Skip to main content
CVE Vulnerability Database

CVE-2025-8901: Google Chrome ANGLE RCE Vulnerability

CVE-2025-8901 is an out of bounds write flaw in Google Chrome's ANGLE component that enables remote code execution through crafted HTML pages. This article covers the technical details, affected versions, and mitigations.

Updated:

CVE-2025-8901 Overview

CVE-2025-8901 is an out-of-bounds write vulnerability in ANGLE (Almost Native Graphics Layer Engine), the graphics abstraction layer used by Google Chrome to translate WebGL and OpenGL ES calls to native APIs. The flaw affects Chrome versions prior to 139.0.7258.127 on Windows, macOS, and Linux. A remote attacker can perform out-of-bounds memory access by serving a crafted HTML page to a victim. Google Chromium rates the security severity as High.

Critical Impact

Successful exploitation allows attackers to corrupt memory in the browser's graphics processing pipeline, potentially leading to arbitrary code execution within the renderer process after a user visits a malicious page.

Affected Products

  • Google Chrome prior to 139.0.7258.127
  • Microsoft Windows installations of Chrome
  • Apple macOS and Linux installations of Chrome

Discovery Timeline

  • 2025-08-13 - CVE-2025-8901 published to NVD
  • 2025-09-26 - Last updated in NVD database

Technical Details for CVE-2025-8901

Vulnerability Analysis

The vulnerability resides in ANGLE, the component Chrome uses to translate WebGL and OpenGL ES calls into the underlying graphics API on each operating system, including Direct3D on Windows, Metal on macOS, and OpenGL on Linux. ANGLE handles untrusted input from web pages whenever a site uses WebGL, exposing a broad attack surface to network-based adversaries.

The defect is classified as [CWE-787] Out-of-Bounds Write. A crafted HTML page issuing specific WebGL operations causes ANGLE to write past the boundaries of an allocated buffer. Such writes can corrupt adjacent heap data, function pointers, or object metadata used by the renderer process.

User interaction is required because the victim must load a malicious page. However, no privileges or prior authentication are needed, and the attack complexity is low.

Root Cause

The root cause is missing or incorrect bounds checking within ANGLE when processing graphics commands originating from JavaScript and WebGL contexts. The component fails to validate the size or offset of an operation against the bounds of the destination buffer before performing a write.

Attack Vector

An attacker hosts a crafted HTML page containing malicious WebGL shader code or API call sequences. When a user visits the page, Chrome's renderer dispatches the calls to ANGLE, triggering the out-of-bounds write. Attackers typically chain such renderer flaws with a sandbox escape to achieve code execution outside the sandboxed process.

The vulnerability is described in prose only. See the Chromium Issue Tracker Entry for technical detail once restrictions are lifted.

Detection Methods for CVE-2025-8901

Indicators of Compromise

  • Chrome renderer process crashes referencing libANGLE, libGLESv2, or graphics-related modules in crash logs.
  • Unexpected child process spawning from chrome.exe shortly after browsing activity.
  • Outbound connections from Chrome processes to newly registered or low-reputation domains hosting WebGL content.

Detection Strategies

  • Monitor endpoints for installed Chrome versions below 139.0.7258.127 using software inventory or vulnerability scanning tools.
  • Inspect browser telemetry and crash dumps for repeated faults inside ANGLE modules, which can indicate exploitation attempts.
  • Apply network detections for URLs delivering anomalous WebGL payloads or shader code from untrusted origins.

Monitoring Recommendations

  • Enable Chrome enterprise reporting to centralize crash and version data for affected fleets.
  • Correlate web proxy logs with endpoint process telemetry to identify users visiting suspicious pages that trigger renderer crashes.
  • Track post-exploitation behaviors such as credential access, persistence, or lateral movement originating from browser child processes.

How to Mitigate CVE-2025-8901

Immediate Actions Required

  • Update Google Chrome to version 139.0.7258.127 or later on all Windows, macOS, and Linux endpoints.
  • Force-restart Chrome after deploying the update so the patched binary is actually loaded into memory.
  • Audit Chromium-based browsers and embedded WebViews that may bundle vulnerable ANGLE builds.

Patch Information

Google released the fix in the Chrome Stable channel update on August 12, 2025. Administrators should deploy 139.0.7258.127 or later, as documented in the Google Chrome Stable Update advisory.

Workarounds

  • Where patching is delayed, disable hardware acceleration in Chrome via chrome://settings to reduce reliance on ANGLE, accepting performance trade-offs.
  • Restrict access to untrusted WebGL content through web filtering or enterprise policies that limit browsing categories.
  • Enforce site isolation and ensure the renderer sandbox is enabled across managed Chrome installations.
bash
# Enterprise policy example: enforce minimum Chrome version and disable hardware acceleration as a temporary workaround
# Windows registry path: HKLM\Software\Policies\Google\Chrome
HardwareAccelerationModeEnabled = 0
TargetVersionPrefix = "139.0.7258.127"

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.