Google has released a security update for its Chrome browser addressing a high-severity zero-day vulnerability that was actively exploited in the wild. The flaw, tracked as CVE-2025-6558, allowed attackers to escape Chrome’s sandbox—a key security feature designed to isolate browser processes from the host operating system.
The vulnerability was discovered by Clément Lecigne and Vlad Stolyarov of Google’s Threat Analysis Group (TAG), a team known for tracking and investigating high-level threats, including those from state-sponsored actors. According to Google, CVE-2025-6558 results from insufficient validation of untrusted input within the browser’s ANGLE and GPU components. This flaw enabled malicious websites to exploit GPU processes and break free from Chrome’s sandbox environment, potentially leading to arbitrary code execution on the underlying system.
Google acknowledged that the vulnerability had been exploited in the wild but did not share technical specifics about the attacks. This is a common practice meant to protect users while security updates are being deployed and to reduce the risk of further exploitation. The company offered minimal details regarding the scope or nature of the exploitation, but its public classification of the bug as a sandbox escape indicates a serious threat to user security.
The issue has been addressed in Chrome version 138.0.7204.157 for Windows, macOS, and Linux systems. Google began rolling out the patches on July 16, 2025, and recommends all users apply the update as soon as possible. Users can do so by navigating to Chrome’s settings, selecting “Help,” and checking for updates under “About Google Chrome.” A browser restart is required to complete the update process.
This zero-day marks the fifth actively exploited Chrome vulnerability disclosed and patched by Google in 2025. It follows a pattern of attacks targeting the browser’s secure process isolation architecture. Earlier this year, vulnerabilities such as CVE-2025-2783 and CVE-2025-6554 were reported and patched under similar circumstances, emphasizing the ongoing interest of threat actors in leveraging browser-based zero-days as part of larger targeted campaigns.
