Google has launched a security replace for Chrome to handle half a dozen vulnerabilities, considered one of them actively exploited by attackers to flee the browser’s sandbox safety.
The vulnerability is recognized as CVE-2025-6558 and acquired a high-severity score of 8.8. It was found by researchers at Google’s Menace Evaluation Group (TAG) on June 23.
The security difficulty is described as an inadequate validation of untrusted enter in ANGLE and GPU that impacts Google Chrome variations earlier than 138.0.7204.157. An attacker efficiently exploiting it may carry out a sandbox escape by utilizing a specifically crafted HTML web page.
ANGLE (Virtually Native Graphics Layer Engine) is an open-source graphics abstraction layer utilized by Chrome to translate OpenGL ES API calls to Direct3D, Steel, Vulkan, and OpenGL.
As a result of ANGLE processes GPU instructions from untrusted sources like web sites utilizing WebGL, bugs on this part can have a crucial security influence.
The vulnerability permits a distant attacker utilizing a specifically crafted HTML web page to execute arbitrary code throughout the browser’s GPU course of. Google has not supplied the technical particulars on how triggering the difficulty may result in escaping the browser’s sandbox.
“Entry to bug particulars and hyperlinks could also be stored restricted till a majority of customers are up to date with a repair,” states Google within the security bulletin.
“We may also retain restrictions if the bug exists in a third-party library that different tasks equally rely on, however haven’t but mounted.”
Chrome sandbox part is a core security mechanism that isolates browser processes from the underlying working system, thus stopping malware from spreading outdoors the online browser to compromise the system.
Given the excessive danger and lively exploitation standing of CVE-2025-6558, Chrome customers are suggested to replace as quickly as potential to model 138.0.7204.157/.158, relying on their working system.
You are able to do this by navigating to chrome://settings/assist and permitting the replace test to complete. Updates shall be utilized efficiently after restarting the online browser.
The present Chrome security replace comprises fixes for 5 extra vulnerabilities, together with a high-severity flaw within the V8 engine tracked as CVE-2025-7656, and a use-after-free difficulty in WebRTC tracked below CVE-2025-7657. None of those 5 have been highlighted as actively exploited.
CVE-2025-6558 is the fifth actively exploited flaw found and glued in Chrome browser for the reason that starting of the 12 months.
In March, Google patched a high-severity sandbox escape flaw, CVE-2025-2783, found by Kaspersky researchers. The vulnerability had been exploited in focused espionage assaults in opposition to Russian authorities businesses and media organizations, delivering malware.
Two months later, in Might, Google issued one other replace to repair CVE-2025-4664, a zero-day vulnerability in Chrome that allowed attackers to hijack consumer accounts.
In June, the corporate addressed yet one more extreme difficulty, CVE-2025-5419, an out-of-bounds learn/write vulnerability in Chrome’s V8 JavaScript engine, reported by Google TAG’s Benoît Sevens and Clément Lecigne.
Earlier this month, Google mounted the fourth zero-day flaw in Chrome, CVE-2025-6554, additionally within the V8 engine, that was found by GTAG researchers.
Whereas cloud assaults could also be rising extra subtle, attackers nonetheless succeed with surprisingly easy methods.
Drawing from Wiz’s detections throughout 1000’s of organizations, this report reveals 8 key methods utilized by cloud-fluent risk actors.
