Google has addressed a critical zero-day vulnerability in Chrome, marking the fifth such incident this year. The flaw, identified as CVE-2025-6558, is a high-severity issue arising from improper validation of untrusted input in ANGLE and Chrome’s GPU component, which handle rendering tasks. Discovered by Google Threat Analysis Group (TAG) researchers, the vulnerability is being exploited to bypass Chrome’s sandbox, a security measure that isolates browser processes. Users could be targeted by visiting specially crafted HTML pages. While the attackers’ intentions remain unclear, the involvement of Google TAG suggests possible use by state-sponsored actors or spyware vendors.
The vulnerability, along with two others affecting Chrome’s V8 engine and WebRTC feature, impacts Chrome versions prior to v138.0.7204.157/.158 on Windows and macOS, and prior to v138.0.7204.157 on Linux. Users are advised to update promptly, with automatic updates requiring just a browser restart. Microsoft is also preparing a fix for its Chromium-based Edge browser, and similar updates are expected soon for other Chromium-based browsers like Brave, Opera, and Vivaldi.