Chrome Addresses Sandbox Escape Vulnerability Already Exploited in Attacks

Date: 21/07/2025

Google has released fixes for six vulnerabilities in the Chrome browser. One of these vulnerabilities was already being exploited in real attacks to bypass the browser’s sandbox.

The vulnerability CVE-2025-6558 (scoring 8.8 on the CVSS scale), discovered by Google Threat Analysis Group (TAG) specialists Clément Lecigne and Vlad Stolyarov, is associated with inadequate validation of untrusted input in the ANGLE and GPU components of the browser.

“Insufficient validation of untrusted input in ANGLE and GPU in Google Chrome versions prior to 138.0.7204.157 potentially allowed a remote attacker to escape the sandbox through a specially crafted HTML page,” reads the vulnerability description in the NIST NVD.

The open-source ANGLE (Almost Native Graphics Layer Engine) serves as a layer between Chrome’s rendering engine and the graphics drivers of specific devices. It is used to translate OpenGL ES API calls into Direct3D, Metal, Vulkan, and OpenGL.

Since ANGLE processes commands for the GPU from untrusted sources (such as sites using WebGL), issues in this component can seriously impact security. Vulnerabilities in this module can allow attackers to escape the browser sandbox by using low-level GPU operations that are usually isolated.

In fact, the user only needs to visit a malicious site for attackers to gain the ability to escape the browser’s sandbox and interact with the underlying OS.

Google has not disclosed exactly how the vulnerability was used in attacks or who might have been behind them. The company only specified that a working exploit exists for CVE-2025-6558.

However, it is worth noting that Google TAG specializes in protecting the company’s clients from the activities of “government” hackers, targeted attacks, and other advanced threats. As a result, the TAG team often discovers 0-day exploits used by APT groups in targeted attacks or to infect the devices of politicians, dissidents, and journalists with spyware.

Given the severity of CVE-2025-6558 and the fact that it has already been exploited in attacks, Chrome users are advised to update to version 138.0.7204.157 or .158 (depending on the operating system) as soon as possible.
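As an added example (not from the original article or from Google), the following inventory check flags hosts that report a Chrome build older than 138.0.7204.157, the first fixed version quoted above. The inventory format (host, tab, reported version string) and the host names are constructed for illustration; versions are compared numerically, because a plain string comparison would rank build .99 above .157.

```python
import re

# First fixed build quoted in the article (NVD: versions prior to it are affected).
FIXED = (138, 0, 7204, 157)
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")

# Constructed sample inventory: one "<host><TAB><reported version string>" per line.
SAMPLE_INVENTORY = """\
ws-001\tGoogle Chrome 138.0.7204.157
ws-002\tGoogle Chrome 138.0.7204.100
ws-003\t138.0.7204.158
ws-004\tGoogle Chrome 138.0.7204.99
ws-005\tnot installed
"""


def parse_version(text):
    """Pull a four-part version out of free text; return a tuple of ints or None."""
    match = VERSION_RE.search(text)
    return tuple(int(part) for part in match.groups()) if match else None


def classify(text):
    """Return 'patched', 'vulnerable', or 'unknown' for one reported version string."""
    version = parse_version(text)
    if version is None:
        return "unknown"  # no parsable version: needs manual follow-up
    # Tuple comparison is numeric per component, so .99 sorts below .157.
    return "patched" if version >= FIXED else "vulnerable"


def audit(lines):
    """Group hosts by status. Lines without a tab or a version land in 'unknown'."""
    report = {"patched": [], "vulnerable": [], "unknown": []}
    for line in lines:
        line = line.strip()
        if not line:
            continue
        host, _, reported = line.partition("\t")
        report[classify(reported)].append(host)
    return report


if __name__ == "__main__":
    for status, hosts in audit(SAMPLE_INVENTORY.splitlines()).items():
        print(f"{status}: {', '.join(hosts) or '-'}")
```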

As mentioned above, in addition to CVE-2025-6558, Chrome also addressed five other vulnerabilities, including a serious issue in the V8 engine (CVE-2025-7656), as well as a use-after-free bug in WebRTC (CVE-2025-7657).
