Google has launched a safety replace for Chrome to deal with half a dozen vulnerabilities, considered one of them actively exploited by attackers to flee the browser’s sandbox safety.
The vulnerability is recognized as CVE-2025-6558 and acquired a high-severity score of 8.8. It was found by researchers at Google’s Risk Evaluation Group (TAG) on June 23.
The safety situation is described as an inadequate validation of untrusted enter in ANGLE and GPU that impacts Google Chrome variations earlier than 138.0.7204.157. An attacker efficiently exploiting it might carry out a sandbox escape through the use of a specifically crafted HTML web page.
ANGLE (Virtually Native Graphics Layer Engine) is an open-source graphics abstraction layer utilized by Chrome to translate OpenGL ES API calls to Direct3D, Metallic, Vulkan, and OpenGL.
As a result of ANGLE processes GPU instructions from untrusted sources like web sites utilizing WebGL, bugs on this part can have a important safety impression.
The vulnerability permits a distant attacker utilizing a specifically crafted HTML web page to execute arbitrary code throughout the browser’s GPU course of. Google has not supplied the technical particulars on how triggering the problem might result in escaping the browser’s sandbox.
“Entry to bug particulars and hyperlinks could also be saved restricted till a majority of customers are up to date with a repair,” states Google within the safety bulletin.
“We can even retain restrictions if the bug exists in a third-party library that different initiatives equally rely upon, however haven’t but mounted.”
Chrome sandbox part is a core safety mechanism that isolates browser processes from the underlying working system, thus stopping malware from spreading exterior the net browser to compromise the gadget.
Given the excessive threat and lively exploitation standing of CVE-2025-6558, Chrome customers are suggested to replace as quickly as potential to model 138.0.7204.157/.158, relying on their working system.
You are able to do this by navigating to chrome://settings/assist and permitting the replace examine to complete. Updates might be utilized efficiently after restarting the net browser.
The present Chrome safety replace incorporates fixes for 5 extra vulnerabilities, together with a high-severity flaw within the V8 engine tracked as CVE-2025-7656, and a use-after-free situation in WebRTC tracked underneath CVE-2025-7657. None of those 5 had been highlighted as actively exploited.
CVE-2025-6558 is the fifth actively exploited flaw found and stuck in Chrome browser for the reason that starting of the 12 months.
In March, Google patched a high-severity sandbox escape flaw, CVE-2025-2783, found by Kaspersky researchers. The vulnerability had been exploited in focused espionage assaults in opposition to Russian authorities businesses and media organizations, delivering malware.
Two months later, in Could, Google issued one other replace to repair CVE-2025-4664, a zero-day vulnerability in Chrome that allowed attackers to hijack consumer accounts.
In June, the corporate addressed yet one more extreme situation, CVE-2025-5419, an out-of-bounds learn/write vulnerability in Chrome’s V8 JavaScript engine, reported by Google TAG’s Benoît Sevens and Clément Lecigne.
Earlier this month, Google mounted the fourth zero-day flaw in Chrome, CVE-2025-6554, additionally within the V8 engine, that was found by GTAG researchers.
Whereas cloud assaults could also be rising extra refined, attackers nonetheless succeed with surprisingly easy strategies.
Drawing from Wiz’s detections throughout 1000’s of organizations, this report reveals 8 key strategies utilized by cloud-fluent risk actors.
