Chrome users are racing against active attackers after Google confirmed a newly patched vulnerability is already being exploited in the wild. Clues lead to Google’s WebGL engine.
Google has released an urgent security update for the Chrome browser, confirming that one of three newly patched vulnerabilities is already being exploited by attackers.
The vulnerability internally referenced as ID 466192044 carries a high-severity rating and has been observed being exploited in the wild.
In the release issued on December 10th, Google is still withholding key technical details, including the CVE identifier.
Who is exploiting the vulnerability, how widespread the exploitation is, or which user groups may be targeted also remains unknown. This is standard practice to prevent threat actors from reverse-engineering the fix during the disclosure process.
Google confirmed only that “an exploit for 466192044 exists in the wild,” and said further information will be released after coordination is complete.
As reported by Hacker News, a GitHub commit linked to the bug reveals that the issue lies within ANGLE, Google’s open-source engine library used to power WebGL and Open GL, used for rendering interactive 2D and 3D graphics directly in web browsers.
The commit message references a fix in ANGLE’s Metal backend, which suggests that the vulnerability could be a buffer overflow.
This type of vulnerability is caused by improper buffer sizing, a condition that can lead to memory corruption, browser crashes, or, in the worst-case scenario, arbitrary code execution.
Many vulnerabilities found in Chrome
This fix marks yet another addition to Chrome’s growing list of high-impact vulnerabilities addressed in 2025.
In June, Google patched a vulnerability in Chrome’s JavaScript engine, called V8. This vulnerability enabled “out of bounds read and write,” which means malicious code can peek at and edit memory it isn’t supposed to access. In March, Google patched another dangerous zero-day vulnerability affecting Mojo, an inter-process communication (IPC) system used internally by the Google Chrome browser. Before the patch was issued, the vulnerability had already been exploited by sophisticated threat actors in the wild, targeting Russian organizations.
According to Google’s Threat Intelligence Group report, last year, Google Chrome was the primary focus of browser zero-day exploitation, likely reflecting the browser's popularity among billions of users. Researchers note that North Korean threat actors exploited two zero-day vulnerabilities in Chrome in 2024.
Also, a watering hole attack targeting various Mongolian government websites used Chrome n-day exploits to exfiltrate users’ credentials. An n-day, different from a zero-day, means that a vulnerability is known and already has a patch or public disclosure, but hasn’t yet been fixed yet.
The Russia-backed group APT29 is among those suspected.
Unlock more exclusive Cybernews content on YouTube.
Your email address will not be published. Required fields are markedmarked