Urgent: Update Chrome Now to Patch Critical Zero-Day Exploit (CVE-2025-6558)

Summary
– Google has patched its fifth Chrome zero-day vulnerability (CVE-2025-6558) this year, which is actively exploited by attackers.
– CVE-2025-6558 is a high-severity flaw in ANGLE and GPU due to incorrect input validation, allowing attackers to bypass Chrome’s sandbox.
– The vulnerability requires users to visit a malicious HTML page and is likely exploited by state-sponsored or spyware-linked actors.
– Affected versions include Chrome for Windows, macOS, and Linux prior to v138.0.7204.157/.158, with updates rolling out soon.
– Microsoft and other Chromium-based browsers (Brave, Opera, Vivaldi) are also working on fixes for this zero-day flaw.
Google Chrome users face an urgent security threat as hackers exploit a critical zero-day vulnerability (CVE-2025-6558) in active attacks. The browser’s fifth major security flaw this year requires immediate attention, with malicious actors already weaponizing the weakness to bypass Chrome’s protective sandbox environment.
This high-risk vulnerability originates from improper input validation within ANGLE (Almost Native Graphics Layer Engine) and GPU components. These fundamental parts of Chrome handle graphics acceleration and rendering processes. Security researchers from Google’s Threat Analysis Group discovered the flaw on June 23, noting its active exploitation in real-world attacks.
The vulnerability allows attackers to break free from Chrome’s security sandbox – the protective barrier that normally keeps browser tabs and plugins isolated. By compromising this defense mechanism, hackers gain significantly more control over affected systems. Successful exploitation requires victims to visit a maliciously crafted webpage, though the full scope of potential damage remains undisclosed.
Industry experts suspect nation-state actors or commercial spyware vendors may be behind these attacks, given Google’s specialized threat team reported the issue. The vulnerability joins two additional security flaws patched in this update: an integer overflow in Chrome’s V8 JavaScript engine (CVE-2025-7656) and a memory management issue in WebRTC (CVE-2025-7657).
Affected versions include Chrome for Windows and macOS before 138.0.7204.157/.158, and Linux versions prior to 138.0.7204.157. While the update rolls out gradually, users should manually check for and install it immediately rather than waiting for automatic updates. Simply restarting the browser after the update downloads completes the patching process.
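Because the fix ships as a specific build number rather than a feature you can see, the practical check is a numeric version comparison against the first patched build quoted above. The following is an added example, not code from the article or from Google: it parses the kind of string `google-chrome --version` prints (or a bare version from an inventory export), compares it numerically against the advisory's minimum patched build per platform, and lists hosts that still need the update. The host names and version strings are constructed samples; the patched-build table is taken from the advisory text.

```python
"""Flag Chrome installs below the first build patched for CVE-2025-6558.

Thresholds come from the advisory: 138.0.7204.157 on Linux, and
138.0.7204.157/.158 on Windows and macOS, so .157 is the first fixed build
on every platform. Sample inventory below is constructed, not real hosts.
"""
import re
from typing import Iterable, List, Tuple

# First patched build per platform (from the advisory text).
PATCHED_MIN = {
    "linux": "138.0.7204.157",
    "windows": "138.0.7204.157",
    "macos": "138.0.7204.157",
}

# Chrome versions are four dot-separated integers.
_VERSION_RE = re.compile(r"(\d+(?:\.\d+){3})")


def parse_version(text: str) -> Tuple[int, ...]:
    """Extract a four-part Chrome version from a string such as
    'Google Chrome 138.0.7204.100' (the format `google-chrome --version`
    prints) or a bare '138.0.7204.157'."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no Chrome version found in {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def is_patched(version_text: str, platform: str) -> bool:
    """True if the build is at or above the first fixed build for the platform.

    Comparison is on integer tuples on purpose: a plain string comparison
    would rank '138.0.7204.99' above '138.0.7204.157' and miss a vulnerable
    install.
    """
    minimum = parse_version(PATCHED_MIN[platform.lower()])
    return parse_version(version_text) >= minimum


def triage(inventory: Iterable[Tuple[str, str, str]]) -> List[str]:
    """Return the hosts (from (host, platform, version_string) rows) that are
    still below the patched build and need the update pushed."""
    return [host for host, plat, ver in inventory if not is_patched(ver, plat)]


# Constructed sample inventory; hosts and versions are illustrative only.
SAMPLE_INVENTORY = [
    ("ws-01", "linux", "Google Chrome 138.0.7204.100"),
    ("ws-02", "windows", "138.0.7204.157"),
    ("ws-03", "macos", "138.0.7204.158"),
    ("ws-04", "linux", "137.0.7151.119"),
    ("ws-05", "windows", "138.0.7204.99"),
]

if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print(f"{host}: below 138.0.7204.157, update required")
```

Feed `triage` the output of whatever inventory tool you already have; the only requirement is that each row carries the platform and a string containing the four-part version. Chrome's stable channel numbering makes the tuple comparison safe, which is why the parser rejects anything that is not exactly four numeric parts.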
Microsoft confirmed its Edge browser, built on Chromium, will receive corresponding security fixes soon. Other Chromium-based browsers including Brave, Opera, and Vivaldi will likely follow with their own patches in the coming days.
This incident marks the latest in a growing trend of sophisticated browser attacks, emphasizing the critical importance of timely software updates. Security professionals recommend enabling automatic updates where possible and maintaining vigilance against suspicious links or websites.
(Source: HelpNet Security)