Google has rushed out a fix for a high‑severity memory corruption flaw in Chrome’s ANGLE graphics layer, and Microsoft has now incorporated the same fix into its Edge browser. The vulnerability, catalogued as CVE‑2025‑10502, could allow an attacker to hijack a vulnerable system simply by luring a victim to a malicious website. Both companies are urging users to update immediately.

The vulnerability at a glance

The bug is a heap buffer overflow in ANGLE (Almost Native Graphics Layer Engine), an open‑source component that translates WebGL and other GPU‑related APIs into instructions the system’s hardware drivers can understand. Because ANGLE processes untrusted web content and sits close to the GPU, memory safety slip‑ups in its code can quickly escalate into remote code execution — potentially even escaping the browser’s sandbox.

According to the Google Chromium team, the flaw originates from a boundary error that can be triggered when a malicious page feeds specially crafted HTML or WebGL content to the renderer. Out‑of‑bounds writes can corrupt nearby heap memory, opening the door to control of the renderer process.

The fix arrives as part of a broader Stable channel update that also addresses an actively exploited zero‑day in the V8 JavaScript engine (CVE‑2025‑10585) and two use‑after‑free bugs in WebRTC and Dawn. These are all high‑severity issues, and their simultaneous release makes patching urgent.

Which versions are vulnerable?

Chromium‑based browsers that haven’t yet been updated are at risk. Public trackers indicate that the flawed code is present in Chromium builds from approximately 140.0.7339.0 up through 140.0.7339.158.

Patched Chrome builds:
- Windows and macOS: 140.0.7339.185 (also stamped .186 for some channels)
- Linux: 140.0.7339.185

Microsoft has confirmed that the latest release of its Edge browser is no longer vulnerable to CVE‑2025‑10502. The company tracks Chromium‑assigned CVEs in its Security Update Guide, and the entry for this bug states that “the latest version of Microsoft Edge (Chromium‑based) is no longer vulnerable.” Unless you have deliberately blocked browser updates, your Edge should already have the fix.

How the bug works

A heap buffer overflow in ANGLE can happen when the rendering code writes beyond the boundaries of a dynamically allocated buffer. Attackers can craft a web page that executes a precise sequence of WebGL commands — allocating textures, shaders, or buffer objects — so that ANGLE incorrectly calculates the size of a write and scribbles over adjacent heap data. By carefully shaping the heap (a technique known as heap grooming), the attacker may replace function pointers or other critical data and hijack the control flow of the renderer process.

While modern browsers deploy multiple defenses — sandboxing, address space layout randomization (ASLR), control flow integrity (CFI) — graphics‑layer bugs have historically been prized by sophisticated adversaries. A reliable ANGLE exploit could be chained with a second vulnerability to break out of the sandbox and execute arbitrary code on the underlying operating system.

Who should worry

  • Home users: If you run an unpatched Chrome or Edge build, your risk is moderate to high. The attack requires visiting a malicious page, but drive‑by downloads, poisoned ads, and even compromised legitimate sites are common delivery mechanisms.
  • Enterprise fleets: Organizations that delay browser updates or use legacy images are especially exposed. A single unpatched endpoint can serve as a foothold for an attacker.
  • Admins of Electron and embedded Chromium apps: Many desktop applications bundle a fixed Chromium version. These are often overlooked during patch cycles and will stay vulnerable until the application vendor ships an update.
  • Users of other Chromium‑based browsers: Brave, Opera, Vivaldi, and similar browsers inherit the same ANGLE code. Confirm that your browser has adopted the patched Chromium revision; the version number alone may not reflect the embedded Chromium build.

The timing: a double‑header update

On September 17–18, 2025, Google shipped a Stable channel update containing fixes for four high‑severity bugs. The company’s release notes withhold technical specifics until the patch reaches a wide audience, but the list includes:

  • CVE‑2025‑10585 (V8) — actively exploited zero‑day
  • CVE‑2025‑10501 (WebRTC) — use‑after‑free
  • CVE‑2025‑10500 (Dawn) — use‑after‑free
  • CVE‑2025‑10502 (ANGLE) — heap buffer overflow

Microsoft’s ingestion process for Edge follows three steps: upstream Chromium fix → internal testing and integration → Edge release. The Microsoft Security Response Center (MSRC) has now published the CVE and confirmed that the patched Edge build is available. The lag between Google’s Chrome update and Edge’s is normal, but this time it appears to have been brief.

Updating Chrome

Updating Google Chrome is straightforward and takes about a minute:

  1. Click the three‑dot menu in the top‑right corner.
  2. Go to HelpAbout Google Chrome.
  3. The browser will check for updates and start downloading automatically. If you see version 140.0.7339.185 or higher, you’re safe.
  4. Click Relaunch to finish the update.

If you cannot update right away, consider disabling WebGL as a short‑term stopgap:
- Type chrome://settings in the address bar.
- Search for “hardware acceleration” and toggle the setting off. This forces Chrome to use a software renderer and bypasses most ANGLE code paths. Note that this will degrade performance on graphics‑heavy websites.

Updating Microsoft Edge

Microsoft Edge users should also verify they are running a patched build:

  1. Type edge://settings/help in the address bar.
  2. Edge will automatically check for updates and install any that are available.
  3. After the update, restart the browser.

Because Microsoft now lists CVE‑2025‑10502 in the Security Update Guide as resolved, any recent Edge build should contain the fix. If your organization uses group policies to delay updates, you may need to accelerate this particular patch; consult your IT team.

For IT administrators

Enterprise environments need a more structured approach:

Inventory and assess
- Use Microsoft Endpoint Configuration Manager, Intune, Jamf, or third‑party patch management tools to discover all Chrome and Edge installations.
- Look for versions older than Chrome 140.0.7339.185. Pay special attention to virtual desktop images, kiosk machines, and remote‑access terminals.
- Identify any Electron‑based or embedded Chromium applications. These typically have their own update channels; check vendor websites for advisories.

Deploy and verify
- Pilot the update in a test group to catch any regressions with internal web apps that rely heavily on WebGL.
- Push the update out of band to high‑risk endpoints. Both Chrome and Edge support managed deployment via administrative templates and MSI installers.
- After deployment, scan the fleet again to confirm that all browsers are at the remedial build or later.

Compensating controls
- If patching must be delayed, enforce Enhanced Security Mode (Microsoft Edge) or enable Strict Site Isolation. These features can contain the blast radius of a renderer compromise.
- Use web proxies or DNS filtering to block access to risky categories (newly registered domains, known malicious sites) for unpatched machines.
- Ensure endpoint detection and response (EDR) signatures are up to date; they may detect the unusual WebGL patterns associated with an exploitation attempt.

The bigger picture: ANGLE’s spotty track record

ANGLE has been a recurring source of severe Chromium vulnerabilities. In recent years, multiple high‑impact bugs — heap overflows, use‑after‑free errors, out‑of‑bounds writes — have originated in the graphics translation layer. Security researchers and advanced persistent threat (APT) groups prize these flaws because they touch privileged GPU driver code and can be exploited in ways that pure JavaScript engine bugs cannot.

Why are ANGLE bugs so attractive?
- The attack surface is large and complex, spanning multiple hardware platforms and driver versions.
- WebGL content can be triggered without direct user interaction, for example through ads, image thumbnailing, or background rendering.
- A successful exploit can lead to sandbox escape more easily than a typical DOM bug, because the GPU process often has wider system access.

Browser vendors are investing heavily in memory‑safety improvements (fuzzers, sanitizers, hardened allocators) and architectural changes that isolate the GPU process more strictly. Still, until the entire rendering pipeline can be written in memory‑safe languages, vulnerabilities like CVE‑2025‑10502 will continue to appear.

What to do now — a quick checklist

Audience Action
Home user (Chrome) Update to Chrome 140.0.7339.185/.186 via Help → About Google Chrome
Home user (Edge) Update Edge via edge://settings/help
Enterprise IT Inventory all Chromium‑based browsers, prioritize patching, verify Edge ingestion
Embedded app owner Check with software vendor for a Chromium update; rebuild custom images if needed
All users Enable auto‑update and consider disabling WebGL if you can’t patch immediately

What’s next

Google and Microsoft are likely to keep specifics of the ANGLE heap overflow under wraps for a few more days to give users time to patch. Security researchers will eventually publish technical analyses that reveal the exact trigger, which could lead to proof‑of‑concept code. Although no public exploit for CVE‑2025‑10502 has yet been spotted, the fact that an actively exploited V8 zero‑day was shipped in the same update batch means attackers are actively probing the browser’s defenses. Keep an eye on the MSRC and Chrome release blogs for any late‑breaking updates, and don’t let this patch sit in your queue.