Google Patches Mysterious Chrome 0-Day That Doesn't Even Have a CVE

Google developers have released emergency patches for the Chrome browser, fixing another zero-day vulnerability already being actively exploited by attackers. This marks the eighth such issue since the beginning of the year—but this time, virtually no details are known.

The company has released fixes for Chrome on Windows (version 143.0.7499.109), macOS (143.0.7499.110), and Linux (143.0.7499.109). The updates should already be available to all users, although Google warns that full deployment of the patches may take several days.

Interestingly, the new zero-day currently does not even have a CVE identifier. Google is tracking the vulnerability with an internal identifier (466192044) and has marked the bug as "under coordination," meaning developers are coordinating the disclosure of information with someone else. It is not yet known who discovered the problem, when it was found, or which browser component it affects. The only confirmed detail is that the severity of the vulnerability is rated as high.

Cybersecurity experts believe it is most likely a type confusion or use-after-free issue, which could affect the V8 engine or related components. Such vulnerabilities are often used for sandbox escapes or arbitrary code execution.

Per data from the Chromium bug tracker, the issue affects the LibANGLE library—Google's open-source layer that translates OpenGL ES calls to other graphics APIs (Direct3D, Vulkan, Metal). The report mentions a buffer overflow in the Metal renderer due to incorrect handling of buffer sizes, leading to memory corruption, data leaks, and potential code execution.

Since the beginning of 2025, Google has already patched seven zero-days in Chrome, and this "nameless" issue is the eighth. For comparison, in 2024 Google fixed ten zero-days in its browser, some of which were demonstrated at Pwn2Own competitions, while others were also exploited in real-world attacks.