Zero-day Sandbox Escape Vulnerability Being Exploited on Google Chrome

Nam Anh Mai D.Nam Anh Mai D.
2 min read

Recently, Google released a patch for a new zero-day vulnerability in the Google Chrome browser, which hackers are actively exploiting online.

Details

  • Vulnerability ID: CVE-2025-6558

  • CVSS Score (3.1): 8.8

  • Severity Level: HIGH

  • Description: The flaw occurs due to insufficient validation of untrusted input data in ANGLE and GPU on Google Chrome. An attacker can exploit this through a malicious HTML page to escape the browser sandbox, leading to the execution of malicious code on the victim's machine with elevated privileges.

  • Affected Versions: Google Chrome versions before 138.0.7204.157

ANGLE (Almost Native Graphics Layer Engine) is an intermediate graphics library used by Google Chrome to translate WebGL and OpenGL ES API graphics commands into commands compatible with the GPU hardware on each operating system, such as Direct3D, Metal, Vulkan, and OpenGL.

Typically, when users visit a website, data from the site is sent to ANGLE and the GPU to process the graphics components. If this input data comes from untrusted websites containing malicious code, it can cause Google Chrome to crash and open up vulnerabilities for exploitation.

Based on this, hackers have been actively exploiting this vulnerability through malicious HTML pages. These HTML pages contain exploit code, acting as input data for ANGLE and the GPU to process, leading to the possibility of escaping Chrome's sandbox and spreading malicious code to the user's device.

Recommendations & Remediation

In their announcement, Google recommends users to:Update Chrome to the latest version: Upgrade to version 138.0.7204.157/.158 for the stable version of Google Chrome on Windows and macOS, or to version 138.0.7204.157 for the Linux version.

  • Avoid visiting unfamiliar websites: Besides updating to the latest software version, users should avoid clicking on unfamiliar or untrustworthy links and websites. Do not download or install files or software from unknown sources.

  • Use security solutions: Install antivirus software, regularly back up data, and use advanced security solutions like 24/7 monitoring to ensure maximum system safety.

References

  1. Chrome Releases

  2. NVD - CVE-2025-6558

0
Subscribe to my newsletter

Read articles from Nam Anh Mai D. directly inside your inbox. Subscribe to the newsletter, and don't miss out.

Written by

Nam Anh Mai D.
Nam Anh Mai D.