Google not too long ago addressed a severe zero-day vulnerability in its Chrome browser that allowed sandbox escape. The tech large has rolled out the patch for Chrome for Desktop and Android gadgets amidst a number of different bug fixes. Customers should guarantee holding their gadgets up-to-date with the newest Chrome variations to keep away from potential threat as a result of unpatched vulnerabilities.
Google Chrome Zero-Day Flaw Allowed Sandbox Escape
Lately, Google patched a significant safety flaw in its Chrome browser that would threaten gadgets’ safety. Recognized as CVE-2025-6558, this vulnerability allowed an attacker to flee Chrome browser’s sandbox safety.
As said within the Chrome launch replace, the vulnerability affected Chrome’s ANGLE (Nearly Native Graphics Layer Engine) – the default graphics backend in Chrome, and GPU. An adversary might exploit the flaw by tricking the person into opening a maliciously crafted HTML file by way of the Chrome browser. As ANGLE processes GPU instructions from untrusted sources, processing a maliciously crafted HTML would let the attacker escape Chrome’s Sandbox safety.
Describing the problem, the vulnerability description reads,
Inadequate validation of untrusted enter in ANGLE and GPU in Google Chrome previous to 138.0.7204.157 allowed a distant attacker to probably carry out a sandbox escape by way of a crafted HTML web page.
Google listed this vulnerability as a high-severity challenge, which first caught the eye of Google’s Risk Evaluation Group researchers, Clément Lecigne and Vlad Stolyarov. The researchers reported this vulnerability in June 2025, following which, the tech large patched the flaw.
For now, Google has not described technical particulars about this vulnerability. In addition to, it confirmed detecting energetic exploits for this flaw within the wild, which makes it essential to include the main points to stop widespread exploitation makes an attempt.
Different Safety Fixes With The Newest Chrome Launch
Along with the vulnerability permitting sandbox escape, Google additionally addressed different vulnerabilities with the identical Chrome launch, rolling out a complete of six updates. Nevertheless, the tech large solely disclosed three of those within the Chrome launch replace (together with the above-described CVE-2025-6558), which have been reported by exterior safety researchers.
The opposite two vulnerabilities, whereas not mentioned intimately, embody,
- CVE-2025-7656 (excessive severity): An Integer overflow in Chrome’s V8 part. A distant attacker might exploit the flaw by way of a maliciously crafted HTML file. Google rewarded the researcher Shaheen Fazim for reporting this flaw with a $7000 bounty.
- CVE-2025-7657 (excessive severity): A use-after-free vulnerability in Chrome’s WebRTC. The vulnerability might permit a distant adversary to take advantage of heap corruption by way of a maliciously crafted HTML file.
Google patched all these vulnerabilities with Chrome secure launch for Desktop model 138.0.7204.157/.158 for Home windows and Mac and 138.0.7204.157 for Linux. In addition to, the agency launched the identical safety updates for Android customers as properly, by way of Chrome 138 (138.0.7204.157).
Though, these updates would possible attain all eligible programs routinely. Nonetheless, customers ought to nonetheless test and replace their gadgets manually to make sure they obtain all fixes well timed.
Tell us your ideas within the feedback.
