Google has released a critical Stable Channel update for Chrome Desktop (version 138.0.7204.157/.158), addressing six security vulnerabilities, including one that is already being exploited in the wild. The update is rolling out now for Windows, Mac, and Linux, with automatic updates expected over the coming days and weeks.
The most urgent flaw addressed in this release is CVE-2025-6558, a High-severity bug involving incorrect validation of untrusted input in ANGLE and GPU components.
Discovered by Clément Lecigne and Vlad Stolyarov of Google’s elite Threat Analysis Group (TAG), this vulnerability is currently being exploited by attackers to potentially gain unauthorized access or execute malicious code on targeted machines.
“Google is aware that an exploit for CVE-2025-6558 exists in the wild,” the company confirmed.
ANGLE (Almost Native Graphics Layer Engine) is a crucial layer that translates WebGL and other graphics calls to the host system’s native APIs. A flaw in this layer could allow attackers to manipulate rendering processes to run malicious code.
In addition to CVE-2025-6558, Google patched the following High-severity issues:
- CVE-2025-7656 – An integer overflow in V8, Chrome’s JavaScript engine, reported by Shaheen Fazim. Awarded a $7,000 bounty, this vulnerability could be leveraged to corrupt memory and potentially lead to arbitrary code execution.
- CVE-2025-7657 – A use-after-free vulnerability in WebRTC, the real-time communication protocol used for video, voice, and file sharing. Reported by jakebiles, this bug could lead to memory corruption and remote crashes or compromise.
If you’re using Chrome on any platform—Windows, Mac, or Linux—update immediately. Chrome typically auto-updates in the background, but users can manually check by navigating to: Settings > About Chrome > Update. Once updated, restart your browser to ensure the patches are applied.
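For administrators checking many machines, the version check and the restart requirement described above can be scripted. This is an added example, not code from Google or from the original article; the inventory format, hostnames and sample versions are constructed, and it assumes 138.0.7204.157 is the minimum fixed build on every platform.

```python
import re

# Fixed build named in the article. Treating it as the floor on every
# platform is an assumption of this example.
PATCHED = (138, 0, 7204, 157)

def parse_version(text):
    """Pull a four-part Chrome version out of a string such as
    'Google Chrome 138.0.7204.101' and return it as a tuple of ints."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)\.(\d+)", text or "")
    return tuple(int(p) for p in m.groups()) if m else None

def classify(installed, running=None):
    """Return 'patched', 'restart-needed', 'vulnerable' or 'unknown'.

    installed: version string of the browser binary on disk
    running:   version string of the live browser process, if collected
    """
    on_disk = parse_version(installed)
    if on_disk is None:
        return "unknown"
    # Tuples compare numerically, so .96 sorts below .157 (a plain
    # string comparison would get this wrong).
    if on_disk < PATCHED:
        return "vulnerable"
    live = parse_version(running) if running else None
    # The update is staged on disk but the old build is still executing.
    if live is not None and live < PATCHED:
        return "restart-needed"
    return "patched"

# Constructed sample inventory: (host, installed, running).
INVENTORY = [
    ("ws-001", "Google Chrome 138.0.7204.158", "138.0.7204.158"),
    ("ws-002", "Google Chrome 138.0.7204.157", "138.0.7204.101"),
    ("ws-003", "Google Chrome 138.0.7204.96", "138.0.7204.96"),
    ("ws-004", "not installed", None),
]

def audit(rows):
    """Map each host to its patch status."""
    return {host: classify(inst, run) for host, inst, run in rows}

if __name__ == "__main__":
    for host, status in audit(INVENTORY).items():
        print(f"{host}: {status}")
```

Hosts reported as `restart-needed` have the fixed build installed but are still running the old one until the browser is relaunched.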