
On Tuesday, Google rolled out fixes for six security issues in the Chrome web browser.
The high-severity vulnerability in question is CVE-2025-6558 (CVSS score: 8.8). It is described as incorrect validation of untrusted input in the browser's ANGLE and GPU components.
“Insufficient validation of untrusted input in ANGLE and GPU in Google Chrome prior to 138.0.7204.157 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page,” according to a description of the flaw in NIST’s National Vulnerability Database (NVD).
ANGLE is short for “Almost Native Graphics Layer Engine” and acts as a translation layer between Chrome’s rendering engine and device-specific graphics drivers. The vulnerability allows attackers to escape the Chrome sandbox by abusing low-level GPU operations that browsers usually keep isolated, making it an unusual but powerful path to deeper system access.

Clément Lecigne and Vlad Stolyarov of Google’s Threat Analysis Group (TAG) are credited with discovering and reporting the zero-day vulnerability on June 23, 2025.
The exact nature of the attacks weaponizing the flaw has not been revealed, but Google has acknowledged that “an exploit for CVE-2025-6558 exists in the wild.” That said, the discovery by TAG hints at the possibility of nation-state involvement.
The development comes about two weeks after Google addressed another actively exploited Chrome zero-day (CVE-2025-6554, CVSS score: 8.1), which was also reported by Lecigne on June 25, 2025.
Google has resolved a total of five zero-day vulnerabilities in Chrome that have been either actively exploited or demonstrated as a proof-of-concept (PoC) since the beginning of the year. These include CVE-2025-2783, CVE-2025-4664, CVE-2025-5419, and CVE-2025-6554.
For most users, a sandbox escape like this means that a malicious site, once visited, can break out of the browser’s security bubble and interact with the underlying system. This is especially important in targeted attacks, where simply opening a web page can trigger a silent compromise. No downloads or clicks are required.
To protect against potential threats, we recommend updating to Chrome version 138.0.7204.157/.158 for Windows and Apple macOS, and version 138.0.7204.157/.158 for Linux. To ensure that the latest updates are installed, users can navigate to More > Help > About Google Chrome and select Relaunch.

Users of other Chromium-based browsers such as Microsoft Edge, Brave, Opera, and Vivaldi are also advised to apply the fixes as and when they become available.
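For anyone checking more than one machine, the version guidance above can be turned into an inventory check. The following is an added example, not code from the article or from Google; the `host | product | version output` line format, the host names and the sample version strings are constructed for illustration.

```python
import re

# Lowest patched Chrome build named in the article (all platforms).
FIXED = (138, 0, 7204, 157)
VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\.(\d+)\b")


def classify(product: str, version_output: str) -> str:
    """Return 'patched', 'vulnerable', 'check-vendor' or 'unparsed'."""
    if product.strip().lower() != "google chrome":
        # Edge, Brave, Opera and Vivaldi ship their own build numbers, so
        # comparing them against Chrome's fixed build gives a wrong answer.
        # Use the vendor's own advisory for these.
        return "check-vendor"
    m = VERSION_RE.search(version_output)
    if not m:
        return "unparsed"
    version = tuple(int(part) for part in m.groups())
    # Tuple comparison is numeric per component, unlike string comparison
    # (where "138.0.7204.99" would sort after "138.0.7204.157").
    return "patched" if version >= FIXED else "vulnerable"


def audit(inventory_lines):
    """Map each host in a 'host | product | version output' list to a status."""
    results = {}
    for line in inventory_lines:
        host, product, version_output = (f.strip() for f in line.split("|", 2))
        results[host] = classify(product, version_output)
    return results


# Constructed sample inventory (hypothetical hosts and version strings).
SAMPLE = [
    "ws-001 | Google Chrome | Google Chrome 138.0.7204.158",
    "ws-002 | Google Chrome | Google Chrome 138.0.7204.99",
    "ws-003 | Google Chrome | Google Chrome 137.0.7151.120",
    "ws-004 | Microsoft Edge | Microsoft Edge 138.0.3351.95",
    "ws-005 | Google Chrome | Google Chrome 139.0.7258.66",
    "ws-006 | Google Chrome | version unknown",
]

if __name__ == "__main__":
    for host, status in audit(SAMPLE).items():
        print(f"{host}: {status}")
```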
Issues like this often fall into broader categories such as GPU sandbox escapes, shader-related bugs, or WebGL vulnerabilities. They don’t always grab headlines, but they tend to resurface in chained exploits or targeted attacks. If you are following Chrome security updates, it is worth watching for terms like graphics driver flaws, privilege boundary bypass, memory corruption in rendering paths, and more.