Date Issued: July 16, 2025
Severity: High (CVSS 8.8)
Affected Software: Google Chrome (prior to version 138.0.7204.157)
Exploitation Status: Exploited in the wild
Google has released an urgent security update addressing six vulnerabilities in the Chrome browser, including a high-severity zero-day vulnerability (CVE-2025-6558) that is actively being exploited in the wild.
This flaw stems from insufficient validation of untrusted input in Chrome’s ANGLE and GPU components, potentially allowing a remote attacker to escape the browser sandbox via a specially crafted HTML page.
Technical Details
- Vulnerability ID: CVE-2025-6558
- Component: ANGLE (Almost Native Graphics Layer Engine) / GPU
- Impact: Sandbox escape
- CVSS Score: 8.8 (High)
- Attack Vector: Remote (via malicious web content)
- Risk: Allows attackers to break out of Chrome’s security sandbox and potentially interact with the underlying system.
ANGLE acts as a bridge between Chrome’s rendering engine and device-specific graphics drivers. Exploiting flaws in this layer can enable attackers to bypass GPU-level isolation, a rare but powerful method for deeper system compromise.
Threat Landscape
- Exploitation: Confirmed in the wild
- Attack Scenario: A user visiting a malicious website could unknowingly trigger the exploit, leading to a silent compromise.
- Attribution: While not confirmed, the involvement of Google TAG suggests potential nation-state targeting.
Mitigation & Recommendations
Update Immediately:
- Windows/macOS: Update to Chrome version 138.0.7204.157 or .158
- Linux: Update to version 138.0.7204.157
To update:
1. Open Chrome
2. Go to Menu > Help > About Google Chrome
3. Chrome will auto-check for updates and prompt a Relaunch
For Enterprise and IT Administrators:
- Push Chrome updates organization-wide via group policy or software management tools
- Monitor for unusual GPU-related or browser sandbox activity in endpoint logs
- Check for updates to other Chromium-based browsers (Edge, Brave, Vivaldi, etc.)
- Conduct awareness training on watering-hole and drive-by download threats
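For the organization-wide update step above, an added example (not from the advisory or from Google): a small Python triage script that flags Chrome builds older than the fixed version, assuming an inventory export with one `host,<output of chrome --version>` line per endpoint and using a constructed sample inventory.

```python
# Added fleet check for CVE-2025-6558 (not Google's tooling): flag Chrome
# builds older than the minimum fixed version named in the advisory.
import re
from typing import List, Optional, Tuple

# 138.0.7204.157 is the lowest patched build on Windows, macOS and Linux;
# .158 (Windows/macOS) is also patched and compares greater.
FIXED_BUILD = (138, 0, 7204, 157)
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Optional[Tuple[int, ...]]:
    """Pull the four-part build out of text such as 'Google Chrome 138.0.7204.157'."""
    m = VERSION_RE.search(text)
    return tuple(int(p) for p in m.groups()) if m else None


def is_vulnerable(version: str) -> bool:
    """True when the build predates the fix.
    Comparison is numeric per component (string comparison would rank
    138.0.7204.99 above .157). Unparseable input is reported as vulnerable
    so it shows up for manual review instead of silently passing.
    """
    parsed = parse_version(version)
    return parsed is None or parsed < FIXED_BUILD


def triage(inventory: str) -> List[Tuple[str, str]]:
    """Return (host, version) for each inventory line that still needs the update."""
    needs_update = []
    for line in inventory.strip().splitlines():
        host, version = (f.strip() for f in line.split(",", 1))
        if is_vulnerable(version):
            needs_update.append((host, version))
    return needs_update


# Constructed sample inventory ("<host>,<output of chrome --version>"); not real hosts.
SAMPLE_INVENTORY = """
ws-01,Google Chrome 138.0.7204.101
ws-02,Google Chrome 138.0.7204.158
mac-01,Google Chrome 137.0.7151.120
lx-01,Google Chrome 138.0.7204.157
lx-02,Google Chrome 139.0.7300.0
kiosk-07,version string missing
"""

if __name__ == "__main__":
    for host, version in triage(SAMPLE_INVENTORY):
        print(f"{host}: {version} -> update required")
```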
Chrome Releases: Stable Channel Update for Desktop