Google Releases Critical Chrome Update for CVE-2025-6558 Exploit Active in the Wild

Google on Tuesday rolled out fixes for six security issues in its Chrome web browser, including one that it said has been exploited in the wild.

The high-severity vulnerability in question is CVE-2025-6558 (CVSS score: 8.8), which has been described as an incorrect validation of untrusted input in the browser’s ANGLE and GPU components.

“Insufficient validation of untrusted input in ANGLE and GPU in Google Chrome prior to 138.0.7204.157 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page,” according to the description of the flaw from the NIST’s National Vulnerability Database (NVD).

ANGLE, short for “Almost Native Graphics Layer Engine,” acts as a translation layer between Chrome’s rendering engine and device-specific graphics drivers. Vulnerabilities in the module can let attackers escape Chrome’s sandbox by abusing low-level GPU operations that browsers usually keep isolated, making this a rare but powerful path to deeper system access.

For most users, a sandbox escape like this means that visiting a malicious site is enough to potentially break out of the browser’s security bubble and interact with the underlying system. This is especially critical in targeted attacks where just opening a webpage could trigger a silent compromise without requiring any download or click.

Clément Lecigne and Vlad Stolyarov of Google’s Threat Analysis Group (TAG) have been credited with discovering and reporting the zero-day vulnerability on June 23, 2025.

The exact nature of the attacks weaponizing the flaw has not been disclosed, but Google acknowledged that an “exploit for CVE-2025-6558 exists in the wild.” That said, the discovery by TAG alludes to the possibility of nation-state involvement.

The development comes about two weeks after Google addressed another actively exploited Chrome zero-day (CVE-2025-6554, CVSS score: 8.1), which was also reported by Lecigne on June 25, 2025.

Google has resolved a total of five zero-day vulnerabilities in Chrome that have been either actively exploited or demonstrated as a proof-of-concept (PoC) since the start of the year. This includes: CVE-2025-2783, CVE-2025-4664, CVE-2025-5419, and CVE-2025-6554.

To safeguard against potential threats, users are advised to update their Chrome browser to versions 138.0.7204.157/.158 for Windows and Apple macOS, and 138.0.7204.157 for Linux. To make sure the latest updates are installed, users can navigate to More > Help > About Google Chrome, and select Relaunch.
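For teams checking more than one machine, the sketch below flags hosts whose reported Chrome build is older than the fixed version given above. It is an added example, not code from Google or the article; the hostnames and inventory rows are constructed, and it assumes each host reports a string shaped like the output of the browser's `--version` switch.

```python
import re

# Minimum fixed build named in the article for Windows, macOS and Linux.
FIXED = (138, 0, 7204, 157)

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Return the first four-part version found in text as ints, or None."""
    match = _VERSION_RE.search(text or "")
    return tuple(int(part) for part in match.groups()) if match else None


def status(version_text):
    """Classify a reported version as 'patched', 'vulnerable' or 'unknown'."""
    version = parse_version(version_text)
    if version is None:
        return "unknown"  # missing or malformed data needs manual follow-up
    # Tuples compare numerically per component. A plain string comparison
    # would wrongly rank "138.0.7204.99" above "138.0.7204.157".
    return "patched" if version >= FIXED else "vulnerable"


def audit(inventory):
    """Return {host: status} for every host not confirmed as patched."""
    findings = {}
    for host, version_text in inventory:
        result = status(version_text)
        if result != "patched":
            findings[host] = result
    return findings


# Constructed sample inventory: (hostname, reported version string).
SAMPLE = [
    ("win-01", "Google Chrome 138.0.7204.158"),
    ("mac-02", "Google Chrome 138.0.7204.101"),
    ("lin-03", "Google Chrome 138.0.7204.99 "),
    ("lin-04", "Google Chrome 139.0.1000.1"),  # constructed later build
    ("win-05", ""),                             # agent returned nothing
]

if __name__ == "__main__":
    for host, result in audit(SAMPLE).items():
        print(f"{host}: {result}")
```

The threshold applies to Google Chrome only; other Chromium-based browsers use their own version numbers and need their vendors' fixed builds.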

Users of other Chromium-based browsers such as Microsoft Edge, Brave, Opera, and Vivaldi are also advised to apply the fixes as and when they become available.

Issues like this often fall under broader categories like GPU sandbox escapes, shader-related bugs, or WebGL vulnerabilities. While not always headline-grabbing, they tend to resurface in chained exploits or targeted attacks. If you follow Chrome security updates, it's worth keeping an eye out for graphics driver flaws, privilege boundary bypasses, and memory corruption in rendering paths, as they often point to the next round of patch-worthy bugs.