CVE-2025-14174: Out of bounds memory access in ANGLE
Published Dec 5, 2025
·Updated
Accessibility. A privacy issue was addressed by removing sensitive data.
Other sources
Accessibility. An inconsistent user interface issue was addressed with improved state management.
— Apple
Admin Framework. A parsing issue in the handling of directory paths was addressed with improved path validation.
— Apple
App Store. A permissions issue was addressed with additional restrictions.
— Apple
AppleEvents. An authorization issue was addressed with improved state management.
— Apple
AppleJPEG. The issue was addressed with improved bounds checks.
— Apple
Credit
Apple Security Engineering, Architecture (SEAR), Google Threat Analysis Group, Andreas Jaegersberger & Ro Achterberg(Nosebeard Labs), @@retsew0x01, Wojciech Regula(SecuRing), Hossein Lotfi@@hosselot(Trend Micro Zero Day Initiative), Nan Wang@@eternalsakura13, Google Big Sleep, Phil Pizlo(Epic Games), Apple, 이동하 (Lee Dong Ha(BoB 14th), Michael Reeves@@IntegralPilot, CVE-2024-7264, CVE-2025-9086, Andrew Calvano(Meta Product Security), Lucas Pinheiro(Meta Product Security), Duy Trần@@khanhduytran0, Kaitao Xie(Alibaba Group), Xiaolong Bai(Alibaba Group), floeki(IES Red Team of ByteDance), Zhongcheng Li(IES Red Team of ByteDance), an anonymous researcher, Riley Walz, Yiğit Ocak, Rosyna Keller(Totally Not Malicious Software), an anonymous researcher(Technische Hochschule Ingolstadt), Michael Schmutzer(Technische Hochschule Ingolstadt), Iván Savransky, Bing Shi(Alibaba Group), Wenchao Li(Alibaba Group), (Indiana University Bloomington), Luyi Xing(Indiana University Bloomington), Noah Gregory (wts.dev), Kirin@@Pwnrin, Johnny Franks (zeroxjf), jioundai, Anonymous(Trend Micro Zero Day Initiative), Yiğit Can YILMAZ@@yilmazcanyigit, Golden Helm Securities(Iru), Gergely Kalman@@gergely_kalman(Iru), Csaba Fitzl@@theevilbit(Iru), Asaf Cohen, George Karchemsky@@gkarchemsky(Trend Micro Zero Day Initiative), Jian Lee@@speedyfriend433, Xin'an Zhou, Juefei Pu, Zhutian Liu, Zhiyun Qian, Zhaowei Tan, Srikanth V. Krishnamurthy, Mathy Vanhoef, CVE-2025-59375, Gongyu Ma@@Mezone0, EntryHi, Wong Wee Xiang, Loh Boon Keat, Jacob Prezant (prezant.us), Nils Hanff @chaos.social)@@nils1729(Hasso Plattner Institute), Amy (amys.website), Atul Kishor Jaiswal, Gergely Kalman@@gergely_kalman, Keisuke Hosoda, Zhongcheng Li(IES Red Team), Richard Hyunho Im at Route Zero Security (routezero.security)@@richeeta, Ron Masas(BreakPoint), Rodolphe Brunetti@@eisw0lf(Lupus Nova), Dalibor Milanovic, Óscar García Pérez, Stanislav Jelezoglo, Viktor Lord Härringtón, Enis Maholli (enismaholli.com), LeminLimez, Nathaniel Oh@@calysteon, HanQing(TSDubhe), Tom Van Goethem, Wang Yu(Cyberserval), Mickey Jin@@patch1t, Ryan Dowd@@_rdowd, @@cloudlldb, Kirin@@Pwnrin(Fudan University), LFY@@secsys(Fudan University), Murray Mike, Chunyu Song(NorthSea), Michael DePlante@@izobashi(Trend Micro Zero Day Initiative), Pwn2car, Morris Richman@@morrisinlife, Vivek Dhar, ASI (RM) in Border Security Force, FTR HQ BSF Kashmir, CVE-2025-5918, Sumanth Rao(UC San Diego), Ye Shu(UC San Diego), Stefan Savage(UC San Diego), Aaron Schulman(UC San Diego), Geoffrey M. Voelker(UC San Diego), Enze Liu (Carnegie Mellon University), Andrei Simion, piffz, Daniel Nurkin, Al Sadman Awal, Mohamed Hamdadou & Mahran Alhazmi, Hichem Maloufi, Christian Mina, Gerson Aldaz, qwerty j0y & Ricardo Garcia, Dorian Del Valle, iG0x72(XiguaSec), JJ(XiguaSec), Lehan Dilusha Jayasinghe, Jex Amro, Ron Elemans, Kenneth Chew, Haoling Zhou(SecLab of The Ohio State University), Shixuan Zhao@@NSKernel(SecLab of The Ohio State University), Chao Wang@@evi0s(SecLab of The Ohio State University), Zhiqiang Lin(SecLab of The Ohio State University), Atul R V, Kay Belardinelli (Harvard University)
Affected Software
29 affected componentsFixes available
Google Chrome<143.0.7499.109
143.0.7499.109
Apple tvOS<26.2
26.2
Apple iOS<18.7.3
18.7.3
Apple iPadOS<18.7.3
18.7.3
Apple macOS Tahoe<26.2
26.2
Apple Safari<26.2
26.2
Apple iOS<26.2
26.2
Apple iPadOS<26.2
26.2
Apple WatchOS<26.2
26.2
Apple visionOS<26.2
26.2
Google Chromium
All of the following
Google Chrome>=143.0.7499.41<143.0.7499.110
Apple macOS
All of the following
Google Chrome>=143.0.7499.40<143.0.7499.109
Any of the following
Linux Linux kernel
Microsoft Windows
Google Chrome<=143.0.7499.40
Apple Safari<26.2
Apple iPadOS<18.7.3
Apple iPadOS>=26.0<26.2
Apple iPhone OS<18.7.3
Apple iPhone OS>=26.0<26.2
Apple macOS<26.2
Apple tvOS<26.2
Apple visionOS<26.2
Apple WatchOS<26.2
Microsoft Edge Chromium<143.0.3650.80
Microsoft Edge (Chromium-based)
Microsoft Edge<143.0.3650.80
Remediation
Information
Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Event History
Dec 5, 2025
CVE Published
12:00 AM
Known Exploited
12:00 AM
Data Sourced
12:00 AM
SeverityWeaknessAffected Software
Dec 12, 2025
Data Sourced
via CISA·12:00 AM
RemedyDescriptionAffected Software
Data Sourced
via Apple·12:00 AM
DescriptionWeaknessAffected Software
Updated
via Apple·12:00 AM
DescriptionWeakness
Updated
via Apple·12:00 AM
DescriptionWeaknessAffected Software
Updated
via Apple·12:00 AM
Affected Software
CVE Published
via MITRE·07:20 PM
Data Sourced
via MITRE·07:20 PM
DescriptionWeakness
Data Sourced
via NVD·08:15 PM
DescriptionSeverityWeaknessAffected Software
News Published
via BleepingComputer·11:23 PM
News Published
via BleepingComputer·11:24 PM
Dec 15, 2025
Data Sourced
via Microsoft·08:00 AM
DescriptionSeverityWeaknessAffected Software
Updated
via Microsoft·08:00 AM
DescriptionAffected Software
News Published
via The Register·11:01 AM
News Published
via The Register·11:05 AM
Dec 16, 2025
News Published
via ZDNet·06:15 PM
News Published
via ZDNet·06:23 PM
Dec 24, 2025
News Published
via ZDNet·01:37 PM
Feb 11, 2026
Updated
via Apple·12:00 AM
DescriptionWeaknessAffected Software
Feb 12, 2026
News Published
via BleepingComputer·01:06 AM
News Published
via The Register·02:01 PM
Mar 18, 2026
News Published
via BleepingComputer·02:02 PM
News Published
via The Register·09:39 PM
Mar 23, 2026
News Published
via BleepingComputer·08:37 AM
Apr 1, 2026
News Published
via BleepingComputer·09:50 PM
Parent advisories
This vulnerability appears in the following advisories.
Peer vulnerabilities
Found alongside the following vulnerabilities.
- CVE-2025-14372
- CVE-2025-14373
- CVE-2025-43526
- CVE-2024-8906
- CVE-2025-46282
- CVE-2025-43541
- CVE-2025-43536
- CVE-2025-43535
- CVE-2025-46298
- CVE-2025-43501
- CVE-2025-43531
- CVE-2025-14174
- CVE-2025-43529
- CVE-2025-46299
- CVE-2025-43511
- CVE-2025-43539
- CVE-2024-7264
- CVE-2025-9086
- CVE-2025-43532
- CVE-2025-46279
- CVE-2025-46285
- CVE-2025-43533
- CVE-2025-46300
- CVE-2025-46301
- CVE-2025-46302
- CVE-2025-46303
- CVE-2025-46304
- CVE-2025-46305
- CVE-2025-46288
- CVE-2025-46287
- CVE-2025-43542
- CVE-2025-46276
- CVE-2025-43428
- CVE-2025-43538
- CVE-2025-46290
- CVE-2025-43518
- CVE-2025-46277
- CVE-2026-20637
- CVE-2026-20650
- CVE-2026-20611
- CVE-2026-20609
- CVE-2026-20617
- CVE-2026-20627
- CVE-2026-20700
- CVE-2026-20649
- CVE-2026-20675
- CVE-2026-20634
- CVE-2026-20654
- CVE-2026-20671
- CVE-2025-59375
- CVE-2026-20667
- CVE-2026-20628
- CVE-2026-20641
- CVE-2026-20635
- CVE-2026-20645
- CVE-2026-20674
- CVE-2026-20638
- CVE-2026-20660
- CVE-2026-20686
- CVE-2026-20615
- CVE-2026-20668
- CVE-2026-20626
- CVE-2026-20663
- CVE-2026-20655
- CVE-2026-20677
- CVE-2026-20694
- CVE-2026-20642
- CVE-2026-20678
- CVE-2026-28855
- CVE-2026-20682
- CVE-2026-20653
- CVE-2026-20680
- CVE-2026-20606
- CVE-2026-20640
- CVE-2026-20661
- CVE-2026-20652
- CVE-2026-20608
- CVE-2026-20676
- CVE-2026-20644
- CVE-2026-20636
- CVE-2026-20621
- CVE-2026-20669
- CVE-2026-20670
- CVE-2026-20625
- CVE-2026-20624
- CVE-2026-20639
- CVE-2026-20681
- CVE-2026-20629
- CVE-2026-20601
- CVE-2026-20623
- CVE-2026-20620
- CVE-2026-20630
- CVE-2026-20673
- CVE-2026-20651
- CVE-2026-20616
- CVE-2026-20603
- CVE-2026-20666
- CVE-2026-20614
- CVE-2026-20656
- CVE-2026-20658
- CVE-2026-20610
- CVE-2026-20622
- CVE-2026-20648
- CVE-2026-20662
- CVE-2026-20647
- CVE-2026-20612
- CVE-2026-20699
- CVE-2026-20619
- CVE-2026-20618
- CVE-2026-20605
- CVE-2026-20646
- CVE-2026-20602
- CVE-2025-43512
- CVE-2025-5918
- CVE-2025-46311
- CVE-2025-43530
- CVE-2025-46292
- CVE-2025-46286
- CVE-2025-43537
- CVE-2025-43534
- CVE-2025-43475
- CVE-2025-43523
- CVE-2025-43519
- CVE-2025-43522
- CVE-2025-43521
- CVE-2025-46289
- CVE-2025-46297
- CVE-2025-43482
- CVE-2025-43517
- CVE-2025-46283
- CVE-2025-46281
- CVE-2025-43417
- CVE-2025-46278
- CVE-2025-43524
- CVE-2025-46291
- CVE-2025-43513
- CVE-2025-43509
- CVE-2025-43410
- CVE-2025-43514
- CVE-2025-43527
- CVE-2025-43416
- CVE-2025-43516
Frequently Asked Questions
1
What is the severity of CVE-2025-14174?
CVE-2025-14174 has been classified as a high severity vulnerability impacting multiple Apple platforms and Google Chrome.
2
How do I fix CVE-2025-14174?
To mitigate the CVE-2025-14174 vulnerability, update affected software to the latest version as recommended by the vendor.
3
What software is affected by CVE-2025-14174?
CVE-2025-14174 affects Google Chrome versions up to 143.0.7499.109 and various Apple products including iOS, macOS, and Safari up to version 26.2.
4
What types of issues does CVE-2025-14174 address?
CVE-2025-14174 addresses a permissions issue, bounds checks in AppleJPEG, and additional code-signing restrictions for Intel-based Mac computers.
5
Is there a specific version of software that resolves CVE-2025-14174?
Yes, users should update to Apple iOS 18.7.3, Apple iPadOS 18.7.3, Apple macOS Tahoe 26.2, and Google Chrome 143.0.7499.109 to resolve CVE-2025-14174.