Google has just released a new security update for Chrome, addressing a total of six vulnerabilities. The most concerning among them, identified as CVE-2025-6558, was already being actively exploited by attackers.
This flaw was discovered by Google’s Threat Analysis Group (TAG) on June 23 and has been rated as high severity, scoring 8.8 out of 10 on the CVSS scale. Why? Because it allowed attackers to escape Chrome’s sandbox—one of the browser’s primary layers of defense.
The issue stems from improper validation of untrusted input in components like ANGLE and the GPU, affecting versions prior to 138.0.7204.157. An attacker could exploit this weakness by crafting a specially designed HTML page that executes code outside the browser’s secure environment.
In short: if you use Chrome and haven’t updated it yet, now is the time. This vulnerability could allow an attacker to access your system simply by visiting a malicious website.
ANGLE (Almost Native Graphics Layer Engine) is an open-source technology used by Chrome to handle graphics. Essentially, it acts as a translation layer that converts OpenGL ES instructions into other APIs like Direct3D, Metal, Vulkan, or OpenGL, depending on the operating system.
The issue lies in the fact that ANGLE processes graphic commands coming from websites (such as those using WebGL), meaning it receives data directly from external and potentially untrustworthy sources. And when a critical component like this has flaws, the consequences can be serious.
The CVE-2025-6558 flaw allows a remote attacker to create a specially crafted HTML page to execute malicious code directly within the browser’s GPU process. That alone is a risk, but what’s truly alarming is its potential to be used to escape Chrome’s sandbox.
Put simply, this means an attacker could break through the browser’s security bubble and potentially gain access to deeper parts of the operating system—something no user wants to happen.
As is often the case with serious vulnerabilities that are already being actively exploited, Google has chosen not to disclose full technical details until a large portion of users have updated their browsers.
“Access to bug details and links may be kept restricted until a majority of users are updated with a fix,” the company explained in its security bulletin.
They also warned that if the issue affects third-party libraries (which could be used by other browsers or projects), they will continue to restrict access to technical information until those are patched as well.
The sandbox is one of the most important mechanisms Chrome uses to protect users. It works like a kind of safety box: each website you visit runs in an isolated environment, separate from the operating system. This prevents a compromised site from affecting your computer or directly stealing information.
When a vulnerability like CVE-2025-6558 allows that isolation to be broken, the security of the entire system is at risk.
The good news is that Google has already released a patch to fix this issue, available in Chrome versions 138.0.7204.157 and .158 (depending on your operating system).
Open a new tab and type: chrome://settings/help
Chrome will automatically check for available updates.
If a new version appears, allow it to download.
Restart the browser to complete the installation.
This process only takes a few minutes and is crucial to keeping your system protected against this and other potential threats.
Read more: What is patch management?
Google Chrome’s latest security update not only fixes the critical vulnerability CVE-2025-6558, which is already being actively exploited, but also includes patches for five additional flaws.
Among them is CVE-2025-7656, a high-severity vulnerability in the V8 engine (Chrome’s JavaScript engine), and CVE-2025-7657, a use-after-free issue in WebRTC. Fortunately, none of these five cases have been detected in real-world attacks so far, but addressing them promptly helps prevent future exploitation.
With this new update, CVE-2025-6558 becomes the fifth actively exploited vulnerability Google has had to patch so far this year. The pace of discovery and exploitation shows that attackers are more active than ever, and that Chrome (while secure) is not immune to emerging threats.
March: Google patched CVE-2025-2783, a serious sandbox escape flaw discovered by Kaspersky researchers. This vulnerability was used in espionage attacks targeting government agencies and media outlets in Russia. In this case, attackers managed to deliver sophisticated malware after bypassing the browser’s defenses.
May: CVE-2025-4664, another zero-day vulnerability, was addressed. It allowed attackers to hijack user accounts. The potential impact was significant, especially when combined with social engineering or phishing techniques.
June: CVE-2025-5419, a critical out-of-bounds read/write flaw in the V8 engine, was resolved. It was reported by Benoît Sevens and Clément Lecigne from Google’s Threat Analysis Group (TAG).
Early July: CVE-2025-6554, another critical V8 engine vulnerability, was patched. It was discovered by researchers from the GTAG group, part of Google’s security ecosystem.
While the number of vulnerabilities in a single year might seem alarming, what truly matters is Google’s proactive approach. The Chrome team is continuously fixing flaws before they can cause widespread harm.
The fact that only five of these vulnerabilities have been actively exploited also highlights the effectiveness of detection programs, responsible disclosure, and rapid patching. Still, the message is clear: keeping your browser updated is essential to your digital security.