Google released fixes for six security vulnerabilities in its Chrome browser, including one being actively exploited (CVE-2025-6558, CVSS score: 8.8). This flaw involves incorrect validation of untrusted input within the ANGLE and GPU components. Attackers could potentially escape the Chrome sandbox through crafted HTML pages, risking deeper system access. The vulnerability exposes users simply by visiting malicious sites, which could lead to silent compromises. The flaw was discovered by Clément Lecigne and Vlad Stolyarov, and there are suspicions of nation-state involvement.
The high-severity vulnerability in question is CVE-2025-6558 (CVSS score: 8.8), described as an incorrect validation of untrusted input in the browser's ANGLE and GPU components.
'Insufficient validation of untrusted input in ANGLE and GPU in Google Chrome prior to 138.0.7204.157 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page,' according to the description from the NVD.
Vulnerabilities in the ANGLE module can let attackers escape Chrome's sandbox by abusing low-level GPU operations, making this a rare but powerful path to deeper system access.
The development comes about two weeks after Google addressed another actively exploited Chrome zero-day (CVE-2025-6554, CVSS score: 8.1), which was also reported by Lecigne on June 25, 2025.
Collection
[
|
...
]