Impact of CVE-2025-14174 on CA PAM

Article ID: 423223


Updated On:

Products

CA Privileged Access Manager (PAM)

Issue/Introduction

CVE-2025-14174: Out-of-bounds memory access in ANGLE in Google Chrome on Mac prior to 143.0.7499.110 allowed a remote attacker to perform out-of-bounds memory access via a crafted HTML page. What is the impact of this CVE on CA PAM?

Environment

All supported versions of CA PAM

Cause

The Symantec PAM client uses JxBrowser (which is built on Chromium) to render web sessions. CVE-2025-14174 was identified in the ANGLE graphics layer used by Chromium-based applications. The vulnerability is platform-specific and affects only users running the client on macOS.

PAM users on Windows or Linux are not at risk, even when their client ships a JxBrowser/Chromium build that still contains the affected code.

The vulnerability resides in a component called ANGLE (Almost Native Graphics Layer Engine). ANGLE translates the browser's graphics calls (WebGL and OpenGL ES) into the native graphics API of the platform the client is running on:

  • On macOS, ANGLE translates these calls to Metal (Apple’s proprietary graphics API).
     
  • On Windows, ANGLE translates them to Direct3D (D3D11 or D3D9).
     
  • On Linux, ANGLE typically uses Vulkan or OpenGL.
     

Because the out-of-bounds memory access is located in the Metal-specific code paths, it cannot be triggered on Windows or Linux: those code paths are never executed on those platforms.

Additionally, exploitation requires the end user to render attacker-controlled HTML. The PAM client is not a general-purpose browser; it typically reaches only PAM servers and a curated list of approved external sites via the web portal access method, so the real-world risk to customers is significantly lower than for a general-purpose browser such as Chrome or Safari. That allow-list is a mitigating control rather than a guarantee: an approved site that serves attacker-influenced content (for example through a cross-site scripting flaw or a compromised third-party resource) can still deliver a crafted page, so macOS clients should still receive the hotfix below.

Resolution

Urgent Security Advisory and Remediation for PAM Users: Addressing CVE-2025-14174

This advisory details the necessary steps to mitigate a critical security vulnerability, CVE-2025-14174, related to the embedded Chromium component within JxBrowser, specifically impacting users on macOS.

The Vulnerability and Initial Mitigation

A hotfix has been released that updates the Chromium code embedded in JxBrowser to address this vulnerability for users operating on macOS.

Note that a macOS operating system update does not replace the Chromium build embedded in JxBrowser, so the PAM hotfix is required regardless of the OS patch level. Apple's own security updates still matter for the overall security of the endpoint (Safari, WebKit and the Metal framework are updated through them), and it is strongly recommended that all organizations run the standard software update process on their macOS devices as soon as possible in addition to applying the hotfix.

Action Required for CA PAM Customers

The vulnerability has been identified in older versions of the embedded Chromium component present in several versions of CA PAM. PAM versions 4.2.0, 4.2.1, 4.2.2, and 4.2.3 contain an older version of Chromium for which no direct hotfix for CVE-2025-14174 is provided; these baselines cannot be fixed with a simple patch.

To resolve this critical vulnerability, customers running these older versions must take the following action:

  1. Upgrade the Base PAM Version: Customers must first upgrade their CA PAM environment to a supported version that is capable of accepting the necessary security hotfix. The recommended upgrade paths are to either PAM version 4.2.4 or PAM version 4.3.
  2. Apply the Specific Hotfix: Once the base PAM version is upgraded, the corresponding security hotfix must be applied to introduce the patched Chromium code and fully mitigate the vulnerability.

Required Hotfix Patches by Version

Target CA PAM Version | Required Hotfix Patch | Description
----------------------|-----------------------|-----------------------------------------------------------------------
CA PAM version 4.2.4  | 4.2.4.01              | Applies the necessary Chromium security updates to the PAM 4.2.4 baseline.
CA PAM version 4.3    | 4.3.0.02              | Applies the necessary Chromium security updates to the PAM 4.3 baseline.
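The following triage script is an added example, not Broadcom/Symantec code, that encodes the rules above for a client inventory: only macOS clients are in scope, 4.2.0 through 4.2.3 must upgrade to 4.2.4 or 4.3 before a hotfix can be applied, 4.2.4 needs 4.2.4.01 and 4.3 needs 4.3.0.02. The inventory record layout, the assumption that later hotfixes on the same baseline are cumulative, and the handling of versions outside the advisory's range are assumptions made for the example.

```python
"""Fleet triage for CVE-2025-14174 exposure across CA PAM clients.

Added example; not Broadcom/Symantec code. Encodes the advisory's rules:
only macOS clients are exposed (the bug is in ANGLE's Metal backend);
PAM 4.2.0-4.2.3 must first upgrade to 4.2.4 or 4.3; 4.2.4 needs hotfix
4.2.4.01; 4.3 needs hotfix 4.3.0.02. Inventory layout is an assumption.
"""
from typing import Dict, List, Tuple

# Hotfix levels from the advisory table, as comparable version tuples.
HOTFIX_424 = (4, 2, 4, 1)   # "4.2.4.01"
HOTFIX_430 = (4, 3, 0, 2)   # "4.3.0.02"

NOT_AFFECTED = "NOT_AFFECTED"
UPGRADE_THEN_HOTFIX = "UPGRADE_THEN_HOTFIX"
APPLY_HOTFIX = "APPLY_HOTFIX"
PATCHED = "PATCHED"
REVIEW = "REVIEW"


def parse_version(version: str) -> Tuple[int, int, int, int]:
    """Normalise '4.3' or '4.2.4.01' to a 4-tuple so versions compare correctly.

    int() drops the zero padding of hotfix numbers, so '4.2.4.01' sorts after
    '4.2.4' (which pads to (4, 2, 4, 0)).
    """
    parts = [int(p) for p in version.strip().split(".")]
    if not 2 <= len(parts) <= 4:
        raise ValueError(f"unexpected PAM version string: {version!r}")
    parts += [0] * (4 - len(parts))
    return (parts[0], parts[1], parts[2], parts[3])


def is_macos(os_name: str) -> bool:
    """Accept the common spellings an inventory tool might report."""
    name = os_name.strip().lower().replace(" ", "")
    return name.startswith("mac") or name == "darwin"


def required_action(os_name: str, version: str) -> Tuple[str, str]:
    """Return (status, action) for one client according to the advisory."""
    if not is_macos(os_name):
        # Windows (Direct3D) and Linux (Vulkan/OpenGL) never run the Metal
        # code path that contains the out-of-bounds access.
        return NOT_AFFECTED, "no action for this CVE (non-macOS client)"

    v = parse_version(version)
    if (4, 2, 0, 0) <= v < (4, 2, 4, 0):
        return UPGRADE_THEN_HOTFIX, (
            "upgrade to PAM 4.2.4 or 4.3, then apply hotfix 4.2.4.01 or 4.3.0.02")
    if (4, 2, 4, 0) <= v < (4, 3, 0, 0):
        if v >= HOTFIX_424:   # assumption: later 4.2.4.xx hotfixes are cumulative
            return PATCHED, "hotfix 4.2.4.01 or later already applied"
        return APPLY_HOTFIX, "apply hotfix 4.2.4.01 to the 4.2.4 baseline"
    if (4, 3, 0, 0) <= v < (4, 4, 0, 0):
        if v >= HOTFIX_430:   # same cumulative-hotfix assumption for 4.3.0.xx
            return PATCHED, "hotfix 4.3.0.02 or later already applied"
        return APPLY_HOTFIX, "apply hotfix 4.3.0.02 to the 4.3 baseline"
    # Versions older than 4.2.0 or newer than 4.3.x are not covered by the
    # advisory text; flag them for manual review instead of guessing.
    return REVIEW, f"version {version} not covered by the advisory; check release notes"


def triage(inventory: List[Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """Map each inventory record to (hostname, status, action)."""
    results = []
    for rec in inventory:
        status, action = required_action(rec["os"], rec["pam_version"])
        results.append((rec["hostname"], status, action))
    return results


# Constructed sample inventory (fictional hosts) that exercises every branch.
SAMPLE_INVENTORY = [
    {"hostname": "mac-ops-01", "os": "macOS", "pam_version": "4.2.2"},
    {"hostname": "mac-ops-02", "os": "Darwin", "pam_version": "4.2.4"},
    {"hostname": "mac-ops-03", "os": "macOS", "pam_version": "4.2.4.01"},
    {"hostname": "mac-ops-04", "os": "macOS", "pam_version": "4.3"},
    {"hostname": "mac-ops-05", "os": "macOS", "pam_version": "4.3.0.02"},
    {"hostname": "win-ops-01", "os": "Windows", "pam_version": "4.2.0"},
    {"hostname": "lnx-ops-01", "os": "Linux", "pam_version": "4.2.3"},
]

if __name__ == "__main__":
    for host, status, action in triage(SAMPLE_INVENTORY):
        print(f"{host:12} {status:20} {action}")
```

Feed it your real inventory export instead of SAMPLE_INVENTORY; the point of the version tuple comparison is that a client reporting "4.2.4" and one reporting "4.2.4.01" land in different buckets, which a plain string compare gets wrong.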

In summary, all PAM customers should review their current version immediately and follow the upgrade and hotfix application process outlined above to ensure continuous security and compliance.