Google Releases Emergency Update to Patch Actively Exploited Chrome Zero-Day Vulnerability

Google has issued an urgent security update for its Chrome browser to address a critical zero-day vulnerability, identified as CVE-2025-6558, which is currently being actively exploited by malicious actors. This flaw, stemming from improper validation in Chrome’s ANGLE and GPU components, poses significant security risks, potentially allowing attackers to execute arbitrary code on affected systems.

Details of the Vulnerability

CVE-2025-6558 was discovered and reported by Clément Lecigne and Vlad Stolyarov from Google’s Threat Analysis Group on June 23, 2025. The vulnerability arises from incorrect validation of untrusted input within Chrome’s ANGLE and GPU components. ANGLE (Almost Native Graphics Layer Engine) is an open-source graphics engine abstraction layer used in Chrome to translate OpenGL ES API calls to native platform-specific graphics APIs. A flaw in this component can lead to improper handling of graphics rendering, potentially allowing attackers to execute arbitrary code or cause system crashes.

Additional High-Severity Vulnerabilities Addressed

In addition to CVE-2025-6558, the update addresses two other high-severity vulnerabilities:

1. CVE-2025-7656: An integer overflow issue in V8, Chrome’s JavaScript engine, reported by security researcher Shaheen Fazim. Integer overflow vulnerabilities occur when an arithmetic operation produces a value outside the range the data type can represent, so the result wraps around, potentially leading to unexpected behavior or security breaches. Fazim was awarded a $7,000 bounty for this discovery.

2. CVE-2025-7657: A use-after-free vulnerability in WebRTC functionality, reported by researcher jakebiles. Use-after-free vulnerabilities occur when a program continues to use a pointer after the memory it points to has been freed, leading to potential code execution or system crashes.

Google’s Response and Mitigation Measures

Upon discovery of these vulnerabilities, Google acted swiftly to mitigate potential threats. The company released Chrome version 138.0.7204.157/.158 for Windows and Mac systems, and version 138.0.7204.157 for Linux distributions. These updates are being rolled out globally over the coming days and weeks as part of Google’s standard deployment process.

To prevent malicious actors from exploiting these vulnerabilities before users have updated their browsers, Google has restricted access to detailed bug information until the majority of users have received the security update. This approach helps prevent reverse-engineering of patches to develop new exploits.

Recommendations for Users

Given the active exploitation of CVE-2025-6558, it is imperative for users to update their Chrome browsers immediately. While Chrome typically updates automatically, users can manually check for updates by navigating to the browser’s settings menu and selecting About Google Chrome. Ensuring that the browser is updated to version 138.0.7204.157 or higher will provide protection against these vulnerabilities.

Organizations should prioritize deploying this update across their networks to prevent potential compromises through malicious websites targeting the zero-day vulnerability.
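For organizations checking whether their fleet has received the fix, the following added example (not code from Google or from the article) compares reported Chrome version strings against the fixed build named above. Host names and version outputs are constructed sample data; the only real value is the fixed version 138.0.7204.157.

```python
"""Fleet audit: is each reported Chrome build at or above the fixed release?"""
from __future__ import annotations
import re

# First fixed build named in the advisory; Windows/Mac also shipped .158.
FIXED_VERSION = "138.0.7204.157"


def parse_version(text: str) -> tuple[int, ...]:
    """Pull a dotted version such as '138.0.7204.158' out of raw text like the
    output of `google-chrome --version`. Raises ValueError if none is present."""
    m = re.search(r"\b(\d+(?:\.\d+){1,3})\b", text)
    if not m:
        raise ValueError(f"no version string in {text!r}")
    return tuple(int(p) for p in m.group(1).split("."))


def is_patched(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True when `installed` is the fixed build or newer. Comparing integer
    tuples avoids the classic string-comparison mistake, where
    '138.0.7204.99' sorts above '138.0.7204.157'."""
    return parse_version(installed) >= parse_version(fixed)


def audit(inventory: dict[str, str], fixed: str = FIXED_VERSION) -> list[str]:
    """Return the hosts whose Chrome is still exposed. `inventory` maps a host
    name to the raw version string it reported; an unparsable report is treated
    as exposed rather than silently passed."""
    exposed = []
    for host, raw in inventory.items():
        try:
            if not is_patched(raw, fixed):
                exposed.append(host)
        except ValueError:
            exposed.append(host)
    return exposed


if __name__ == "__main__":
    # Constructed sample inventory (hypothetical host names, not real data).
    sample = {
        "ws-01": "Google Chrome 138.0.7204.158",  # patched (.158 build)
        "ws-02": "Google Chrome 138.0.7204.100",  # older build, exposed
        "ws-03": "Chromium 139.0.7258.5",         # newer major, patched
        "ws-04": "Google Chrome 138.0.7204.99",   # string compare would pass this
        "ws-05": "command not found",             # no Chrome found: flag it
    }
    print("needs update:", audit(sample))  # → ['ws-02', 'ws-04', 'ws-05']
```

Feed `audit` whatever your inventory tool returns for `chrome --version` (or the Windows product version) per host; anything unparsable is deliberately reported as exposed.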

Broader Implications

The discovery and active exploitation of this zero-day vulnerability underscore the ongoing challenges in cybersecurity, particularly concerning widely used software like web browsers. It highlights the importance of prompt patching and the need for continuous vigilance against emerging threats.

Google’s rapid response and the implementation of advanced security testing tools demonstrate the company’s commitment to user safety. However, users must also play a proactive role by ensuring their software is up-to-date and by practicing good cyber hygiene to mitigate potential risks.