WebKit/ANGLE Memory Corruption CVE-2025-14174

Targeted Sectors

·         High-Value Individuals

·         Government

·         Finance

·         Critical Infrastructure

·         Technology and Software Development

Associated Threat Actor Profiles

Apple described the in-the-wild activity as an "extremely sophisticated attack against specific targeted individuals", and public reporting attributes that profile to commercial spyware vendors and nation-state-level operations; no operator has been named. These actors typically target:

·         Human rights activists and journalists.

·         Political dissidents.

·         Government officials and diplomatic personnel.

·         Corporate executives in sensitive industries.

Targeted Countries

·         Global

BLUF

An out-of-bounds read and write in ANGLE, the graphics library that implements WebGL for WebKit and Chromium-based browsers (Chrome, Edge), is being actively exploited via crafted web content to execute arbitrary code inside the browser process that hosts ANGLE.

Date of First Reported Activity

·         The issue was reported to Google on December 5, 2025 (the report date credited in the Chrome release note); the Chrome fix shipped on December 10, 2025.

Date of Last Reported Activity Update

·         December 16, 2025.

CVE-2025-14174

Out-of-bounds memory access in ANGLE

CVSS:3.1

·         Not scored by NVD at the time of writing.

·         Estimated from the vulnerability class (network-reachable memory corruption in the browser, needing only that the target load a page): CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H, which scores 8.8 (High).

Nessus ID

·         278573

·         278572

·         278570

·         278386

·         278158

·         278157

Is this on the KEV list

Yes, added December 12, 2025.

What is the patch by date

·         January 2, 2026

Patching/Mitigation Data

URL link to patching information

·         hxxps://chromereleases.googleblog.com/2025/12/stable-channel-update-for-desktop_10.html

Impacted versions

·         Google Chrome (Mac) versions prior to 143.0.7499.110

·         Google Chrome (Windows/Linux) versions prior to 143.0.7499.109

·         Microsoft Edge versions prior to 143.0.3650.80

·         Apple iOS/iPadOS versions prior to 18.7.3 or 26.2

·         Apple macOS versions prior to macOS Tahoe 26.2

·         Apple Safari versions prior to 26.2
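To make the version list above actionable, here is an added example (not from this advisory or from any vendor tool) that compares inventory version strings against those fix points. Apple ships two supported iOS/iPadOS branches, so the check matches on major version before comparing. The product keys, the function names and the inventory rows are this example's own assumptions.

```python
"""Version triage for CVE-2025-14174 (added example; not vendor tooling).

Compares inventory version strings against the fixed versions listed in this
advisory. Product keys, function names and the inventory rows are this
example's own assumptions.
"""
from __future__ import annotations
import re

# Fix points as listed above. Apple ships two supported iOS/iPadOS branches
# (18.7.x and 26.x), so a product may carry one fix per branch.
FIXED_VERSIONS: dict[str, list[str]] = {
    "chrome-mac": ["143.0.7499.110"],
    "chrome-win": ["143.0.7499.109"],
    "chrome-linux": ["143.0.7499.109"],
    "edge": ["143.0.3650.80"],
    "ios": ["18.7.3", "26.2"],
    "ipados": ["18.7.3", "26.2"],
    "macos": ["26.2"],
    "safari": ["26.2"],
}


def parse_version(s: str) -> tuple[int, ...]:
    """'143.0.7499.110' -> (143, 0, 7499, 110); trailing tags such as '-beta' are ignored."""
    m = re.match(r"\d+(?:\.\d+)*", s.strip())
    if not m:
        raise ValueError(f"unparseable version: {s!r}")
    return tuple(int(x) for x in m.group(0).split("."))


def _pad(a: tuple[int, ...], b: tuple[int, ...]) -> tuple[tuple[int, ...], tuple[int, ...]]:
    """Right-pad with zeros so '26.2' and '26.2.0' compare equal."""
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)), b + (0,) * (n - len(b))


def is_patched(product: str, version: str) -> bool:
    """True if version is at or above the fix for its release branch.

    Branches are matched on major version: iOS 18.7.2 is checked against 18.7.3,
    iOS 26.1 against 26.2. A major newer than every listed fix (e.g. Chrome 144)
    is treated as patched; a major older than every fix (e.g. iOS 17, which no
    longer receives updates) or one with no listed fix is treated as unpatched.
    """
    fixes = sorted(parse_version(f) for f in FIXED_VERSIONS[product])
    v = parse_version(version)
    for fix in fixes:
        if v[0] == fix[0]:
            pv, pf = _pad(v, fix)
            return pv >= pf
    return v[0] > fixes[-1][0]


def triage(inventory: list[tuple[str, str, str]]) -> list[tuple[str, str, str]]:
    """Return the (host, product, version) rows that still need the fix."""
    return [row for row in inventory if not is_patched(row[1], row[2])]


# Constructed inventory for demonstration; none of these are real hosts.
INVENTORY = [
    ("ceo-iphone", "ios", "18.7.2"),              # 18.x branch, below 18.7.3
    ("ceo-ipad", "ipados", "26.2"),               # patched
    ("dev-mac", "chrome-mac", "143.0.7499.109"),  # Mac needs .110 per the list above
    ("dev-win", "chrome-win", "143.0.7499.109"),  # patched
    ("fin-win", "edge", "142.0.1.1"),             # a whole major behind
    ("ops-mac", "safari", "26.1"),                # below 26.2
    ("ops-mac", "macos", "26.2"),                 # patched
    ("old-iphone", "ios", "17.7.2"),              # unsupported branch, no fix available
    ("lab-linux", "chrome-linux", "144.0.1.1"),   # newer major, patched
]

if __name__ == "__main__":
    for host, product, version in triage(INVENTORY):
        print(f"{host:12} {product:13} {version:16} NEEDS PATCH")
```

Feed it the output of your MDM or asset inventory export; anything iOS 17 or older appears as unpatched because no fix exists for that branch, which is the correct answer for a device that cannot be updated.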

APT Names

·         No APT groups have been named at this time

Associated Criminal Organization Names

·         No specific criminal organizations have been named at this time

IOCs

Behavioral Indicators

·         Maliciously Crafted HTML Content: The primary attack vector is the processing of "specially crafted" web content. Browsing to a malicious or compromised website is the trigger for the out-of-bounds memory access.

·         Anomalous Browser Crashes: Repeated or unexplained crashes in Safari, Chrome, or Microsoft Edge—particularly while viewing specific, unexpected web pages—can be a sign of attempted memory corruption.

·         One-Click Links: These exploits are delivered through personalized links (e.g., via SMS, iMessage, or email). The vulnerability needs only that the target open the URL in a vulnerable browser (UI:R in the CVSS estimate), with no further interaction, but it is not zero-click.

Situational Indicators

·         Target Profile

o   If your organization falls into a high-risk sector (Government, Finance, Critical Infrastructure, or Human Rights), you are more likely to be a target for the mercenary spyware associated with this flaw.

·         Unpatched Software Version

o   Any device running iOS/iPadOS prior to 18.7.3 (18.x branch) or 26.2 (26.x branch), Safari or macOS prior to 26.2, Google Chrome prior to 143.0.7499.109/.110, or Microsoft Edge prior to 143.0.3650.80 is considered at high risk.

·         Exploit Chaining

o   Evidence of CVE-2025-43529 (a WebKit use-after-free fixed in the same Apple release) on a system is a reason to check for CVE-2025-14174 as well: the two are reported to have been used in tandem in the same "sophisticated" campaign.

·         Tools Used in Campaign

o   Custom exploits, likely delivering commercial spyware.

TTPs

Initial Access

·         T1566.002 - Phishing: Spearphishing Link: Attackers entice specific targeted individuals to visit a maliciously crafted URL.

·         T1204.001 - User Execution: Malicious Link: Successful exploitation requires the victim to interact with a malicious link or navigate to a specially crafted HTML page.

Execution

·         T1203 - Exploitation for Client Execution: The vulnerability is triggered when the browser's graphics engine (ANGLE) or rendering engine (WebKit) processes maliciously crafted web content, leading to unauthorized code execution.

Persistence / Privilege Escalation

·         T1068 - Exploitation for Privilege Escalation: On its own, this bug yields code execution only inside the sandboxed process that runs ANGLE (the browser's GPU or content process). In the reported "sophisticated" attacks it was paired with other zero-days, notably CVE-2025-43529 (a WebKit use-after-free fixed in the same Apple release); a full compromise additionally requires a sandbox escape and OS-level privilege escalation, and those components of the chain have not been publicly detailed.

Impact

·         T1499 - Endpoint Denial of Service: The out-of-bounds memory access can cause unexpected application termination or system crashes.

·         T1565 - Data Manipulation: If exploited for code execution, an attacker can modify program memory or system data.

Malware Names

·         Not known at this time, likely custom or proprietary spyware payloads

Malware Samples

·         Not known at this time

Suggested rules / potential hunts

Suricata

(Network IDS)

Direct network signatures for a memory-corruption bug are rare, and the delivery page is almost always served over TLS, so these only apply where traffic is decrypted at a proxy. Treat them as hunting heuristics, not as a signature for the vulnerability itself.

Malicious HTML Content: Look for exploit-support patterns in HTTP response bodies, such as pages that obtain a WebGL context (the path into ANGLE) and then allocate many large ArrayBuffer/typed-array objects in a loop (heap grooming). A pattern that matches any ArrayBuffer(...) call with a long argument fires on ordinary web applications and is not usable as an alert.

Anomalous Port Connections: Browser processes making direct outbound connections to ports your baseline does not show for web traffic (e.g., 4444) shortly after a page load; 8080 and other common proxy ports are too noisy to alert on alone.

Rule Concept

A Suricata rule needs a sid to load. The concept below restricts the match to ArrayBuffer allocations with a large literal size (seven or more decimal digits, or six or more hex digits, i.e. roughly 1 MiB and up) and should be run in alert-only mode with a threshold:

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"EXPLOIT Possible WebKit/ANGLE heap-spray JavaScript (CVE-2025-14174 hunt)"; flow:established,to_client; file_data; content:"ArrayBuffer"; pcre:"/new\s+ArrayBuffer\s*\(\s*(?:0x[0-9a-f]{6,}|\d{7,})\s*\)/i"; classtype:attempted-user; sid:1000001; rev:2;)
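The following is an added example, not part of this advisory and not a Suricata rule, that applies the same heuristic offline to decrypted response bodies: it requires both the WebGL entry point and looped large typed-array allocations before flagging a page, and it also counts hits of the loose ArrayBuffer(.{8,}) pattern to show that the loose pattern cannot separate a texture loader from a heap spray. Both page bodies are constructed; the function names and the 1 MiB threshold are this example's own choices.

```python
"""Heuristic scan of decrypted HTTP response bodies for WebGL heap grooming (added example).

Not a signature for CVE-2025-14174: it flags pages that take a WebGL context
(the path into ANGLE) and then allocate large typed arrays in a loop, which is
how browser exploits usually shape the heap before triggering a bug. The two
page bodies below are constructed for the demonstration; the function names
are this example's own.
"""
import re

TYPED = r"(?:ArrayBuffer|SharedArrayBuffer|Uint8Array|Uint16Array|Uint32Array|Float32Array|Float64Array|BigUint64Array)"
# WebGL context acquisition: the only way page JavaScript reaches ANGLE.
WEBGL_RE = re.compile(r"getContext\s*\(\s*['\"](?:webgl2?|experimental-webgl)['\"]")
# Typed-array construction with a literal numeric size (decimal or hex).
ALLOC_RE = re.compile(rf"new\s+{TYPED}\s*\(\s*(0x[0-9a-fA-F]+|\d+)")
# A for-loop whose body allocates a typed array within the next 200 characters.
SPRAY_LOOP_RE = re.compile(rf"for\s*\([^)]*\)\s*\{{?[^}}]{{0,200}}?new\s+{TYPED}", re.S)
# The loose pattern from the rule concept above, kept only to count how often it fires.
PAGE_RULE_RE = re.compile(r"ArrayBuffer\(.{8,}\)")
BIG = 1 << 20  # 1 MiB: a single literal allocation this large is unusual outside media/games


def _size(tok: str) -> int:
    return int(tok, 16) if tok.lower().startswith("0x") else int(tok)


def score_body(body: str) -> dict:
    """Return indicator counts and a verdict for one response body."""
    sizes = [_size(m.group(1)) for m in ALLOC_RE.finditer(body)]
    result = {
        "webgl": bool(WEBGL_RE.search(body)),
        "big_allocs": sum(1 for s in sizes if s >= BIG),
        "alloc_loops": len(SPRAY_LOOP_RE.findall(body)),
        "page_rule_hits": len(PAGE_RULE_RE.findall(body)),
    }
    # Require the WebGL entry point *and* looped large allocations; either alone is common.
    result["suspicious"] = result["webgl"] and result["alloc_loops"] >= 1 and result["big_allocs"] >= 1
    return result


# Constructed benign page: a texture loader whose buffer sizes come from data, not constants.
BENIGN_PAGE = """
const gl = canvas.getContext("webgl2");
const img = await fetch("/tex.bin").then(r => r.arrayBuffer());
const tex = new Uint8Array(img);
const staging = new ArrayBuffer(img.byteLength);
gl.texImage2D(gl.TEXTURE_2D, 0, gl.RGBA, 256, 256, 0, gl.RGBA, gl.UNSIGNED_BYTE, tex);
"""

# Constructed heap-grooming page: WebGL context plus thousands of 1 MiB buffers.
SPRAY_PAGE = """
const gl = c.getContext("webgl");
const spray = [];
for (let i = 0; i < 4096; i++) {
  spray.push(new ArrayBuffer(0x100000));
}
const view = new Uint32Array(0x400000);
"""

if __name__ == "__main__":
    for name, page in (("benign", BENIGN_PAGE), ("spray", SPRAY_PAGE)):
        print(name, score_body(page))
```

Both constructed pages produce exactly one hit for the loose pattern, which is the point: the signal comes from combining the WebGL entry point with the allocation loop, not from the ArrayBuffer token itself. Expect genuine WebGL games and visualisation sites to trip the combined check occasionally, so keep it as a triage feed rather than a blocking rule.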

SentinelOne (EDR)

Use Deep Visibility to hunt for browser processes behaving like malware or breaking out of their sandbox. The process that first runs attacker code is the one hosting ANGLE: in Chromium browsers that is the GPU process (macOS: "Google Chrome Helper (GPU)"; on Windows every Chrome or Edge process type shares the chrome.exe/msedge.exe image and is distinguished only by its --type= command line), and in WebKit the GPU process (com.apple.WebKit.GPU) or the content process (com.apple.WebKit.WebContent), depending on OS version.

Anomalous Child Processes: Hunt for sandboxed browser helper processes spawning system shells or unusual binaries. The helpers have no legitimate reason to start a shell; the main browser process occasionally does (native messaging hosts, updaters), so scope to the helpers first.

Query (Deep Visibility field names; confirm against your console version)

EventType = "Process Creation" AND SrcProcName In ("Google Chrome Helper (GPU)", "Google Chrome Helper (Renderer)", "com.apple.WebKit.GPU", "com.apple.WebKit.WebContent", "chrome.exe", "msedge.exe") AND TgtProcName In ("sh", "bash", "zsh", "cmd.exe", "powershell.exe", "pwsh.exe")

In-Memory Code Injection: Monitor for browser processes (Chrome, Safari) attempting to write to or create remote threads in other system processes (T1055).

Suspicious File Writes

Alert on sandboxed browser helper processes creating executable or loadable files. Scope to the helpers: the main browser process writes user downloads (including .dmg files) and cache data legitimately, so including it makes the hunt unusable.

Query

EventType = "File Creation" AND SrcProcName In ("Google Chrome Helper (GPU)", "Google Chrome Helper (Renderer)", "com.apple.WebKit.GPU", "com.apple.WebKit.WebContent") AND TgtFileExtension In ("dylib", "so", "bin", "dmg")

Splunk (SIEM)

Leverage endpoint and application logs to identify exploitation indicators and successful compromises.

Browser Renderer/GPU Crashes: Repeated access-violation crashes of the browser helper processes on one host within minutes suggest failed exploitation attempts (a successful exploit usually leaves no crash). Windows Application log Event 1000 (Application Error) carries the faulting image and exception code as free text in the message, so match on the text rather than on extracted fields:

Search: index=windows sourcetype="WinEventLog:Application" EventCode=1000 ("chrome.exe" OR "msedge.exe") "0xc0000005" | bin _time span=10m | stats count by host, _time | where count >= 3

Caveat: Chromium's own crash handler (crashpad) may capture a crash before Windows Error Reporting writes Event 1000, so also collect the browser's crash reports; on macOS, use the crash logs under ~/Library/Logs/DiagnosticReports for the helper process names listed in the SentinelOne section.

TTP-Based Hunting

Look for browser sessions that deviate from your baseline: a first-seen domain reached from a link in SMS, iMessage, or email, followed within minutes by a helper-process crash, an unexpected child process, or a persistence write on the same host.

Post-Exploitation Persistence

Detect new, unauthorized LaunchDaemons/LaunchAgents (macOS) or scheduled tasks (Windows) created by browser processes immediately following a suspicious web session. The two operating systems need separate searches: chrome.exe is the Windows image and LaunchDaemons is a macOS path.

Search (macOS; field names follow the Splunk CIM Endpoint data model, adjust to your add-on)

index=endpoint process_name IN ("Google Chrome", "Google Chrome Helper (GPU)", "Google Chrome Helper (Renderer)", "Safari", "com.apple.WebKit.GPU", "com.apple.WebKit.WebContent") action="created" (file_path="*/LaunchDaemons/*" OR file_path="*/LaunchAgents/*")

Search (Windows, Sysmon)

index=endpoint sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" ((EventCode=1 ParentImage IN ("*\\chrome.exe", "*\\msedge.exe") Image="*\\schtasks.exe") OR (EventCode=11 Image IN ("*\\chrome.exe", "*\\msedge.exe") TargetFilename="*\\Windows\\System32\\Tasks\\*"))
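The three hunts above (a shell spawned by a sandboxed browser helper, a burst of access-violation crashes on one host, and a persistence write by a browser process) reduce to a few lines of logic once telemetry is normalized. The following is an added example, not SentinelOne or Splunk code, that runs those hunts over a constructed event list; the event schema (type, host, parent, image, path, exception), the function names and every event are this example's own, and the process names are the macOS/Windows spellings used in the queries above.

```python
"""Offline versions of the EDR/SIEM hunts above, run over constructed telemetry (added example).

This is not SentinelOne or Splunk code. It assumes events have been normalized to
dicts with keys ts, host, type, image and (depending on type) parent, path,
exception; the schema, the function names and every event below are this
example's own.
"""
from __future__ import annotations
from collections import defaultdict
from datetime import datetime, timedelta

# Processes that run untrusted web content or WebGL work. They never legitimately
# spawn a shell. Names are the macOS and Windows spellings used in the hunts above.
SANDBOXED_HELPERS = {
    "com.apple.WebKit.WebContent", "com.apple.WebKit.GPU",
    "Google Chrome Helper (Renderer)", "Google Chrome Helper (GPU)",
    "chrome.exe", "msedge.exe",  # Windows: one image name for every process type
}
BROWSER_PROCS = SANDBOXED_HELPERS | {"Google Chrome", "Safari"}
SHELLS = {"sh", "bash", "zsh", "cmd.exe", "powershell.exe", "pwsh.exe"}
PERSISTENCE_PATHS = ("/LaunchDaemons/", "/LaunchAgents/", "\\Windows\\System32\\Tasks\\")
ACCESS_VIOLATION = "0xc0000005"


def suspicious_children(events: list[dict]) -> list[dict]:
    """Sandboxed browser helper spawning a shell (T1203 followed by hands-on activity)."""
    return [e for e in events
            if e["type"] == "process_create"
            and e["parent"] in SANDBOXED_HELPERS
            and e["image"] in SHELLS]


def crash_bursts(events: list[dict], window: timedelta = timedelta(minutes=10),
                 threshold: int = 3) -> dict[str, int]:
    """Hosts with >= threshold access-violation browser crashes inside one window.

    Failed exploitation attempts look like a burst of helper crashes; the same
    count spread over a day is ordinary instability and is not reported.
    """
    per_host: dict[str, list[datetime]] = defaultdict(list)
    for e in events:
        if (e["type"] == "app_crash" and e["image"] in BROWSER_PROCS
                and e.get("exception") == ACCESS_VIOLATION):
            per_host[e["host"]].append(datetime.fromisoformat(e["ts"]))
    hits: dict[str, int] = {}
    for host, times in per_host.items():
        times.sort()
        for i in range(len(times)):
            j = i
            while j + 1 < len(times) and times[j + 1] - times[i] <= window:
                j += 1
            if j - i + 1 >= threshold:
                hits[host] = j - i + 1
                break
    return hits


def browser_persistence(events: list[dict]) -> list[dict]:
    """Browser process writing a LaunchDaemon/LaunchAgent plist or a scheduled task."""
    return [e for e in events
            if e["type"] == "file_create"
            and e["image"] in BROWSER_PROCS
            and any(p in e["path"] for p in PERSISTENCE_PATHS)]


# Constructed events; hosts, users and times are invented for the demonstration.
EVENTS = [
    {"ts": "2025-12-11T09:00:05", "host": "mac-ops-01", "type": "process_create",
     "parent": "Google Chrome Helper (GPU)", "image": "zsh"},
    {"ts": "2025-12-11T09:00:06", "host": "mac-ops-01", "type": "process_create",
     "parent": "Google Chrome", "image": "Google Chrome Helper (Renderer)"},  # normal
    {"ts": "2025-12-11T10:01:00", "host": "win-fin-07", "type": "app_crash",
     "image": "msedge.exe", "exception": "0xc0000005"},
    {"ts": "2025-12-11T10:02:30", "host": "win-fin-07", "type": "app_crash",
     "image": "msedge.exe", "exception": "0xc0000005"},
    {"ts": "2025-12-11T10:04:10", "host": "win-fin-07", "type": "app_crash",
     "image": "msedge.exe", "exception": "0xc0000005"},
    {"ts": "2025-12-11T08:00:00", "host": "win-dev-02", "type": "app_crash",
     "image": "chrome.exe", "exception": "0xc0000005"},  # three crashes, hours apart
    {"ts": "2025-12-11T18:00:00", "host": "win-dev-02", "type": "app_crash",
     "image": "chrome.exe", "exception": "0xc0000005"},
    {"ts": "2025-12-11T19:00:00", "host": "win-dev-02", "type": "app_crash",
     "image": "chrome.exe", "exception": "0xc0000005"},
    {"ts": "2025-12-11T09:03:00", "host": "mac-ops-01", "type": "file_create",
     "image": "Safari", "path": "/Users/alice/Library/LaunchAgents/com.update.helper.plist"},
    {"ts": "2025-12-11T09:04:00", "host": "mac-ops-01", "type": "file_create",
     "image": "Safari", "path": "/Users/alice/Downloads/report.pdf"},  # normal download
]

if __name__ == "__main__":
    print("shell from helper:", [(e["host"], e["parent"], e["image"]) for e in suspicious_children(EVENTS)])
    print("crash bursts:", crash_bursts(EVENTS))
    print("persistence writes:", [(e["host"], e["path"]) for e in browser_persistence(EVENTS)])
```

On the constructed data, win-dev-02 has as many access-violation crashes as win-fin-07 but is not reported, because the sliding window is what separates an exploitation burst from a flaky machine; tune the window and threshold to your own crash baseline before turning this into an alert.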

Delivery Method

User interaction is required; delivery via visiting a maliciously crafted web page.

Email Samples: No specific samples provided.

References

NVD

·         hxxps://nvd.nist.gov/vuln/detail/CVE-2025-14174

CISA

·         hxxps://www.cisa.gov/news-events/alerts/2025/12/12/cisa-adds-one-known-exploited-vulnerability-catalog-0

Tenable

·         hxxps://www.tenable.com/cve/CVE-2025-14174/plugins

Chrome

·         hxxps://chromereleases.googleblog.com/2025/12/stable-channel-update-for-desktop_10.html

Dark Reading

·         hxxps://www.darkreading.com/vulnerabilities-threats/apple-patches-more-zero-days-sophisticated-attack
