Vulnerabilities

Chrome Update Patches Fifth Zero-Day of 2025

Google has released a Chrome 138 security update that patches a zero-day, the fifth resolved in the browser this year.

Chrome security

Google on Tuesday announced a fresh set of Chrome security updates that resolve six vulnerabilities, including one exploited in the wild.

The zero-day bug, tracked as CVE-2025-6558, is described as an incorrect validation of untrusted input in the browser’s ANGLE and GPU components.

ANGLE, short for Almost Native Graphics Layer Engine, is an open source, cross-platform graphics engine used as the default WebGL backend in both Chrome and Firefox on Windows. Chrome primarily uses the GPU component to render graphics and video content on webpages.

According to a NIST advisory, successful exploitation of the flaw could allow remote attackers to escape the browser’s sandbox via crafted HTML pages.

“Google is aware that an exploit for CVE-2025-6558 exists in the wild,” Google notes in its advisory.

This is the fifth zero-day patched by Google in the Chrome browser to date this year.

Advertisement. Scroll to continue reading.

As usual, the internet giant refrained from sharing details on the observed attacks, but noted that the security defect was reported by Clément Lecigne and Vlad Stolyarov of Google’s Threat Analysis Group.

TAG researchers are known for uncovering vulnerabilities exploited by commercial spyware vendors, including some in the Chrome browser, and this could be the case for the newly disclosed CVE as well.

The fresh Chrome update addresses two other bugs reported by external researchers, namely CVE-2025-7656, an integer overflow issue in the V8 JavaScript engine, and CVE-2025-7657, a use-after-free flaw in WebRTC.

Google says it paid a $7,000 reward for the V8 defect, but has yet to disclose the amount handed out for the WebRTC issue. Per the company’s rules, no bug bounty will be awarded for the internally discovered zero-day.

The latest Chrome iteration is now rolling out as versions 138.0.7204.157/.158 for Windows and macOS, and as version 138.0.7204.157 for Linux. Users are advised to update their browsers as soon as possible.

Related: Chrome 138 Update Patches Zero-Day Vulnerability

Related: Chrome 138, Firefox 140 Patch Multiple Vulnerabilities

Related: Chrome 137 Update Patches High-Severity Vulnerabilities

Related: Chrome, Firefox Updates Resolve High-Severity Memory Bugs

Related Content

Vulnerabilities

The critical-severity security defect allows remote, authenticated attackers to execute arbitrary code on the server.

Vulnerabilities

The researcher stripped the proof-of-concept (PoC) exploit to prevent immediate exploitation of the vulnerability.

Risk Management

Three vulnerabilities are actively exploited in attacks, including two that have been targeted as zero-days.

Vulnerabilities

The company has rolled out a fix and is restoring access for Storage Zones Controller customers who apply it.

Vulnerabilities

Public exploit code targeting the Firefox flaws exists, but no in-the-wild exploitation has been observed.

Vulnerabilities

SonicWall SMA1000 zero-day vulnerabilities CVE-2026-15409 and CVE-2026-15410 can be exploited for remote code execution.

Vulnerabilities

Two flaws in Active Directory and SharePoint Server have been exploited as zero-days, and a BitLocker bug was publicly disclosed.

Vulnerabilities

Threat actors have been targeting Balbooa Forms and iCagenda Joomla extension flaws for remote code execution.

Copyright © 2026 SecurityWeek ®, a Wired Business Media Publication. All Rights Reserved.

Exit mobile version