Overview
Google has released a security update for Chrome, fixing a critical vulnerability in the ANGLE graphics library. CVE-2025-9478 (CVSS 9.8) is a use-after-free flaw that could allow remote code execution if a user visits a specially crafted web page.
The issue was discovered by Google’s AI security tool Big Sleep and confirmed by human researchers. ANGLE, which translates OpenGL ES calls to hardware APIs, is widely used in GPU-accelerated features like WebGL and Canvas. Improper memory handling could lead to memory corruption or execution of malicious code.
Chrome Stable version 139.0.7258.154/155 for Windows, macOS, and Linux addresses the vulnerability. While no exploitation has been observed in the wild, users should update immediately. Other Chromium-based browsers such as Edge, Brave, and Vivaldi are expected to release similar updates.
WhatsApp has released updates to fix CVE-2025-55177, a security flaw in its iOS and Mac apps that may have been used in real-world attacks alongside a recent Apple zero-day (CVE-2025-43300).
The vulnerability stems from WhatsApp not fully checking permissions for messages sent to linked devices. This could let an attacker cause the target device to automatically process content from a web link.
Affected versions:
- WhatsApp for iOS before 2.25.21.73 (fixed July 28, 2025)
- WhatsApp Business for iOS 2.25.21.78 (fixed August 4, 2025)
- WhatsApp for Mac 2.25.21.78 (fixed August 4, 2025)
This flaw may have been combined with Apple’s CVE-2025-43300 bug, which involves a dangerous image-processing error, to create ‘zero-click’ attacks, meaning the target does not need to click anything to be affected. Early reports suggest both iPhone and Android users, including journalists and human rights defenders, were targeted.
WhatsApp has alerted users who might have been affected and recommends updating the app and operating system, and performing a full device reset if targeted. The attackers behind these attacks are not yet known.
WinRAR has released version 7.13 Final (July 30, 2025; notes updated August 12, 2025) to address a critical directory traversal vulnerability (CVE-2025-8088) affecting Windows builds of WinRAR, UnRAR, and related components.
The flaw allows specially crafted archive files to bypass the chosen extraction path and write files to unintended locations on the system, creating opportunities for attackers to place malicious files where users would not expect them. This issue is separate from the vulnerability patched in version 7.12 and requires urgent action.
Affected components:
- WinRAR (Windows)
- RAR and UnRAR (Windows)
- UnRAR.dll and portable UnRAR (Windows)
Linux/Unix builds and RAR for Android are not affected. The issue was reported by researchers at ESET, who also documented its use in targeted attacks against companies in Europe and Canada. Alongside this fix, WinRAR 7.13 also resolves several bugs from version 7.12, including issues with importing settings and recovery sizes in compression profiles.
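A pre-extraction check for the directory traversal described above, as an added example (not code from RARLAB, ESET or the original advisory): it applies Windows path rules to each stored entry name and reports the ones that would land outside the chosen folder. The function names, destination folder and entry names are constructed for illustration.

```python
import ntpath
from pathlib import PureWindowsPath

def entry_escapes(dest: str, entry: str) -> bool:
    """True if extracting `entry` under `dest` would write outside `dest` on Windows."""
    # Archives may store either separator; Windows treats both as separators.
    name = entry.replace("/", "\\")
    parsed = PureWindowsPath(name)
    # Drive-letter, UNC and rooted names ignore the chosen folder entirely.
    if parsed.drive or parsed.root:
        return True
    # ':' is not valid inside an ordinary Windows file name, so reject it outright.
    if ":" in name:
        return True
    # Collapse '..' segments, then compare case-insensitively as Windows does.
    base = ntpath.normcase(ntpath.normpath(dest)).rstrip("\\")
    target = ntpath.normcase(ntpath.normpath(ntpath.join(dest, name)))
    return not (target == base or target.startswith(base + "\\"))

def audit(dest: str, entries: list[str]) -> list[str]:
    """Return the entry names that must not be extracted into `dest`."""
    return [e for e in entries if entry_escapes(dest, e)]

# Constructed sample data, not taken from any real archive.
DEST = r"C:\Users\alice\Downloads\invoice"
SAMPLE = [
    "invoice.pdf",
    "attachments/scan01.png",
    r"attachments\..\notes.txt",      # stays inside after normalisation
    r"..\..\Documents\setup.cmd",     # climbs out of the chosen folder
    "docs/../../invoice_old/a.txt",   # sibling folder sharing a name prefix
    r"C:\ProgramData\tool.exe",       # absolute path
    r"\\fileserver\share\tool.exe",   # UNC path
    "report.txt:extra",               # colon in name
]

if __name__ == "__main__":
    for bad in audit(DEST, SAMPLE):
        print("blocked:", bad)
```

A check like this complements updating to WinRAR 7.13; it does not replace the update.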
Recommended Action
Organisations are encouraged to review the appropriate security advisory pages and apply the updates:
- Google Chrome – Chrome Releases
- WhatsApp – CVE-2025-55177 Detail
- WinRAR – RARLAB Release Notes
If you have any concerns, or have been affected by a cyber-related issue, report it to us by submitting a Cyber Concerns Online Reporting Form.