CVE-2025-6558: Google Urgently Fixes Actively Exploited Chrome Zero-Day


Google has released a critical security update for its Chrome browser to fix a serious vulnerability known as CVE-2025-6558, which attackers are actively exploiting. The issue affects Chrome’s ANGLE and GPU components, allowing remote attackers to break out of the browser’s secure sandbox environment.

This zero-day vulnerability, rated high severity with a CVSS score of 8.8, can allow an attacker to run code on the victim’s system simply by making them visit a maliciously crafted HTML webpage. In simpler terms, opening the wrong website could give hackers unauthorized access to your computer.

The flaw was found in ANGLE, which stands for Almost Native Graphics Layer Engine. This part of Chrome helps the browser communicate with your device’s graphics drivers. It plays a key role in rendering graphics and animations on websites. However, in this case, Google discovered that it was not properly validating untrusted inputs, meaning attackers could manipulate it to escape Chrome’s secure environment.

According to the National Vulnerability Database (NVD), this vulnerability allowed remote attackers to perform a sandbox escape — a type of attack where hackers break out of the browser’s isolation layer and potentially execute harmful commands directly on the host system.

Google’s Threat Analysis Group (TAG), a team that monitors cyber threats including those from nation-states, reported that this vulnerability has already been used in real-world attacks. Security researchers Clément Lecigne and Vlad Stolyarov discovered the flaw and reported it to Google on June 23, 2025.

While Google has not shared detailed information about how the vulnerability is being exploited, the involvement of TAG suggests the attack may be part of state-sponsored or advanced targeted campaigns.

Such vulnerabilities are extremely dangerous because they require no user interaction beyond visiting a compromised webpage. No downloads, no pop-ups, and no clicks — just opening a page could allow a hacker to gain control of your device.

CVE-2025-6558 is not the only Chrome vulnerability discovered this year. Google has already fixed five critical Chrome zero-day vulnerabilities in 2025, including:

  • CVE-2025-2783

  • CVE-2025-4664

  • CVE-2025-5419

  • CVE-2025-6554

  • CVE-2025-6558 (the latest)

Interestingly, another Chrome zero-day — CVE-2025-6554 — was also reported by Clément Lecigne just two days after CVE-2025-6558. This highlights the intense focus cybercriminals currently have on browser-based attacks, especially on graphics processing (GPU) and sandbox bypass techniques.

This security flaw affects all major platforms that support Chrome, including:

  • Windows

  • macOS

  • Linux

Users of Chromium-based browsers like Microsoft Edge, Brave, Opera, and Vivaldi are also potentially at risk. These browsers share Chrome’s core engine and often inherit the same vulnerabilities. It’s important for users of these browsers to check for security updates regularly and apply them as soon as they are available.

To protect yourself, it’s important to update your Chrome browser immediately. The patched versions are:

  • 138.0.7204.157/.158 for Windows and macOS

  • 138.0.7204.157 for Linux

You can check your version and update Chrome by following these steps:

  1. Open Chrome.

  2. Click on the three-dot menu in the top-right corner.

  3. Go to Help > About Google Chrome.

  4. Chrome will automatically check for updates.

  5. Click Relaunch to complete the update.

By doing this, you ensure that you are protected against CVE-2025-6558 and other recent threats.
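For more than one machine, the same check can be scripted. As an added example (not from Google or the original article), the following Python script compares reported Chrome version strings against the patched build 138.0.7204.157 named above, comparing numerically so that `.99` is not mistaken for newer than `.157`. The inventory format, host names and sample version values are constructed for illustration, and other Chromium-based browsers are flagged for a vendor check because the article gives no patched build for them.

```python
import re

# Minimum fixed Chrome build from the article (138.0.7204.157 on all platforms;
# Windows and macOS may also report .158).
PATCHED_CHROME = (138, 0, 7204, 157)

VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Extract a four-part version as a tuple of ints, or None if absent."""
    match = VERSION_RE.search(text)
    return tuple(int(part) for part in match.groups()) if match else None


def classify(product, version_text):
    """Return 'patched', 'vulnerable', 'check-vendor' or 'unparseable'."""
    version = parse_version(version_text)
    if version is None:
        return "unparseable"
    if product.strip().lower() != "google chrome":
        # Edge, Brave, Opera, Vivaldi use their own build numbers.
        return "check-vendor"
    # Tuple comparison is numeric per component, unlike string comparison.
    return "patched" if version >= PATCHED_CHROME else "vulnerable"


def audit(inventory_text):
    """Classify each 'host, product, version output' line of an inventory."""
    results = []
    for line in inventory_text.strip().splitlines():
        host, product, version_text = [f.strip() for f in line.split(",", 2)]
        results.append((host, product, classify(product, version_text)))
    return results


# Constructed sample inventory (hypothetical hosts and version values).
SAMPLE_INVENTORY = """
ws-014, Google Chrome, Google Chrome 138.0.7204.158
ws-022, Google Chrome, Google Chrome 138.0.7204.99
lx-003, Google Chrome, Google Chrome 137.0.7151.119
lx-009, Google Chrome, Google Chrome 139.0.7258.66
mac-07, Microsoft Edge, Microsoft Edge 138.0.3351.83
ws-031, Google Chrome, version unknown
"""

if __name__ == "__main__":
    for host, product, status in audit(SAMPLE_INVENTORY):
        print(f"{host:8} {product:16} {status}")
```

Hosts reported as `vulnerable` need the update and a browser relaunch; `unparseable` entries should be checked by hand rather than assumed safe.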

Vulnerabilities in GPU components like ANGLE are often overlooked but can be extremely powerful. They are especially attractive to attackers who want to chain multiple bugs together for privilege escalation or remote code execution.

Security researchers advise keeping a close eye on:

  • GPU sandbox escapes

  • Shader bugs and WebGL flaws

  • Memory corruption issues in rendering engines

Even though these issues may not make headlines every day, they often become part of larger cyberattack chains, particularly in espionage and targeted intrusion campaigns.

Google’s quick response and patch for CVE-2025-6558 show the importance of staying up-to-date with browser security updates. In today’s digital world, even something as simple as opening a web page can expose you to serious cyber risks.

Make sure your browser is updated today, and spread the word to others who may not realize the dangers of unpatched software. With attackers actively exploiting this flaw, every second counts.
