Jul 16, 2025Ravie LakshmananBrowser Safety / Zero-Day
Google on Tuesday rolled out fixes for six safety points in its Chrome net browser, together with one which it stated has been exploited within the wild.
The high-severity vulnerability in query is CVE-2025-6558 (CVSS rating: 8.8), which has been described as an incorrect validation of untrusted enter within the browser’s ANGLE and GPU parts.
“Inadequate validation of untrusted enter in ANGLE and GPU in Google Chrome previous to 138.0.7204.157 allowed a distant attacker to probably carry out a sandbox escape by way of a crafted HTML web page,” based on the outline of the flaw from the NIST’s Nationwide Vulnerability Database (NVD).
ANGLE, brief for “Nearly Native Graphics Layer Engine,” acts as a translation layer between Chrome’s rendering engine and device-specific graphics drivers. Vulnerabilities within the module can let attackers escape Chrome’s sandbox by abusing low-level GPU operations that browsers normally maintain remoted, making this a uncommon however highly effective path to deeper system entry.
For many customers, a sandbox escape like because of this visiting a malicious website is enough to probably escape of the browser’s safety bubble and work together with the underlying system. That is particularly essential in focused assaults the place simply opening a webpage may set off a silent compromise with out requiring any obtain or click on.
Clément Lecigne and Vlad Stolyarov of Google’s Risk Evaluation Group (TAG) have been credited with discovering and reporting the zero-day vulnerability on June 23, 2025.
The precise nature of the assaults weaponizing the flaw has not been disclosed, however Google acknowledged that an “exploit for CVE-2025-6558 exists within the wild.” That stated, the invention by TAG alludes to the opportunity of nation-state involvement.
The event comes about two weeks after Google addressed one other actively exploited Chrome zero-day (CVE-2025-6554, CVSS rating: 8.1), which was additionally reported by Lecigne on June 25, 2025.
Google has resolved a complete of 5 zero-day vulnerabilities in Chrome which were both actively exploited or demonstrated as a proof-of-concept (PoC) because the begin of the yr. This contains: CVE-2025-2783, CVE-2025-4664, CVE-2025-5419, and CVE-2025-6554.
To safeguard towards potential threats, it is suggested to replace their Chrome browser to variations 138.0.7204.157/.158 for Home windows and Apple macOS, and 138.0.7204.157 for Linux. To verify the most recent updates are put in, customers can navigate to Extra > Assist > About Google Chrome, and choose Relaunch.
Customers of different Chromium-based browsers resembling Microsoft Edge, Courageous, Opera, and Vivaldi are additionally suggested to use the fixes as and after they turn out to be obtainable.Points like this usually fall below broader classes like GPU sandbox escapes, shader-related bugs, or WebGL vulnerabilities. Whereas not at all times headline-grabbing, they have a tendency to resurface in chained exploits or focused assaults. When you comply with Chrome safety updates, it is price preserving a watch out for graphics driver flaws, privilege boundary bypasses, and reminiscence corruption in rendering paths, as they usually level to the following spherical of patch-worthy bugs.
Discovered this text attention-grabbing? Comply with us on Twitter and LinkedIn to learn extra unique content material we submit.
