The security issue is described as an insufficient validation of untrusted input in ANGLE and GPU that affects Google Chrome versions before 138.0.7204.157. An attacker successfully exploiting it could perform a sandbox escape by using a specially crafted HTML page. Google has released a security update for Chrome to address half a dozen vulnerabilities, one of them actively exploited by attackers to escape the browser's sandbox protection. The current Chrome security update contains fixes for five more vulnerabilities, including a high-severity flaw in the V8 engine tracked as CVE-2025-7656, and a use-after-free issue in WebRTC tracked under CVE-2025-7657. Chrome sandbox component is a core security mechanism that isolates browser processes from the underlying operating system, thus preventing malware from spreading outside the web browser to compromise the device. Earlier this month, Google fixed the fourth zero-day flaw in Chrome, CVE-2025-6554, also in the V8 engine, that was discovered by GTAG researchers. Two months later, in May, Google issued another update to fix CVE-2025-4664, a zero-day vulnerability in Chrome that allowed attackers to hijack user accounts. In June, the company addressed yet another severe issue, CVE-2025-5419, an out-of-bounds read/write vulnerability in Chrome’s V8 JavaScript engine, reported by Google TAG’s Benoît Sevens and Clément Lecigne. Given the high risk and active exploitation status of CVE-2025-6558, Chrome users are advised to update as soon as possible to version 138.0.7204.157/.158, depending on their operating system. CVE-2025-6558 is the fifth actively exploited flaw discovered and fixed in Chrome browser since the beginning of the year. In March, Google patched a high-severity sandbox escape flaw, CVE-2025-2783, discovered by Kaspersky researchers.
This Cyber News was published on www.bleepingcomputer.com. Publication date: Wed, 16 Jul 2025 09:50:15 +0000