confirm no remaining endpoints report older versions. Vulnerability scanner vendors already published plugins mapping to the Chrome advisory.
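The inventory and verify steps above hinge on comparing version strings correctly, and on not silently passing products whose fixed build is unknown. The following is an added example, not code from the advisory or from any vendor tool: it triages a constructed inventory export (host, product, reported version) against the Chrome fix boundary from the advisory, treats Electron apps as the Chromium version they embed, and deliberately leaves the Edge fixed build unset so that Edge records are reported as "verify" until the value is filled in from the MSRC entry. The hostnames and version strings below are constructed for the example.

```python
"""Triage a browser inventory against the CVE-2025-9478 fix boundary.

Added example, not part of the original advisory. Assumes a flat inventory
export of (host, product, reported version) records such as an MDM or
vulnerability scanner would produce; the records below are constructed.
"""

# Chrome fix boundary, from the advisory.
CHROME_FIXED = "139.0.7258.154"

# Product -> first fixed version. Electron apps report their embedded Chromium
# version (process.versions.chrome), so they compare against the Chrome
# boundary. Edge is deliberately None: its build numbers are Microsoft's own
# and do not map onto 139.0.7258.154; fill this in from the MSRC entry.
FIXED_VERSIONS = {
    "chrome": CHROME_FIXED,
    "electron-chromium": CHROME_FIXED,
    "edge": None,
}


def parse_version(text):
    """Turn '139.0.7258.154' into (139, 0, 7258, 154).

    Tuples compare numerically per segment. Plain string comparison ranks
    '139.0.7258.66' above '139.0.7258.154' because '6' > '1', which would
    mark an older patch level as fixed.
    """
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a Chromium-style version: {text!r}")
    return tuple(int(p) for p in parts)


def is_patched(reported, fixed):
    """True if the reported version is at or above the fixed version."""
    return parse_version(reported) >= parse_version(fixed)


def classify(product, reported):
    """Return 'patched', 'vulnerable', 'verify' or 'unknown' for one record."""
    fixed_map_key = product.lower()
    if fixed_map_key not in FIXED_VERSIONS:
        return "unknown"          # not a Chromium product we track here
    fixed = FIXED_VERSIONS[fixed_map_key]
    if fixed is None:
        return "verify"           # fixed build not known: never silently pass
    try:
        return "patched" if is_patched(reported, fixed) else "vulnerable"
    except ValueError:
        return "unknown"          # malformed version string from the agent


def triage(inventory):
    """Group (host, product, version) records by status."""
    out = {"patched": [], "vulnerable": [], "verify": [], "unknown": []}
    for host, product, version in inventory:
        out[classify(product, version)].append((host, product, version))
    return out


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = [
    ("ws-0101", "chrome", "139.0.7258.154"),           # exactly the fix boundary
    ("ws-0102", "chrome", "139.0.7258.66"),            # same branch, older patch level
    ("ws-0103", "chrome", "140.0.7300.10"),            # later branch, contains the fix
    ("ws-0104", "chrome", "138.0.7204.10"),            # earlier branch
    ("kiosk-07", "electron-chromium", "128.0.6000.0"), # pinned Electron embed
    ("ws-0105", "edge", "139.0.3000.1"),               # needs MSRC fixed build
    ("ws-0106", "firefox", "128.0"),                   # not in scope
]

if __name__ == "__main__":
    for status, records in triage(SAMPLE_INVENTORY).items():
        print(status, [host for host, _, _ in records])
```

Feed the output of `triage` into whatever ticketing or reporting you already use; the "verify" bucket is the one most often lost in fleet reports, because a string comparison against the Chrome boundary would quietly mark every Edge 139 build as fixed.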

Detection and monitoring guidance​

Because ANGLE exploitation attempts often crash the GPU process (or the renderer driving it) during probing and early weaponization, defenders should focus on crash telemetry and process anomalies:
  • Monitor for spikes in renderer or GPU process crashes and correlate with web proxy logs to identify common referring pages. A sudden cluster of crashes from multiple hosts following visits to the same domains is suspicious.
  • Tune EDR/anti‑malware rules to flag browser processes spawning unusual child processes or attempting persistence-related actions following a crash. Collect memory and crash dumps for forensic analysis to assist incident responders.
  • Use version‑based scanning in vulnerability management tools (Nessus, Tenable, Qualys, Rapid7) to identify remaining pre‑patch Chrome/Chromium builds. These vendors already released detection plugins keyed to the Chrome 139 advisory.
If an organization suspects exploitation, preserve volatile memory and process dumps immediately; heap state in the GPU process, together with JIT and heap state in the renderer that fed it, provides critical artifacts for reconstructing an ANGLE exploitation chain.
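The first bullet above describes the correlation to run but not how to run it. Here is an added example, not code from the advisory or from any EDR or proxy vendor, that joins constructed crash telemetry with constructed proxy log lines, attributes each crash to the domains the same host visited in the preceding minute, and reports only domains that precede crashes on several distinct hosts. The log formats (timestamp, host, process type / destination domain) are assumptions chosen for the example; adapt the parser to your crash feed and proxy export.

```python
"""Correlate browser crash telemetry with proxy logs to find suspect pages.

Added example, not from the original advisory. Both log formats are
constructed for the example; field order is an assumption.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed crash telemetry: ISO time, host, crashing process type.
CRASH_LOG = """\
2025-08-27T09:01:12Z ws-0102 gpu-process
2025-08-27T09:03:40Z ws-0104 renderer
2025-08-27T09:04:02Z ws-0109 gpu-process
2025-08-27T11:15:00Z ws-0102 renderer
2025-08-27T14:20:33Z ws-0120 gpu-process
"""

# Constructed proxy log: ISO time, host, destination domain.
PROXY_LOG = """\
2025-08-27T09:00:55Z ws-0102 cdn.example-news.test
2025-08-27T09:01:00Z ws-0102 ads.example-tracker.test
2025-08-27T09:03:20Z ws-0104 ads.example-tracker.test
2025-08-27T09:03:50Z ws-0109 ads.example-tracker.test
2025-08-27T11:14:30Z ws-0102 intranet.corp.test
2025-08-27T14:19:50Z ws-0120 video.example-media.test
"""

# A crash is attributed to a visit only if it follows the visit within WINDOW.
WINDOW = timedelta(seconds=60)


def parse_lines(text):
    """Parse 'timestamp host value' lines into (datetime, host, value) tuples."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, value = line.split()
        rows.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), host, value))
    return rows


def suspect_domains(crash_text, proxy_text, window=WINDOW, min_hosts=2):
    """Map domain -> set of hosts that crashed within `window` after visiting it.

    Only domains seen before crashes on at least `min_hosts` distinct hosts are
    returned: one host crashing after one site is noise, while the same site
    preceding crashes on several hosts is the cluster worth investigating.
    """
    visits = defaultdict(list)            # host -> [(visit time, domain)]
    for ts, host, domain in parse_lines(proxy_text):
        visits[host].append((ts, domain))

    hits = defaultdict(set)               # domain -> {hosts that crashed after it}
    for crash_ts, host, _process in parse_lines(crash_text):
        for visit_ts, domain in visits[host]:
            if timedelta(0) <= crash_ts - visit_ts <= window:
                hits[domain].add(host)

    return {d: hosts for d, hosts in hits.items() if len(hosts) >= min_hosts}


if __name__ == "__main__":
    for domain, hosts in sorted(suspect_domains(CRASH_LOG, PROXY_LOG).items()):
        print(f"{domain}: crashes on {len(hosts)} hosts -> {sorted(hosts)}")
```

On the constructed data only `ads.example-tracker.test` survives the `min_hosts` filter, which is the shape of signal the guidance above calls suspicious; the single‑host hits (a news CDN, an intranet site, a video host) are kept only if `min_hosts=1` is passed for triage. In production, widen `window` to cover the time a page stays open, and filter the crash feed to the GPU and renderer process types before correlating.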

Microsoft Edge: ingestion model and enterprise implications​

Microsoft Edge does not independently write fixes for Chromium engine bugs; instead, Edge ingests upstream Chromium changes and ships them in new Edge builds after internal testing. This model provides fast propagation of upstream fixes but introduces a downstream window while Microsoft validates and packages the ingestion. Microsoft records Chromium‑assigned CVEs in its Security Update Guide and communicates ingestion status through Edge release notes and the MSRC portal. Administrators should:
  • Confirm Edge’s reported version at edge://settings/help and cross‑reference Microsoft’s update advisories to ensure the Chromium 139 ingestion is present.
  • Treat Edge builds that predate the ingestion as vulnerable even though Microsoft is tracking the CVE in its portal; the real mitigation is a release that includes the upstream fix.
  • Include managed Edge updates in enterprise patch windows and, for high‑risk cohorts (remote access admins, helpdesk), consider an expedited update wave.

Critical analysis — strengths, weaknesses, and residual risk​

What was handled well​

  • Rapid upstream patching: Chromium’s open development model allowed the Chromium team to triage and fix the ANGLE use‑after‑free and roll the remedy into a stable Chrome release quickly. The Chrome Releases log and multiple third‑party trackers reflect a coordinated response. (chromereleases.googleblog.com) (tenable.com)
  • Broad ecosystem visibility: Public vulnerability trackers (Tenable, Debian, CVE Details) and enterprise scanner vendors promptly indexed the CVE, giving administrators the information needed to automate detection and remediation. (tenable.com) (security-tracker.debian.org)

Where risks remain​

  • Ingestion and distribution lag: Downstream vendors, embedded Chromium instances, and organizations with slow controlled rollouts create a window of exposure. The ingestion model helps long‑term but does not eliminate short‑term disparities between Chrome patch availability and protected Edge/embedded apps.
  • Limited public technical detail: Responsible disclosure means precise exploit triggers and call traces are withheld until most users are patched. That reduces immediate weaponization but leaves defenders with high‑level indicators and version checks only. This complicates deep detection and therefore requires reliance on telemetry and process crash signals.
  • Embedded and frozen Chromium builds: Electron apps and other embedded Chromium binaries often do not auto‑update and can remain vulnerable for long periods, providing attractive targets for opportunistic attackers. These hidden attack surfaces are harder to inventory and patch. (security-tracker.debian.org)

Likelihood of exploitation​

While no public PoC was circulating when the fixes were published, the nature of ANGLE and driver interaction means that skilled exploit developers can weaponize such UAF bugs — historically this has occurred. For critical environments, treat CVE‑2025‑9478 as high‑priority and assume that a working exploit is feasible until proven otherwise. (tenable.com)

Practical, prioritized checklist (quick reference)​

  • Update Chrome to 139.0.7258.154+ and relaunch. (tenable.com)
  • Update Edge and confirm the Chromium 139 ingestion is present. Use edge://settings/help to confirm.
  • Scan your environment for older Chrome/Chromium versions and pinned Chromium embeds with vulnerability scanning tools.
  • Temporarily disable WebGL on high‑risk endpoints where update rollout will be delayed (disabling hardware acceleration alone leaves software‑rendered WebGL on the ANGLE path).
  • Monitor crash telemetry, proxy logs, and EDR alerts for unexplained renderer/GPU crashes correlated with web visits. Preserve forensic artifacts if suspicious.

Conclusion​

CVE‑2025‑9478 is a significant use‑after‑free in ANGLE that can be triggered by crafted web content and has been fixed in the Chromium 139 stable release stream. Its presence in the graphics translation layer makes it a serious risk for remote compromise of browser processes and a potential pivot point to the OS via driver interactions. The defensive playbook is straightforward and time‑sensitive: verify browser versions, deploy the Chrome/Edge updates that include the Chromium 139 fixes, and apply short‑term mitigations only where immediate patching is impossible. Use telemetry and vulnerability scanners to confirm remediation across all endpoints — especially embedded Chromium instances that do not automatically update. The cost of rapid patching and monitoring is small compared with the potential impact of a successful browser compromise in an enterprise environment. (cvedetails.com) (tenable.com)


Source: MSRC Security Update Guide - Microsoft Security Response Center