Google has recently released updates addressing six security issues in its Chrome browser, among them a critical vulnerability tracked as CVE-2025-6558 that has already been exploited in the wild. This high-severity flaw has a CVSS score of 8.8 and stems from improper validation of untrusted input in Chrome’s ANGLE and GPU components.
A critical browser vulnerability
The vulnerability allows a remote attacker to bypass the browser’s security restrictions through a malicious HTML page. This could compromise systems without the need for users to perform downloads or additional interactions. The vulnerability was discovered by Clément Lecigne and Vlad Stolyarov from Google’s Threat Analysis Group on June 23, 2025, and is considered a particular risk, as it could result in a sandbox escape, granting access to low-level operations and potentially to the user’s systems.
Although Google has not revealed the exact nature of the attacks exploiting this vulnerability, it acknowledges that an “exploit for CVE-2025-6558 exists in the wild,” suggesting the possibility of involvement from state actors. This announcement comes shortly after Google addressed another Chrome vulnerability (CVE-2025-6554) that also had a high potential for exploitation.
Since the beginning of the year, Google has fixed five critical vulnerabilities in Chrome that have been actively exploited or demonstrated as proof of concept. To protect against potential threats, users are advised to update Chrome to version 138.0.7204.157 or 138.0.7204.158 on Windows and macOS, and to 138.0.7204.157 on Linux. Users of other Chromium-based browsers, such as Microsoft Edge and Brave, should also apply the available patches.
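One way to check a fleet against the fixed builds listed above, as an added example that is not from the article or from Google. The inventory format, hostnames and function names are assumptions, and the sample data is constructed. It covers Chrome only, because the article gives no fixed build numbers for Edge or Brave.

```python
import re

# Fixed Chrome builds for CVE-2025-6558 as given in the article.
FIXED = {
    "windows": (138, 0, 7204, 157),
    "macos": (138, 0, 7204, 157),
    "linux": (138, 0, 7204, 157),
}

VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\.(\d+)\b")


def parse_version(text):
    """Pull a four-part version out of text such as 'Google Chrome 138.0.7204.157'.
    Returns a tuple of ints so parts compare numerically, or None if absent."""
    m = VERSION_RE.search(text)
    return tuple(int(p) for p in m.groups()) if m else None


def is_patched(platform, version_text):
    """True if at or above the fixed build, False if older,
    None if the platform is unknown or the version cannot be parsed."""
    minimum = FIXED.get(platform.lower())
    version = parse_version(version_text)
    if minimum is None or version is None:
        return None
    return version >= minimum


def audit(inventory):
    """Return hosts that are unpatched or could not be verified."""
    return [host for host, plat, ver in inventory
            if is_patched(plat, ver) is not True]


# Constructed inventory: (hostname, platform, reported version string).
SAMPLE_INVENTORY = [
    ("ws-01", "windows", "Google Chrome 138.0.7204.158"),
    ("ws-02", "windows", "Google Chrome 138.0.7204.99"),   # older, despite "99" > "157" as text
    ("mac-01", "macos", "Google Chrome 138.0.7204.157"),
    ("lin-01", "linux", "Google Chrome 137.0.7151.119"),
    ("lin-02", "linux", "version unknown"),                # unverifiable, flag for review
]

if __name__ == "__main__":
    for host in audit(SAMPLE_INVENTORY):
        print("needs update or review:", host)
```

Hosts whose version cannot be parsed are reported alongside unpatched ones, so a failed inventory query is never silently treated as patched.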