Global Current News

Chrome ANGLE flaw exposes devices to remote attacks

by Edwin O.
September 6, 2025
in Cybersecurity

Google has issued an immediate security update to the Chrome Stable channel to address a critical use-after-free vulnerability in the Chrome ANGLE graphics library that may enable attackers to run arbitrary code on vulnerable systems. The flaw, tracked as CVE-2025-9478, was reported on August 11, 2025 by Google's Big Sleep team. It affects Chrome on Windows, macOS, and Linux, and is triggered through malicious WebGL or Canvas operations that lead to memory corruption.

Critical vulnerability permits remote code execution

According to GBHackers, Google has published an urgent security patch to the Chrome Stable channel that fixes a severe use-after-free bug in the ANGLE graphics library that might enable attackers to run arbitrary code on susceptible systems. The fixes arrive as part of Chrome Stable versions 139.0.7258.154/.155 on Windows and macOS, and 139.0.7258.154 on Linux.

The bug, which was reported as CVE-2025-9478, was found by the Google Big Sleep team on August 11, 2025. It is located in the ANGLE component, which maps OpenGL ES functions to native graphics API functions on different platforms, and as such, it is a critical element in the rendering path in Chrome on both desktop and mobile platforms.

A malicious site taking advantage of this vulnerability may trigger a use-after-free condition, in which memory is still used after it has been freed. With a carefully crafted WebGL or Canvas operation, an attacker would be able to corrupt the browser's memory and execute remote code with the privileges of the current user.

Drive-by download scenarios pose a high security risk

As ANGLE is at the heart of Google Chrome's rendering engine on both desktop and mobile platforms, exploitation may be delivered as a drive-by download attack, in which a victim's Chrome is exploited merely by visiting a compromised or maliciously designed web page. A successful exploit can enable attackers to install malware, steal data, or move further into a corporate network.

This makes the vulnerability particularly risky for high-value targets and enterprise users, who might come across malicious content in the course of routine web browsing. The vulnerability is a serious security threat because it requires no user interaction other than visiting a malicious site.

Google's security team pushes quick fixes on all platforms

Google's security team is already shipping the fix in the latest Stable build, and users are encouraged to update now rather than wait for the automatic rollout, which will take place over the coming days and weeks. Administrators managing large deployments should push version 139.0.7258.154/.155 immediately.

Enterprise administrators should institute comprehensive security measures

For organizations with stringent change management processes, Chrome has an enterprise bundle along with MSI installers that enable offline or staged rollouts. Security teams should apply the principle of least privilege to keep the effects of a compromised browser process to a minimum, and should monitor proxy logs and endpoint logs for unusual WebGL or graphics API call patterns.
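To support a staged rollout, an inventory check can show which hosts are still below the fixed build. The following is an added example, not code from Google or from this article; the CSV layout, hostnames and sample versions are constructed, and it assumes only the Stable channel is being audited.

```python
import csv
import io
import re

# Fixed Stable builds named in the article: 139.0.7258.154/.155 on Windows and
# macOS, 139.0.7258.154 on Linux. The lowest fixed build is the same everywhere.
# Assumption: any later Stable build also carries the fix.
FIXED_BUILD = (139, 0, 7258, 154)

# Matches a four-part Chrome version anywhere in a string, e.g. the output of
# `google-chrome --version` ("Google Chrome 139.0.7258.154").
VERSION_RE = re.compile(r"(?<![\d.])(\d+)\.(\d+)\.(\d+)\.(\d+)(?![\d.])")


def parse_version(text):
    """Return the version as a 4-tuple of ints, or None if none is found."""
    match = VERSION_RE.search(text or "")
    return tuple(int(part) for part in match.groups()) if match else None


def classify(version_text):
    """Classify one reported version as 'patched', 'vulnerable' or 'unknown'."""
    version = parse_version(version_text)
    if version is None:
        return "unknown"  # unparseable data needs a human look, not a pass
    return "patched" if version >= FIXED_BUILD else "vulnerable"


def audit(inventory_csv):
    """Group hostnames by status from CSV rows of host,os,chrome_version."""
    report = {"patched": [], "vulnerable": [], "unknown": []}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        report[classify(row.get("chrome_version"))].append(row["host"])
    return report


# Constructed sample inventory (hypothetical hosts, not from the article).
SAMPLE_INVENTORY = """host,os,chrome_version
ws-001,windows,139.0.7258.155
ws-002,windows,139.0.7258.128
mac-014,macos,Google Chrome 139.0.7258.154
lnx-203,linux,138.0.7204.184
lnx-204,linux,140.0.7339.81
kiosk-7,windows,not installed
"""

if __name__ == "__main__":
    for status, hosts in audit(SAMPLE_INVENTORY).items():
        print(f"{status:10} {', '.join(hosts)}")
```

Hosts reported as unknown are kept separate from patched ones so that missing or malformed inventory data is never counted as compliant.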

Google continues to promote collaborative discovery by offering rewards for externally reported bugs, and the recognition of external researchers underlines the importance of public-private relationships in maintaining open-source projects. Although information about CVE-2025-9478 will be limited until most users have the update installed, the timely response is indicative of Google's concern about critical security vulnerabilities.

Chrome ANGLE CVE-2025-9478 is a critical security threat that needs immediate attention from all Chrome users and enterprise administrators. The speed with which Google is shipping fixes on Windows, macOS, and Linux indicates how serious the threat of remote code execution through graphics library vulnerabilities is in current web browsers.

© 2025 by Global Current News
