Google fixes actively exploited sandbox escape zero day in Chrome

Google has released a security update for Chrome to address half a dozen vulnerabilities, one of them actively exploited by attackers to escape the browser’s sandbox protection.

The vulnerability is identified as CVE-2025-6558 and received a high-severity rating of 8.8. It was discovered by researchers at Google’s Threat Analysis Group (TAG) on June 23.

The security issue is described as an insufficient validation of untrusted input in ANGLE and GPU that affects Google Chrome versions before 138.0.7204.157. An attacker successfully exploiting it could perform a sandbox escape by using a specially crafted HTML page.

ANGLE (Almost Native Graphics Layer Engine) is an open-source graphics abstraction layer used by Chrome to translate OpenGL ES API calls to Direct3D, Metal, Vulkan, and OpenGL.

Because ANGLE processes GPU commands from untrusted sources like websites using WebGL, bugs in this component can have a critical security impact.

The vulnerability allows a remote attacker using a specially crafted HTML page to execute arbitrary code within the browser’s GPU process. Google has not provided the technical details on how triggering the issue could lead to escaping the browser’s sandbox.

“Access to bug details and links may be kept restricted until a majority of users are updated with a fix,” states Google in the security bulletin.

“We will also retain restrictions if the bug exists in a third-party library that other projects similarly depend on, but haven’t yet fixed.”

Chrome sandbox component is a core security mechanism that isolates browser processes from the underlying operating system, thus preventing malware from spreading outside the web browser to compromise the device.

Given the high risk and active exploitation status of CVE-2025-6558, Chrome users are advised to update as soon as possible to version 138.0.7204.157/.158, depending on their operating system.

You can do this by navigating to chrome://settings/help and allowing the update check to finish. Updates will be applied successfully after restarting the web browser.

The current Chrome security update contains fixes for five more vulnerabilities, including a high-severity flaw in the V8 engine tracked as CVE-2025-7656, and a use-after-free issue in WebRTC tracked under CVE-2025-7657. None of these five were highlighted as actively exploited.

CVE-2025-6558 is the fifth actively exploited flaw discovered and fixed in Chrome browser since the beginning of the year.

In March, Google patched a high-severity sandbox escape flaw, CVE-2025-2783, discovered by Kaspersky researchers. The vulnerability had been exploited in targeted espionage attacks against Russian government agencies and media organizations, delivering malware.

Two months later, in May, Google issued another update to fix CVE-2025-4664, a zero-day vulnerability in Chrome that allowed attackers to hijack user accounts.

In June, the company addressed yet another severe issue, CVE-2025-5419, an out-of-bounds read/write vulnerability in Chrome’s V8 JavaScript engine, reported by Google TAG’s Benoît Sevens and Clément Lecigne.

Earlier this month, Google fixed the fourth zero-day flaw in Chrome, CVE-2025-6554, also in the V8 engine, that was discovered by GTAG researchers.