Google Patches 6 Chrome Security Flaws, Including Actively Exploited Zero-Day – LinkedIn
Agree & Join LinkedIn
By clicking Continue to join or sign in, you agree to LinkedIn’s User Agreement, Privacy Policy, and Cookie Policy.
Create your free account or sign in to continue your search
or
By clicking Continue to join or sign in, you agree to LinkedIn’s User Agreement, Privacy Policy, and Cookie Policy.
New to LinkedIn? Join now
or
New to LinkedIn? Join now
By clicking Continue to join or sign in, you agree to LinkedIn’s User Agreement, Privacy Policy, and Cookie Policy.
Google has released a security update for Chrome addressing six vulnerabilities, including one actively exploited flaw that allows attackers to escape the browser’s sandbox protection.
The most critical issue, tracked as CVE-2025-6558, is rated high severity – CVSS score: 8.8 and was discovered by Clément Lecigne and Vlad Stolyarov from Google’s Threat Analysis Group (TAG) on June 23, 2025
The vulnerability stems from insufficient validation of untrusted input in ANGLE and GPU components and affects Chrome versions prior to 138.0.7204.157.
According to the National Vulnerability Database (NVD), this flaw could allow a remote attacker to escape Chrome’s sandbox via a specially crafted HTML page.
ANGLE (Almost Native Graphics Layer Engine) is a key component used by Chrome to translate OpenGL ES API calls for various graphics backends like Direct3D, Metal, Vulkan, and OpenGL. Since ANGLE processes GPU commands from untrusted sources such as WebGL, flaws here pose significant security risks.
For most users, this means that simply visiting a malicious website could lead to a compromise, particularly in targeted attacks where no additional user interaction is required.
This vulnerability enables remote attackers to execute arbitrary code within Chrome’s GPU process. Google has withheld technical details to protect users while updates are rolled out, stating:
While Google has not provided details on how the vulnerability is being exploited, its acknowledgment that “an exploit exists in the wild” suggests the involvement of sophisticated attackers, potentially nation-state actors.
The Chrome sandbox is a critical defense that isolates browser processes from the operating system, preventing malware from compromising devices.
Other fixes included in this update:
CVE-2025-7656: High-severity flaw in the V8 JavaScript engine
Integer overflow in V8 in Google Chrome prior to 138.0.7204.157 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
CVE-2025-7657: Use-after-free issue in WebRTC
Use after free in WebRTC in Google Chrome prior to 138.0.7204.157 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
None of these are currently known to be under active exploitation.
CVE-2025-6558 is the fifth actively exploited Chrome vulnerability fixed this year.
Earlier cases, all of which are rated High security severity include:
March: CVE-2025-2783, a sandbox escape exploited in espionage attacks targeting Russian government agencies and media, patched after discovery by Kaspersky. Incorrect handle provided in unspecified circumstances in Mojo in Google Chrome on Windows prior to 134.0.6998.177 allowed a remote attacker to perform a sandbox escape via a malicious file.
May: CVE-2025-4664, a zero-day allowing account hijacking. Insufficient policy enforcement in Loader in Google Chrome prior to 136.0.7103.113 allowed a remote attacker to leak cross-origin data via a crafted HTML page.
June: CVE-2025-5419, a severe out-of-bounds read/write bug in V8, reported by Google TAG. Out of bounds read and write in V8 in Google Chrome prior to 137.0.7151.68 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
July: CVE-2025-6554, another V8 engine flaw, also discovered by TAG researchers. Type confusion in V8 in Google Chrome prior to 138.0.7204.96 allowed a remote attacker to perform arbitrary read/write via a crafted HTML page.
Due to the high risk and confirmed exploitation, users are strongly urged to update Chrome immediately to version 138.0.7204.157/.158 on Windows and macOS, and 138.0.7204.157 on Linux.
To check for updates: go to More > Help > About Google Chrome, then relaunch the browser.
Other Chromium-based browsers — such as Microsoft Edge, Brave, Opera, and Vivaldi — are also affected and users should apply updates when they become available.
Although vulnerabilities like this may not always dominate headlines, they frequently reappear in exploit chains or targeted attacks. Chrome users and security professionals should remain vigilant for issues involving GPU sandbox escapes, shader bugs, WebGL vulnerabilities, privilege boundary bypasses, and rendering-related memory corruption.
CEO en CODECO: Personas y Negocio Juntos ® La Seguridad es un proceso, no es un producto
It´s time to perform a major Chrome update
Expert in IT Management, Datacenter & Op’s
The days when I just used Pine my fav txt based browser :)
Building highly custom AI-powered agile systems to meet your needs, ensuring the ability to scale and future-proof your success
Isn’t it time that Chrome be completely rewritten in Rust… not that that will solve every security threat, but it surely would address some major underpinnings that are a constant attack vector!
Information Technology Security and ISMS at CCM Customer Communication Management
Be honest, who trust chrome and firefox which introduce vulnerabilty patch every other day? Nothing comes for free.
Timely reminder of how fast the digital threat landscape can shift. Staying ahead of vulnerabilities requires more than just updates—it calls for a proactive mindset across teams. Encouraging regular #training, building cyber-aware #leadership, and supporting staff to #upskill are all part of strengthening resilience. It’s also where smart #techinnovation plays a key role in keeping systems secure and agile.
To view or add a comment, sign in
Malicious actors are now hiding malware inside DNS records, exploiting a critical blind spot in most organizations’…
A critical vulnerability, tracked as CVE-2025-20337 has been identified in Cisco Identity Services Engine (ISE)…
A recent wave of cyber attacks have demonstrated critical security issues impacting help desk processes for account…
The UK’s National Cyber Security Centre (NCSC) has launched the Vulnerability Research Initiative (VRI) to enhance its…
Preparing Your Organisation for the Windows 11 Upgrade Before Autumn 2025 & Why you should act now to meet new hardware…
Researchers at PCA Cyber Security have uncovered a set of critical vulnerabilities, collectively named PerfektBlue, in…
A major data breach has exposed the personal information of McDonald’s job applicants after security researchers…
How to Choose the Right SOC Partner Without Surprise Costs Hackers in 2025 don’t sleep, and neither can your security…
Four individuals have been arrested by the UK’s National Crime Agency (NCA) in connection with cyber-attacks that…
Microsoft has released its July 2025 Patch Tuesday edition, addressing 100+ security vulnerabilities across the Windows…
