Google has launched a safety replace for Chrome to deal with half a dozen vulnerabilities, certainly one of them actively exploited by attackers to flee the browser’s sandbox safety.
The vulnerability is recognized as CVE-2025-6558 and obtained a high-severity score of 8.8. It was found by researchers at Google’s Menace Evaluation Group (TAG) on June 23.
The safety situation is described as an inadequate validation of untrusted enter in ANGLE and GPU that impacts Google Chrome variations earlier than 138.0.7204.157. An attacker efficiently exploiting it may carry out a sandbox escape through the use of a specifically crafted HTML web page.
ANGLE (Virtually Native Graphics Layer Engine) is an open-source graphics abstraction layer utilized by Chrome to translate OpenGL ES API calls to Direct3D, Steel, Vulkan, and OpenGL.
As a result of ANGLE processes GPU instructions from untrusted sources like web sites utilizing WebGL, bugs on this element can have a crucial safety impression.
The vulnerability permits a distant attacker utilizing a specifically crafted HTML web page to execute arbitrary code throughout the browser’s GPU course of. Google has not offered the technical particulars on how triggering the problem may result in escaping the browser’s sandbox.
“Entry to bug particulars and hyperlinks could also be stored restricted till a majority of customers are up to date with a repair,” states Google within the safety bulletin.
“We will even retain restrictions if the bug exists in a third-party library that different tasks equally rely upon, however haven’t but fastened.”
Chrome sandbox element is a core safety mechanism that isolates browser processes from the underlying working system, thus stopping malware from spreading outdoors the online browser to compromise the machine.
Given the excessive danger and energetic exploitation standing of CVE-2025-6558, Chrome customers are suggested to replace as quickly as doable to model 138.0.7204.157/.158, relying on their working system.
You are able to do this by navigating to chrome://settings/assist and permitting the replace examine to complete. Updates shall be utilized efficiently after restarting the online browser.
The present Chrome safety replace accommodates fixes for 5 extra vulnerabilities, together with a high-severity flaw within the V8 engine tracked as CVE-2025-7656, and a use-after-free situation in WebRTC tracked below CVE-2025-7657. None of those 5 had been highlighted as actively exploited.
CVE-2025-6558 is the fifth actively exploited flaw found and glued in Chrome browser because the starting of the yr.
In March, Google patched a high-severity sandbox escape flaw, CVE-2025-2783, found by Kaspersky researchers. The vulnerability had been exploited in focused espionage assaults towards Russian authorities companies and media organizations, delivering malware.
Two months later, in Could, Google issued one other replace to repair CVE-2025-4664, a zero-day vulnerability in Chrome that allowed attackers to hijack person accounts.
In June, the corporate addressed yet one more extreme situation, CVE-2025-5419, an out-of-bounds learn/write vulnerability in Chrome’s V8 JavaScript engine, reported by Google TAG’s Benoît Sevens and Clément Lecigne.
Earlier this month, Google fastened the fourth zero-day flaw in Chrome, CVE-2025-6554, additionally within the V8 engine, that was found by GTAG researchers.
Whereas cloud assaults could also be rising extra subtle, attackers nonetheless succeed with surprisingly easy methods.
Drawing from Wiz’s detections throughout hundreds of organizations, this report reveals 8 key methods utilized by cloud-fluent menace actors.
