Google Chrome ANGLE Heap Buffer Overflow (CVE-2025-10502): Brief Summary and Patch Guidance

This post provides a brief summary of CVE-2025-10502, a heap buffer overflow in Google Chrome's ANGLE graphics engine prior to version 140.0.7339.185. It covers technical details, affected versions, patch information, and vendor security history.

ZeroPath CVE Analysis

2025-09-24

Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.


Introduction

Remote attackers could potentially achieve heap corruption and arbitrary code execution in Chrome simply by delivering malicious graphics content to a user's browser. The recent patch for CVE-2025-10502 highlights the ongoing risks posed by memory safety issues in widely deployed browser components. With Chrome's ANGLE graphics engine as the attack surface, this vulnerability affects users across Windows, macOS, and Linux prior to version 140.0.7339.185.

Technical Information

CVE-2025-10502 is a heap buffer overflow in the ANGLE (Almost Native Graphics Layer Engine) component of Google Chrome. ANGLE is a cross-platform graphics abstraction layer that translates OpenGL ES API calls to native graphics APIs such as DirectX (on Windows) or Vulkan (on Linux and macOS). It is a critical part of Chrome's WebGL and graphics rendering pipeline.

The vulnerability is caused by insufficient bounds checking when ANGLE processes certain graphics data. By sending specially crafted network traffic (for example, malicious WebGL shaders or Canvas operations), an attacker can trigger a heap buffer overflow in the ANGLE process. This allows for out-of-bounds memory writes, which can corrupt heap metadata or adjacent objects, potentially leading to arbitrary code execution within the browser's process context. The flaw is classified under CWE-122 (Heap-based Buffer Overflow).

No public code snippets or detailed proof of concept information are available for this vulnerability as of the publication date. The root cause is improper validation of buffer boundaries in ANGLE's handling of graphics data, as discovered by Google's Big Sleep AI system.

Patch Information

Google has addressed the heap buffer overflow vulnerability in the ANGLE component of Chrome by releasing version 140.0.7339.185/.186 for Windows and Mac, and 140.0.7339.185 for Linux. This update rectifies the flaw by implementing stricter bounds checking within the ANGLE graphics layer, thereby preventing out-of-bounds memory access that could lead to potential exploits. Users are strongly advised to update their browsers to these versions to ensure protection against this vulnerability.

Reference: Google Chrome Release Blog

Affected Systems and Versions

  • Google Chrome prior to 140.0.7339.185 on Windows
  • Google Chrome prior to 140.0.7339.186 on macOS
  • Google Chrome prior to 140.0.7339.185 on Linux

All configurations of Chrome using ANGLE for graphics rendering are affected if running a vulnerable version.
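
A fleet check against the fixed builds in the list above, as an added example that is not part of the original post or any Google tooling. The inventory records and host names are constructed, the function names are hypothetical, and the per-platform thresholds follow the list as written.

```python
import re

# Fixed builds per platform, from the "Affected Systems and Versions" list.
FIXED_BUILD = {
    "windows": (140, 0, 7339, 185),
    "macos": (140, 0, 7339, 186),
    "linux": (140, 0, 7339, 185),
}
VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\.(\d+)\b")

# Constructed inventory records: (host, platform, reported version string).
SAMPLE_INVENTORY = [
    ("ws-01", "windows", "Google Chrome 140.0.7339.128"),
    ("ws-02", "windows", "Google Chrome 140.0.7339.185"),
    ("mac-01", "macos", "Google Chrome 140.0.7339.185"),
    ("lin-01", "linux", "Google Chrome 140.0.7339.80"),
    ("lin-02", "linux", "Google Chrome 141.0.7000.1"),
    ("kiosk-01", "chromeos", "not reported"),
]


def parse_version(text):
    """Extract the four-part build number as a tuple of ints."""
    match = VERSION_RE.search(text)
    if match is None:
        raise ValueError(f"no four-part version in {text!r}")
    return tuple(int(part) for part in match.groups())


def classify(platform, version_text):
    """Return 'vulnerable', 'patched' or 'unknown' for one record."""
    fixed = FIXED_BUILD.get(platform.lower())
    if fixed is None:
        return "unknown"  # platform not covered by the list above
    try:
        installed = parse_version(version_text)
    except ValueError:
        return "unknown"  # unparseable report: follow up by hand
    # Integer tuples compare numerically, so .80 < .185; a plain string
    # comparison would rank "140.0.7339.80" above "140.0.7339.185".
    return "vulnerable" if installed < fixed else "patched"


def audit(inventory):
    """Map each host to its status."""
    return {host: classify(platform, text) for host, platform, text in inventory}


if __name__ == "__main__":
    for host, status in audit(SAMPLE_INVENTORY).items():
        print(f"{host:10} {status}")
```

Hosts reported as `unknown` should be treated as unverified rather than patched.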

Vendor Security History

Google Chrome has experienced several high severity vulnerabilities in 2025, including multiple zero days and memory corruption issues in both the V8 JavaScript engine and ANGLE. Google's patch response time is typically rapid, with security updates released within days to weeks of discovery. The company employs advanced vulnerability discovery tools, including AI systems such as Big Sleep, and maintains a mature bug bounty program. Despite these efforts, the frequency of critical vulnerabilities in Chrome underscores the ongoing challenges of securing complex browser codebases.
