Валентин Шнайдер Hot News 16 July 2025, 16:13

Google has released an urgent Chrome update due to the critical vulnerability CVE-2025-6558

A vulnerability in the browser’s graphics module is already being actively exploited in real attacks, Google warns.

Google released a security update for its Chrome browser on July 15, patching six vulnerabilities, one of which is already being used by hackers in active attacks, The Hacker News reports .

This is a vulnerability with the identifier CVE-2025-6558 (CVSS 8.8), which is associated with insufficient validation of untrusted data in the ANGLE and GPU components. According to the US National Vulnerability Database (NVD), a specially crafted HTML page can initiate an exit from the Chrome sandbox, gaining access to the system level of the OS.

ANGLE (Almost Native Graphics Layer Engine) acts as an intermediate layer between the browser engine and the device graphics drivers. Vulnerabilities in this subsystem are rare, but potentially extremely dangerous, as they allow isolation mechanisms to be bypassed, which is critical in the context of targeted attacks.

According to Google, the exploit is already circulating in the wild. The vulnerability was discovered by researchers from the Threat Analysis Group, namely Clement Lessignier and Vladislav Stolyarov. It was registered back on June 23, 2025, but the company has not yet disclosed the details of the exploitation. At the same time, given the specifics of the discovery, experts suggest the involvement of state hacking structures.

Google recommends that you urgently update your browser to version 138.0.7204.157/158 for Windows and macOS or 138.0.7204.157 for Linux. You can check your version in the Help > About Google Chrome menu. Updates are also recommended for users of other Chromium-based browsers — Edge, Brave, Opera, Vivaldi.

This is the fifth zero-day vulnerability in Chrome since the beginning of 2025. Previous ones include CVE-2025-2783, CVE-2025-4664, CVE-2025-5419, and the recent CVE-2025-6554, also found by TAG.

Vulnerabilities related to GPU, WebGL, and shader processing don’t always make headlines, but they often become part of chain attacks or are used in next-generation exploits. Security experts advise paying special attention to patches for browser graphics modules, as this is where new attack vectors are increasingly emerging.

We previously wrote about how Google released an urgent update for Chrome due to a new vulnerability that was already being exploited by hackers. The company has fixed a fourth zero-day vulnerability in 2025. This time, it’s a dangerous Type Confusion bug in the V8 JavaScript engine.