CVE-2025-14174

HIGH KEV

Google Chrome <143.0.7499.110 - Memory Corruption

Title source: llm

Exploitation Summary

CVE-2025-14174 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added December 12, 2025. EIP tracks 5 public exploits from researchers including XiaomingX, Satirush, George0Papasotiriou.

AI-analyzed exploit summary The repository contains a functional SQL injection exploit for CVE-2025-10042 targeting WordPress Quiz Maker plugin. The exploit uses time-based blind SQLi to extract admin credentials and hashes.

Description

Out of bounds memory access in ANGLE in Google Chrome on Mac prior to 143.0.7499.110 allowed a remote attacker to perform out of bounds memory access via a crafted HTML page. (Chromium security severity: High)

Exploits (5)

github WORKING POC 10 stars

by XiaomingX · pythonpoc

https://github.com/XiaomingX/data-cve-poc-py-v1/tree/main/2025/CVE-2025-14174

View Code ZIP pw:eip

The repository contains a functional SQL injection exploit for CVE-2025-10042 targeting WordPress Quiz Maker plugin. The exploit uses time-based blind SQLi to extract admin credentials and hashes.

Classification

Working Poc 95%

Attack Type

Sqli

Complexity

Moderate

Reliability

Reliable

Target: WordPress Quiz Maker <= 6.7.0.56

No auth needed

Prerequisites: target URL · path to quiz page · injection header

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1059 - Command and Scripting Interpreter

devstral-2 · analyzed Feb 27, 2026 Full analysis →

nomisec WORKING POC 7 stars

by Satirush · poc

https://github.com/Satirush/CVE-2025-14174-Poc

View Code ZIP pw:eip

This repository contains a functional PoC exploit for CVE-2025-14174, targeting a memory corruption vulnerability in the ANGLE graphics engine. The exploit enables remote code execution via crafted WebGL content and is designed to bypass mitigations in patched systems.

Classification

Working Poc 90%

Attack Type

Rce

Complexity

Complex

Reliability

Reliable

Target: ANGLE graphics engine (used in Chrome, Edge, Safari, etc.)

No auth needed

Prerequisites: Target must visit a crafted webpage · WebGL or shader content must be rendered

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1068 - Exploitation for Privilege Escalation

devstral-2 · analyzed Feb 16, 2026 Full analysis →

nomisec WORKING POC 1 stars

by George0Papasotiriou · poc

https://github.com/George0Papasotiriou/CVE-2025-14174-Chrome-Zero-Day

View Code ZIP pw:eip

This PoC demonstrates a use-after-free vulnerability in the V8 JavaScript engine of Google Chrome prior to version 121.0.6167.85. The exploit manipulates garbage collection to create a dangling reference, which is then used to corrupt memory and potentially achieve arbitrary code execution.

Classification

Working Poc 90%

Attack Type

Rce

Complexity

Moderate

Reliability

Racy

Target: Google Chrome prior to version 121.0.6167.85

No auth needed

Prerequisites: Victim must visit a malicious webpage or execute the crafted JavaScript

MITRE ATT&CK

T1068 - Exploitation for Privilege Escalation T1190 - Exploit Public-Facing Application

devstral-2 · analyzed Feb 16, 2026 Full analysis →

github STUB

by SgtBattenHA · phppoc

https://github.com/SgtBattenHA/Analysis

View Code ZIP pw:eip

The repository contains only a README and frontend JavaScript libraries (jQuery) with no exploit code or technical analysis related to CVE-2025-14174. It appears to be a placeholder or unrelated project.

Classification

Stub 90%

Attack Type

Other

Complexity

Trivial

Reliability

Theoretical

Target: Unknown (no exploit code present)

No auth needed

devstral-2 · analyzed Feb 19, 2026 Full analysis →

nomisec WRITEUP

by typeconfused · client-side

https://github.com/typeconfused/CVE-2025-14174-analysis

View Code ZIP pw:eip

Technical analysis and proof-of-concept for CVE-2025-14174, an out-of-bounds write vulnerability in ANGLE's Metal backend when uploading depth textures via a staging buffer.

Classification

Writeup 100%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: iOS Safari, macOS Chrome/Chromium/Electron

No auth needed

Prerequisites: WebGL2 context · Depth texture format DEPTH_COMPONENT32F · Pixel Buffer Object (PBO) bound to PIXEL_UNPACK_BUFFER · GL_UNPACK_IMAGE_HEIGHT set to a value less than actual texture height · ANGLE Metal backend active

MITRE ATT&CK

T1190 - Exploit Public-Facing Application

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (4)

Core 4

Core References

Release Notes

https://chromereleases.googleblog.com/2025/12/stable-channel-update-for-desktop_10.html

Permissions Required

https://issues.chromium.org/issues/466192044

Third Party Advisory

https://learn.microsoft.com/en-us/deployedge/microsoft-edge-relnotes-security

Third Party Advisory

https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-14174

Scores

CVSS v3 8.8

EPSS 0.2222

EPSS Percentile 97.4%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation active

Automatable no

Technical Impact total

Details

CISA KEV 2025-12-12

VulnCheck KEV 2025-12-12

ENISA EUVD EUVD-2025-203113

CWE

CWE-119 CWE-787

Status published

Products (9)

apple/ipados < 18.7.3

apple/iphone_os < 18.7.3

apple/macos < 26.2

apple/safari < 26.2

apple/tvos < 26.2

apple/visionos < 26.2

apple/watchos < 26.2

google/chrome 143.0.7499.41 - 143.0.7499.110

microsoft/edge_chromium < 143.0.3650.80

Published Dec 12, 2025

KEV Added Dec 12, 2025

Tracked Since Feb 18, 2026