Google has released a critical security update for its Chrome web browser, patching six vulnerabilities. The most alarming of the bunch is CVE-2025-6558, a high-severity bug (CVSS score: 8.8) found in Chrome’s ANGLE and GPU components that is being actively exploited in the wild.
How does this Chrome bug work?
According to the National Vulnerability Database (NVD), the bug stems from insufficient validation of untrusted input in ANGLE and GPU modules. ANGLE (Almost Native Graphics Layer Engine) is a key layer in Chrome that translates graphics commands to work across various systems, including Direct3D, Vulkan, Metal, and OpenGL.
By creating a malicious HTML page, an attacker could exploit this vulnerability to escape Chrome’s sandbox, a protective barrier designed to keep malicious code locked inside the browser and away from the rest of your computer.
The zero-day flaw was discovered on June 23, 2025, by Clément Lecigne and Vlad Stolyarov from Google’s Threat Analysis Group (TAG), a team known for tracking targeted cyberattacks. Google confirmed in its official release that it is “aware that an exploit for CVE-2025-6558 exists in the wild.”
How to update Chrome
Given the severity of the CVE-2025-6558 flaw and its confirmed exploitation, users are strongly advised to immediately update Chrome. The patched versions are 138.0.7204.157/.158 for Windows and macOS and 138.0.7204.157 for Linux.
Follow these steps:
- Open Chrome.
- Click the three-dot menu (⋮) > Help > About Google Chrome.
- If an update is available, click Relaunch to apply it.
Other Chromium-based browsers like Microsoft Edge, Brave, Opera, and Vivaldi may also be affected; users should watch for updates from those vendors.
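For administrators checking many machines rather than one, the same check can be scripted. The following is an added example, not code from Google or from this article: it compares reported Chrome versions against the patched builds listed above. The host names, inventory rows, status labels and the separate "running" version field are assumptions constructed for illustration.

```python
import re

# Lowest patched build per platform, taken from the article. Windows and macOS
# also ship .158; anything at or above .157 carries the fix.
PATCHED_FLOOR = {
    "windows": (138, 0, 7204, 157),
    "macos": (138, 0, 7204, 157),
    "linux": (138, 0, 7204, 157),
}
VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\.(\d+)\b")


def parse_version(text):
    """Return the four-part version as a tuple of ints, or None if absent."""
    match = VERSION_RE.search(text or "")
    return tuple(int(part) for part in match.groups()) if match else None


def classify(platform, installed, running=None):
    """Return 'patched', 'relaunch-pending', 'needs-update' or 'unknown'."""
    floor = PATCHED_FLOOR.get(platform.lower())
    inst = parse_version(installed)
    if floor is None or inst is None:
        return "unknown"
    # Tuples of ints compare numerically, so build 99 sorts below 157
    # (a plain string comparison would get this wrong).
    if inst < floor:
        return "needs-update"
    run = parse_version(running) if running else inst
    if run is None:
        return "unknown"
    # The update is on disk, but the old build keeps running until Relaunch.
    return "patched" if run >= floor else "relaunch-pending"


# Constructed inventory rows: (host, platform, installed, running).
INVENTORY = [
    ("ws-01", "windows", "Google Chrome 138.0.7204.158", "138.0.7204.158"),
    ("ws-02", "windows", "Google Chrome 138.0.7204.157", "138.0.7204.101"),
    ("mac-01", "macos", "Google Chrome 138.0.7204.99", None),
    ("lnx-01", "linux", "Google Chrome 139.0.7258.66", None),
    ("lnx-02", "linux", "version string missing", None),
]


def audit(inventory=INVENTORY):
    """Map each host to its status."""
    return {host: classify(plat, inst, run) for host, plat, inst, run in inventory}


if __name__ == "__main__":
    for host, status in audit().items():
        print(f"{host}: {status}")
```

The "relaunch-pending" status corresponds to the last manual step above: a downloaded update does not take effect until Chrome is relaunched.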
Not the first Chrome zero-day this year
This is the fifth zero-day vulnerability in Chrome to be discovered and exploited in 2025. Earlier this year, Google patched:
- CVE-2025-2783, a sandbox escape used in espionage operations.
- CVE-2025-4664, used for account hijacking.
- CVE-2025-5419, a V8 memory corruption bug.
- CVE-2025-6554, another V8-related flaw.
The rapid emergence of these flaws highlights how browser-based attacks, particularly those exploiting low-level rendering systems, are becoming more frequent and sophisticated.
Five other high-risk Chrome bugs were patched
Alongside CVE-2025-6558, Google addressed five additional vulnerabilities in this Chrome update. These bugs include:
- CVE-2025-7656, an integer overflow in Chrome’s JavaScript engine V8, reported on June 17 by security researcher Shaheen Fazim.
- CVE-2025-7657, a use-after-free bug in Chrome’s WebRTC component, reported on June 25 by jakebiles.
- Three other internal security fixes discovered through fuzzing, audits, and automated tools such as AddressSanitizer and libFuzzer.
Google did not confirm whether these five vulnerabilities are being actively exploited.