Google has launched a safety replace for Chrome to handle half a dozen vulnerabilities, one in all them actively exploited by attackers to flee the browser’s sandbox safety.
The vulnerability is recognized as CVE-2025-6558 and acquired a high-severity score of 8.8. It was found by researchers at Google’s Risk Evaluation Group (TAG) on June 23.
The safety situation is described as an inadequate validation of untrusted enter in ANGLE and GPU that impacts Google Chrome variations earlier than 138.0.7204.157. An attacker efficiently exploiting it might carry out a sandbox escape by utilizing a specifically crafted HTML web page.
ANGLE (Virtually Native Graphics Layer Engine) is an open-source graphics abstraction layer utilized by Chrome to translate OpenGL ES API calls to Direct3D, Metallic, Vulkan, and OpenGL.
As a result of ANGLE processes GPU instructions from untrusted sources like web sites utilizing WebGL, bugs on this part can have a essential safety influence.
The vulnerability permits a distant attacker utilizing a specifically crafted HTML web page to execute arbitrary code throughout the browser’s GPU course of. Google has not supplied the technical particulars on how triggering the problem might result in escaping the browser’s sandbox.
“Entry to bug particulars and hyperlinks could also be stored restricted till a majority of customers are up to date with a repair,” states Google within the safety bulletin.
“We can even retain restrictions if the bug exists in a third-party library that different tasks equally rely upon, however haven’t but fastened.”
Chrome sandbox part is a core safety mechanism that isolates browser processes from the underlying working system, thus stopping malware from spreading outdoors the online browser to compromise the system.
Given the excessive threat and energetic exploitation standing of CVE-2025-6558, Chrome customers are suggested to replace as quickly as doable to model 138.0.7204.157/.158, relying on their working system.
You are able to do this by navigating to chrome://settings/assist and permitting the replace test to complete. Updates will probably be utilized efficiently after restarting the online browser.
The present Chrome safety replace incorporates fixes for 5 extra vulnerabilities, together with a high-severity flaw within the V8 engine tracked as CVE-2025-7656, and a use-after-free situation in WebRTC tracked beneath CVE-2025-7657. None of those 5 had been highlighted as actively exploited.
CVE-2025-6558 is the fifth actively exploited flaw found and glued in Chrome browser for the reason that starting of the yr.
In March, Google patched a high-severity sandbox escape flaw, CVE-2025-2783, found by Kaspersky researchers. The vulnerability had been exploited in focused espionage assaults towards Russian authorities companies and media organizations, delivering malware.
Two months later, in Might, Google issued one other replace to repair CVE-2025-4664, a zero-day vulnerability in Chrome that allowed attackers to hijack person accounts.
In June, the corporate addressed yet one more extreme situation, CVE-2025-5419, an out-of-bounds learn/write vulnerability in Chrome’s V8 JavaScript engine, reported by Google TAG’s Benoît Sevens and Clément Lecigne.
Earlier this month, Google fastened the fourth zero-day flaw in Chrome, CVE-2025-6554, additionally within the V8 engine, that was found by GTAG researchers.
Whereas cloud assaults could also be rising extra refined, attackers nonetheless succeed with surprisingly easy methods.
Drawing from Wiz’s detections throughout hundreds of organizations, this report reveals 8 key methods utilized by cloud-fluent risk actors.
