Chrome Addresses Sandbox Escape Vulnerability Already Exploited in Attacks

Google has released fixes for six vulnerabilities in the Chrome browser. One of these vulnerabilities was already being exploited in real attacks to bypass the browser’s sandbox.

The vulnerability CVE-2025-6558 (scoring 8.8 on the CVSS scale), discovered by Google Threat Analysis Group (TAG) specialists Clément Lecigne and Vlad Stolyarov, is associated with inadequate validation of untrusted input in the ANGLE and GPU components of the browser.

“Insufficient validation of untrusted input in ANGLE and GPU in Google Chrome versions prior to 138.0.7204.157 potentially allowed a remote attacker to escape the sandbox through a specially crafted HTML page,” reads the vulnerability description in the NIST NVD.

The open-source ANGLE (Almost Native Graphics Layer Engine) serves as a layer between Chrome’s rendering engine and the graphics drivers of specific devices. It is used to translate OpenGL ES API calls into Direct3D, Metal, Vulkan, and OpenGL.

Since ANGLE processes commands for the GPU from untrusted sources (such as sites using WebGL), issues in this component can seriously impact security. Vulnerabilities in this module can allow attackers to escape the browser sandbox by using low-level GPU operations that are usually isolated.

In fact, the user only needs to visit a malicious site for attackers to gain the ability to escape the browser’s sandbox and interact with the underlying OS.

Google has not disclosed exactly how the vulnerability was used in attacks or who might have been behind them. The company only specified that a working exploit exists for CVE-2025-6558.

However, it is worth noting that Google TAG specializes in protecting the company’s clients from the activities of “government” hackers, targeted attacks, and other advanced threats. Because of this, the TAG team often discovers 0-day exploits used by APT groups for targeted attacks or for infecting the devices of politicians, dissidents, and journalists with spyware.

Given the severity of CVE-2025-6558 and the fact that it has already been exploited in attacks, Chrome users are advised to update to version 138.0.7204.157 or .158 (depending on the operating system) as soon as possible.

As mentioned above, in addition to CVE-2025-6558, Chrome also addressed five other vulnerabilities, including a serious issue in the V8 engine (CVE-2025-7656), as well as a use-after-free bug in WebRTC (CVE-2025-7657).
