Google on Tuesday rolled out fixes for six safety points in its Chrome internet browser, together with one which it mentioned has been exploited within the wild.
The high-severity vulnerability in query is CVE-2025-6558 (CVSS rating: 8.8), which has been described as an incorrect validation of untrusted enter within the browser’s ANGLE and GPU elements.
“Inadequate validation of untrusted enter in ANGLE and GPU in Google Chrome previous to 138.0.7204.157 allowed a distant attacker to doubtlessly carry out a sandbox escape through a crafted HTML web page,” based on the description of the flaw from the NIST’s Nationwide Vulnerability Database (NVD).
ANGLE, quick for “Nearly Native Graphics Layer Engine,” acts as a translation layer between Chrome’s rendering engine and device-specific graphics drivers. Vulnerabilities within the module can let attackers escape Chrome’s sandbox by abusing low-level GPU operations that browsers normally hold remoted, making this a uncommon however highly effective path to deeper system entry.
For many customers, a sandbox escape like which means visiting a malicious web site is enough to doubtlessly get away of the browser’s safety bubble and work together with the underlying system. That is particularly important in focused assaults the place simply opening a webpage might set off a silent compromise with out requiring any obtain or click on.
Clément Lecigne and Vlad Stolyarov of Google’s Risk Evaluation Group (TAG) have been credited with discovering and reporting the zero-day vulnerability on June 23, 2025.
The precise nature of the assaults weaponizing the flaw has not been disclosed, however Google acknowledged that an “exploit for CVE-2025-6558 exists within the wild.” That mentioned, the invention by TAG alludes to the opportunity of nation-state involvement.
The event comes about two weeks after Google addressed one other actively exploited Chrome zero-day (CVE-2025-6554, CVSS rating: 8.1), which was additionally reported by Lecigne on June 25, 2025.
Google has resolved a complete of 5 zero-day vulnerabilities in Chrome which have been both actively exploited or demonstrated as a proof-of-concept (PoC) for the reason that begin of the yr. This consists of: CVE-2025-2783, CVE-2025-4664, CVE-2025-5419, and CVE-2025-6554.
To safeguard in opposition to potential threats, it is suggested to replace their Chrome browser to variations 138.0.7204.157/.158 for Home windows and Apple macOS, and 138.0.7204.157 for Linux. To ensure the most recent updates are put in, customers can navigate to Extra > Assist > About Google Chrome, and choose Relaunch.
Customers of different Chromium-based browsers akin to Microsoft Edge, Courageous, Opera, and Vivaldi are additionally suggested to use the fixes as and once they develop into out there.
Points like this usually fall beneath broader classes like GPU sandbox escapes, shader-related bugs, or WebGL vulnerabilities. Whereas not at all times headline-grabbing, they have an inclination to resurface in chained exploits or focused assaults. In case you comply with Chrome safety updates, it is value preserving an eye fixed out for graphics driver flaws, privilege boundary bypasses, and reminiscence corruption in rendering paths, as they usually level to the subsequent spherical of patch-worthy bugs.
