
Google patched Chrome’s eighth actively exploited zero-day vulnerability on December 11, marking a concerning pattern in 2025. The latest flaw, CVE-2025-14174, affects the ANGLE graphics library with a CVSS score of 8.8 and was already being exploited by suspected government-backed attackers when the emergency patch dropped. With 3.45 billion Chrome users worldwide, this isn’t just a security update.
Eight Zero-Days This Year: The Pattern Is Clear
Here’s what 2025 looks like for Chrome security: eight actively exploited zero-days targeting the V8 JavaScript engine (62%) and ANGLE graphics (25%). Type confusion vulnerabilities dominated with four instances, all discovered by Google’s Threat Analysis Group and Apple’s security team, teams that specifically hunt nation-state actors.
The timeline tells the story. CVE-2025-2783 in March (Mojo on Windows), CVE-2025-4664 in May (account takeover), three V8 type confusion bugs between June and November, and two ANGLE vulnerabilities. Every single one was exploited before Google could patch it.
V8 powers Chrome, Node.js, Electron apps, Edge, and Brave. One vulnerability doesn’t affect one product—it affects an entire ecosystem. Security researchers call it “aiming at the entire beehive”. The bees aren’t doing great.
CVE-2025-14174: Out-of-Bounds ANGLE Exploit
The December zero-day targets ANGLE (Almost Native Graphics Layer Engine), Chrome’s cross-platform graphics abstraction layer. The bug is a buffer overflow in ANGLE’s Metal renderer where memory calculations can be smaller than actual image height, leading to arbitrary code execution from a malicious webpage.
Apple’s Security Engineering team and Google TAG reported it on December 5. Google patched it on December 11, a six-day turnaround. CISA added it to the Known Exploited Vulnerabilities catalog on December 12, with a federal agency deadline of January 2, 2026.
Why Chrome Is a Zero-Day Magnet
Chrome owns 65-73% of the browser market—3.45 billion users worldwide. If you’re an attacker with resources, Chrome is the obvious target. Find one V8 vulnerability, and you’ve got potential access to billions of devices.
V8 is Chrome’s Achilles’ heel. It’s a JIT-compiled JavaScript engine optimized for performance, not security. Performance optimizations bypass type checks. Dynamic JavaScript creates edge cases. The result: type confusion vulnerabilities that historically chain into sandbox escapes. Five of eight 2025 Chrome zero-days targeted V8.
The browser monoculture amplifies everything. Edge, Brave, Opera: all Chromium-based browsers inherit Chrome’s vulnerabilities. When 73% of users are on Chromium-based browsers, you’re looking at a single point of failure for most of the internet.
Government-Backed Attacks: Not Speculation
When Google TAG discovers a vulnerability, it’s not academic research. TAG specifically tracks nation-state actors and commercial spyware vendors. When Apple’s security team co-discovers with TAG, you’re looking at coordinated cross-platform attacks.
North Korea exploited two Chrome zero-days in 2025 targeting fintech and crypto firms. Five zero-days in 2024 were attributed to China-backed groups. Russia was linked to the March 2025 exploit. Google’s 2024 analysis showed traditional espionage actors accounted for 53% of zero-day exploitation.
Clément Lecigne from Google TAG discovered three of the eight 2025 Chrome zero-days. The people finding these vulnerabilities are the same people tracking government hackers.
Update Chrome Immediately
If you’re running Chrome before version 143.0.7499.109 (or .110 on Windows/Mac), you’re vulnerable to active exploitation right now.
Open Chrome, click the three dots menu, go to Help > About Google Chrome. It’ll auto-check and download the update. Click “Relaunch.” To verify your version, type chrome://version/ in the address bar.
Enterprise IT teams face a CISA mandate. Federal agencies have until January 2, 2026. Corporate networks should be pushing this update now. Chromium-based browsers like Edge and Brave are also affected; check vendor advisories.
Auto-updates don’t protect you if you never restart your browser. Chrome downloads patches in the background, but they don’t apply until you relaunch. That gap is where attackers operate.
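For fleet triage, the relaunch gap described above can be checked directly. This is an added example, not code from Google or the article: it compares both the installed and the running build against the patched versions the article names, and separates hosts that still need a restart from hosts that are unpatched. The inventory fields (`installed`, `running`, `platform`) and host names are constructed, and treating .110 as the floor on Windows/Mac is an assumption about how the article's thresholds apply per platform.

```python
# Added example; inventory fields and host names are constructed, not from the article.
# Floors follow the article's figures: .109, with .110 assumed as the floor on Windows/Mac.
PATCHED_FLOOR = {
    "linux": (143, 0, 7499, 109),
    "windows": (143, 0, 7499, 110),
    "mac": (143, 0, 7499, 110),
}

def parse_version(text):
    """Turn '143.0.7499.109' into (143, 0, 7499, 109) so builds compare numerically."""
    parts = str(text).strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a four-part Chrome version: {text!r}")
    return tuple(int(p) for p in parts)

def classify(record):
    """Return 'patched', 'pending-relaunch', 'vulnerable' or 'unknown' for one host."""
    floor = PATCHED_FLOOR.get(str(record.get("platform", "")).lower())
    if floor is None:
        return "unknown"
    try:
        installed = parse_version(record["installed"])
        running = parse_version(record["running"])
    except (KeyError, ValueError):
        return "unknown"
    if running >= floor:
        return "patched"
    # The update is on disk, but the old build is still the one executing.
    if installed >= floor:
        return "pending-relaunch"
    return "vulnerable"

def triage(inventory):
    """Group host names by status."""
    groups = {}
    for record in inventory:
        groups.setdefault(classify(record), []).append(record["host"])
    return groups

# Constructed sample inventory.
SAMPLE = [
    {"host": "ws-01", "platform": "windows", "installed": "143.0.7499.110", "running": "143.0.7499.110"},
    {"host": "ws-02", "platform": "windows", "installed": "143.0.7499.110", "running": "143.0.7499.41"},
    {"host": "lx-03", "platform": "linux", "installed": "143.0.7499.99", "running": "143.0.7499.99"},
    {"host": "mac-04", "platform": "mac", "installed": "142.0.7000.1", "running": "142.0.7000.1"},
    {"host": "kiosk-05", "platform": "linux", "installed": "143.0.7499.109", "running": "n/a"},
]

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE).items():
        print(f"{status}: {', '.join(hosts)}")
```

Versions are compared as integer tuples because a plain string comparison would rank build .99 above .109 and report `lx-03` as patched.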
What’s Next: Expect More of the Same
Chrome’s zero-day count has stabilized around 8-10 per year since 2021’s peak of 15. We’re on track for similar numbers in 2026. V8 will remain the primary target until Google fundamentally redesigns its architecture.
Google’s response time is improving (six days for CVE-2025-14174), but that doesn’t matter when exploits are already in the wild before discovery. The real problem is the cat-and-mouse game between Chrome’s complexity and the resources nation-state actors are throwing at it.
Browser security is national security. CISA says so. The pattern of government-backed exploitation says so. Update your browser. Enable auto-updates. And rethink the wisdom of having 73% of the internet running on one codebase.











