Chrome Addresses Sandbox Escape Vulnerability Already Exploited in Attacks


Date: 21/07/2025

Google has released fixes for six vulnerabilities in the Chrome browser. One of these vulnerabilities was already being exploited in real attacks to bypass the browser’s sandbox.

The vulnerability CVE-2025-6558 (scoring 8.8 on the CVSS scale), discovered by Google Threat Analysis Group (TAG) specialists Clément Lecigne and Vlad Stolyarov, is associated with inadequate validation of untrusted input in the ANGLE and GPU components of the browser.

“Insufficient validation of untrusted input in ANGLE and GPU in Google Chrome versions prior to 138.0.7204.157 potentially allowed a remote attacker to escape the sandbox through a specially crafted HTML page,” reads the vulnerability description in the NIST NVD.

The open-source ANGLE (Almost Native Graphics Layer Engine) serves as a layer between Chrome’s rendering engine and the graphics drivers of specific devices. It is used to translate OpenGL ES API calls into Direct3D, Metal, Vulkan, and OpenGL.

Since ANGLE processes commands for the GPU from untrusted sources (such as sites using WebGL), issues in this component can seriously impact security. Vulnerabilities in this module can allow attackers to escape the browser sandbox by using low-level GPU operations that are usually isolated.

In fact, the user only needs to visit a malicious site for attackers to gain the ability to escape the browser’s sandbox and interact with the underlying OS.

Google has not disclosed exactly how the vulnerability was used in attacks or who might have been behind them. The company only specified that a working exploit exists for CVE-2025-6558.

However, it is worth noting that Google TAG specializes in protecting the company’s clients from government-backed hackers, targeted attacks, and other advanced threats. As a result, the TAG team often discovers 0-day exploits used by APT groups in targeted attacks or to infect the devices of politicians, dissidents, and journalists with spyware.

Given the severity of CVE-2025-6558 and the fact that it has already been exploited in attacks, Chrome users are advised to update to version 138.0.7204.157 or .158 (depending on the operating system) as soon as possible.
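To confirm that the update has reached every machine, a version inventory can be checked against the first fixed build named in the NVD description. The sketch below is an added example, not part of the original article: the host names and version strings are constructed, and the inventory format (host, reported version string) is an assumption.

```python
import re

# First fixed build, per the NVD description quoted in the article.
PATCHED = (138, 0, 7204, 157)

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Extract a four-part Chrome version from text such as
    'Google Chrome 138.0.7204.100'; return None if none is present."""
    match = _VERSION_RE.search(text or "")
    return tuple(int(part) for part in match.groups()) if match else None


def classify(version_text):
    """Return 'patched', 'vulnerable' or 'unknown' for one version string."""
    version = parse_version(version_text)
    if version is None:
        return "unknown"  # treat as needing follow-up, never as safe
    # Compare numerically: as plain strings, '...7204.99' would sort
    # after '...7204.157' and a vulnerable build would look patched.
    return "patched" if version >= PATCHED else "vulnerable"


def audit(inventory):
    """Group hosts by patch status for CVE-2025-6558."""
    report = {"patched": [], "vulnerable": [], "unknown": []}
    for host, version_text in inventory:
        report[classify(version_text)].append(host)
    return report


# Constructed sample inventory (hypothetical hosts and version strings).
SAMPLE_INVENTORY = [
    ("ws-001", "Google Chrome 138.0.7204.157"),
    ("ws-002", "Google Chrome 138.0.7204.99"),
    ("ws-003", "138.0.7204.158"),
    ("ws-004", "Google Chrome 137.0.7000.1"),
    ("ws-005", "Google Chrome 139.0.7300.10"),
    ("ws-006", ""),  # agent reported nothing
]

if __name__ == "__main__":
    for status, hosts in audit(SAMPLE_INVENTORY).items():
        print(f"{status}: {', '.join(hosts) or '-'}")
```

Hosts in the "unknown" group reported no parseable version and should be checked manually rather than assumed to be up to date.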

As mentioned above, in addition to CVE-2025-6558, the Chrome update also addressed five other vulnerabilities, including a serious issue in the V8 engine (CVE-2025-7656), as well as a use-after-free bug in WebRTC (CVE-2025-7657).
