Google has released a security update to address half a dozen vulnerabilities in Chrome, one of which has been actively exploited by attackers to escape the browser’s sandbox protection.
The vulnerability is identified as CVE-2025-6558 and received a high-severity rating of 8.8. It was discovered on June 23 by researchers from Google's Threat Analysis Group (TAG).
The security issue is described as insufficient validation of untrusted input in ANGLE and GPU that affects Google Chrome versions before 138.0.7204.157. An attacker who successfully exploits it could perform a sandbox escape using a specially crafted HTML page.
ANGLE (Almost Native Graphics Layer Engine) is an open-source graphics abstraction layer used by Chrome to translate OpenGL ES API calls to Direct3D, Metal, Vulkan, and OpenGL.
Because ANGLE processes GPU commands from untrusted sources, such as websites using WebGL, bugs in this component can have a significant security impact.
The vulnerability allows a remote attacker using a specially crafted HTML page to execute arbitrary code within the browser's GPU process. Google has not provided technical details on how triggering the issue can lead to escaping the browser sandbox.
“Access to bug details and links may be kept restricted until a majority of users are updated with a fix,” Google says in the security bulletin.
“We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven’t yet fixed.”
The Chrome sandbox is a core security mechanism that isolates browser processes from the underlying operating system, thus preventing malware from spreading outside the web browser to compromise the device.
Given the high risk of CVE-2025-6558 and its active exploitation, Chrome users are advised to update as soon as possible to version 138.0.7204.157/.158, depending on their operating system.
You can do this by navigating to chrome://settings/help and allowing the update check to finish. The update will be applied after restarting the web browser.
The current Chrome security update includes fixes for five more vulnerabilities, including a high-severity flaw in the V8 engine tracked as CVE-2025-7656 and a use-after-free issue in WebRTC tracked as CVE-2025-7657. None of these five were marked as actively exploited.
CVE-2025-6558 is the fifth actively exploited flaw discovered and fixed in the Chrome browser since the start of the year.
In March, Google patched a high-severity sandbox escape flaw, CVE-2025-2783, discovered by Kaspersky researchers. The vulnerability was exploited in targeted espionage attacks against Russian government agencies and media organizations, delivering malware.
Two months later, in May, Google released another update to fix CVE-2025-4664, a zero-day vulnerability in Chrome that allowed attackers to hijack user accounts.
In June, the company addressed another severe issue, CVE-2025-5419, an out-of-bounds read/write in Chrome’s V8 JavaScript engine, reported by Benoît Sevens and Clément Lecigne of Google TAG.
Earlier this month, Google also fixed the fourth zero-day flaw in Chrome, CVE-2025-6554, also in the V8 engine, which was discovered by Google TAG researchers.