Google has released a critical update for Chrome to address a high-severity zero-day vulnerability, CVE-2025-6558, which is currently being exploited in the wild. The flaw, which affects versions of Chrome prior to 138.0.7204.157, involves insufficient validation of untrusted input in the ANGLE and GPU components. This vulnerability allows remote attackers to potentially perform a sandbox escape through a crafted HTML page.
The vulnerability, identified as CWE-20, has been assigned a CVSS score of 8.8, indicating its high severity. It was added to the Known Exploited Vulnerabilities (KEV) catalog on July 22, 2025, just a week after its initial disclosure on July 15, 2025. The Exploit Prediction Scoring System (EPSS) for this vulnerability is relatively low at 0.002, yet its active exploitation underscores the urgency for users to update their browsers immediately.
Proof-of-concept exploits for CVE-2025-6558 are already available, with at least two known instances circulating. The Time to Exploit (TTE) for this vulnerability was notably short, with attackers leveraging the flaw within just over six days of its disclosure. This rapid exploitation highlights the critical need for organizations and individuals to prioritize patching.
Google's swift response in releasing a patch aims to mitigate the risk posed by this vulnerability. Users are strongly advised to update to the latest version of Chrome to protect against potential attacks. The Security Severity Vulnerability Classification (SSVC) for this issue is marked as 'attend,' indicating that immediate action is necessary to address the threat.
For cybersecurity professionals, monitoring for signs of exploitation and ensuring that all systems are updated is crucial. Given the active exploitation of this vulnerability, defenders should verify that their Chrome installations are updated to the latest version and remain vigilant for any indicators of compromise related to this flaw.
CSURFACE