Google Releases Critical Chrome Security Update to Address Three Zero-Days

Google has released patches for three new Chrome zero-day vulnerabilities, including a high-severity one for which an exploit exists in the wild.

The patches come in a Chrome security update issued on December 10.

In the advisory, the high-severity zero-day is referred to only by Google’s internal tracker ID, 466192044, with no CVE assigned at this stage.

Google did not give any further detail about the flaw, including its exact severity rating, description or the person or team that discovered it.

Instead, the status of the vulnerability is marked as “Under coordination.”

Additionally, the tech giant added a note saying that access to the details of a vulnerability “may be kept restricted until a majority of users are updated with a fix.”

“We will also retain restrictions if the bug exists in a third-party library that other projects similarly depend on, but haven’t yet fixed,” Google added.

This vulnerability is the eighth Chrome zero-day exploited in the wild in 2025.

The December 10 Chrome security advisory also includes patches for two vulnerabilities that Google rates at medium severity.

CVE-2025-14372 is described as a use-after-free in Chrome’s Password Manager and was reported to Google on November 14 by Weipeng Jiang (@Krace) of the Vulnerability Research Institute (VRI).

While Google gave this vulnerability a moderate severity rating, an entry on the Tenable vulnerability repository mentions a CVSS v3.0 score of 9.8, suggesting some may have given it a critical severity rating. The CVE.org entry for this vulnerability shows the CVE ID status as “reserved by a CVE Numbering Authority.”

CVE-2025-14373 is described as an inappropriate implementation in Chrome Toolbar and was reported to Google on November 18 by Khalil Zhani.
