Google announced a critical security update for its Chrome browser that addresses six vulnerabilities, including CVE-2025-6558 (CVSS score: 8.8), a high-risk flaw in Chrome's ANGLE and GPU components that is being actively exploited.
How does this Chrome vulnerability work?
According to National Vulnerability Database (NVD) disclosures, the flaw stems from insufficient validation of untrusted inputs within the ANGLE and GPU modules. ANGLE (Almost Native Graphics Layer Engine) serves as a crucial layer in Chrome that translates graphics commands for execution across different systems including Direct3D, Vulkan, Metal, and OpenGL.
Attackers could exploit this vulnerability by crafting malicious HTML pages to escape Chrome's sandbox - a protective barrier designed to contain malicious code within the browser and prevent system-wide damage.
The zero-day vulnerability was discovered on June 23, 2025 by Clément Lecigne and Vlad Stolyarov from Google's Threat Analysis Group (TAG), a team renowned for tracking targeted cyber attacks. Google officially confirmed "awareness of exploitation in the wild" for CVE-2025-6558.
Chrome Update Instructions
Given the severity of CVE-2025-6558 and confirmed active exploitation, users are urged to update Chrome immediately. The patched versions include 138.0.7204.157/.158 for Windows/macOS and 138.0.7204.157 for Linux.
Follow these steps:
- Launch Chrome
- Click the menu (⋮) > Help > About Google Chrome
- If updates are available, click Restart to apply changes
Other Chromium-based browsers like Microsoft Edge, Brave, Opera, and Vivaldi may also be affected; users should monitor vendor updates closely.
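For administrators who need to confirm the update across many machines rather than one browser at a time, the following added example (not from Google or the original article) compares collected Chrome version strings against the patched builds listed above. The inventory records, hostnames and function names are constructed for illustration, and it covers Google Chrome only, since other Chromium-based browsers use their own vendor-specific fixed versions.

```python
import re

# Minimum patched builds named in the article (.158 is an alternate
# Windows/macOS build and compares as newer than .157).
PATCHED = {
    "windows": (138, 0, 7204, 157),
    "macos": (138, 0, 7204, 157),
    "linux": (138, 0, 7204, 157),
}

VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\.(\d+)\b")


def parse_version(text):
    """Pull a four-part version out of text such as
    'Google Chrome 138.0.7204.157'; return a tuple of ints or None."""
    match = VERSION_RE.search(text or "")
    return tuple(int(part) for part in match.groups()) if match else None


def classify(platform, version_text):
    """Return 'patched', 'vulnerable' or 'unknown' for one record."""
    minimum = PATCHED.get(platform.lower())
    version = parse_version(version_text)
    if minimum is None or version is None:
        return "unknown"  # unparseable records need manual follow-up
    # Compare numerically: as strings, '...7204.97' sorts after '...7204.157'.
    return "patched" if version >= minimum else "vulnerable"


def audit(records):
    """Group hostnames by patch status."""
    report = {"patched": [], "vulnerable": [], "unknown": []}
    for host, platform, version_text in records:
        report[classify(platform, version_text)].append(host)
    return report


# Constructed sample inventory: (hostname, platform, collected version text).
INVENTORY = [
    ("ws-001", "windows", "Google Chrome 138.0.7204.158"),
    ("ws-002", "windows", "Google Chrome 138.0.7204.97"),
    ("mac-01", "macos", "Google Chrome 138.0.7204.157"),
    ("lnx-01", "linux", "Google Chrome 137.0.7151.119"),
    ("lnx-02", "linux", "google-chrome: command not found"),
]

if __name__ == "__main__":
    for status, hosts in audit(INVENTORY).items():
        print(f"{status}: {', '.join(hosts) or '-'}")
```

Hosts reported as unknown should be checked by hand, because a missing or unparseable version string says nothing about whether the browser is patched.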
Not Chrome's First Zero-Day This Year
This marks the fifth Chrome zero-day vulnerability discovered and exploited in 2025. Earlier this year, Google addressed:
- CVE-2025-2783 - sandbox escape used in espionage
- CVE-2025-4664 - account hijacking vulnerability
- CVE-2025-5419 - V8 memory corruption flaw
- CVE-2025-6554 - another V8-related vulnerability
The increasing frequency of these low-level rendering system exploits highlights the growing complexity of browser-based attacks.
Five Additional High-Risk Chrome Vulnerabilities Fixed
Beyond CVE-2025-6558, Google's Chrome update resolved five other critical flaws:
- CVE-2025-7656 - integer overflow in Chrome's JavaScript engine V8 reported by security researcher Shaheen Fazim on June 17
- CVE-2025-7657 - use-after-free vulnerability in Chrome's WebRTC component reported by jakebiles on June 25
- Three internal security fixes identified through fuzzing, audits, and tools like AddressSanitizer and libFuzzer
Google has not confirmed whether these five vulnerabilities are being actively exploited.