Actively exploited Chrome zero-day gets patched

Google has released a security update patching six security vulnerabilities in Chrome, including one actively exploited by hackers to bypass the browser’s sandbox protections. The search giant didn’t say how severe the exploitation is, but confirmed it is aware that an exploit exists.

The vulnerability, tracked as CVE-2025-6558 with a CVSS score of 8.8, was reported by security researchers Clément Lecigne and Vlad Stolyarov from Google’s Threat Analysis Group (TAG). It’s an insufficient validation of untrusted input in ANGLE and GPU, affecting Chrome versions 138.0.7204.157 and older.

ANGLE, or Almost Native Graphics Layer Engine, is an open-source graphics library that Chrome uses to translate OpenGL ES API calls made by websites into calls to the platform’s native graphics API: Direct3D, Metal, Vulkan, or OpenGL. Because ANGLE processes GPU commands from untrusted sources, in this case a specially crafted HTML page, a bug in the library can expose the browser to attack from that untrusted content.

Photo: In Green / Shutterstock.com

Successful exploitation can let a hacker get out of the browser’s sandbox environment using a maliciously crafted HTML page and run malicious code in the browser’s GPU process. As is usually the case, Google hasn’t revealed technical details on the vulnerability in its security bulletin. The search giant states that “access to bug details and links may be kept restricted until a majority of users are updated with a fix. We will also retain restrictions if the bug exists in a third-party library that other projects similarly depend on, but haven’t yet fixed.”

None of the other five security issues have been exploited so far. Two more high-severity bugs were quashed in the update. These include:

  • CVE-2025-7657: Use-after-free bug in WebRTC
  • CVE-2025-7656: Integer overflow bug in the V8 engine. The bug was reported by Shaheen Fazim, who received a $7,000 bounty for the report.

CVE-2025-6558 is the fifth actively exploited bug Google has patched in Chrome in 2025. The previous actively exploited bug, CVE-2025-6554, was a flaw in Chrome’s V8 engine, which was patched in early July. All Chrome users are advised to update the browser to the latest version, 138.0.7204.157/.158 at the time of writing, as soon as possible.
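To act on the update advice above across more than one machine, the following added example (not from Google or the original article) triages a host inventory against the build number named in that advice. It assumes 138.0.7204.157 is the minimum acceptable build and that each host reports the output of its Chrome version command; the host names and inventory are constructed.

```python
import re

# Minimum acceptable build, taken from the article's update advice (assumption).
FIXED_BUILD = (138, 0, 7204, 157)

# Chrome versions are four dot-separated integers: MAJOR.MINOR.BUILD.PATCH
_VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\.(\d+)\b")


def parse_chrome_version(text):
    """Return the version as a tuple of ints, or None if no version is found."""
    match = _VERSION_RE.search(text)
    return tuple(int(part) for part in match.groups()) if match else None


def needs_update(text, fixed=FIXED_BUILD):
    """True if below the fixed build, False if at or above it, None if unknown.

    Comparison is numeric per component. Comparing the raw strings would rank
    "138.0.7204.99" above "138.0.7204.157" and hide an outdated host.
    """
    version = parse_chrome_version(text)
    return None if version is None else version < fixed


def triage(inventory):
    """Sort a {host: version_output} mapping into outdated/current/unknown."""
    report = {"outdated": [], "current": [], "unknown": []}
    for host, raw in sorted(inventory.items()):
        status = needs_update(raw)
        key = "unknown" if status is None else "outdated" if status else "current"
        report[key].append(host)
    return report


# Constructed sample inventory (hypothetical hosts and version outputs).
SAMPLE = {
    "ws-01": "Google Chrome 138.0.7204.157",
    "ws-02": "Google Chrome 138.0.7204.99 ",
    "ws-03": "Google Chrome 137.0.7151.120",
    "ws-04": "Google Chrome 138.0.7204.158",
    "ws-05": "chrome: command not found",
    "ws-06": "Google Chrome 139.0.7258.5 beta",
}

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE).items():
        print(f"{status}: {', '.join(hosts) or '-'}")
```

Hosts that land in the unknown bucket returned no parseable version and need a manual check rather than being counted as patched.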

Yadullah Abidi

Yadullah is a Computer Science graduate who writes/edits/shoots/codes all things cybersecurity, gaming, and tech hardware. When he's not, he streams himself racing virtual cars. He's been writing and reporting on tech and cybersecurity with websites like Candid.Technology and MakeUseOf since 2018. You can contact him here: yadullahabidi@pm.me.
