Google recently addressed a serious zero-day vulnerability in its Chrome browser that allowed sandbox escape. The tech giant has rolled out the patch for Chrome for Desktop and Android devices amidst several other bug fixes. Users must ensure keeping their devices up-to-date with the latest Chrome versions to avoid potential risk due to unpatched vulnerabilities.
Google Chrome Zero-Day Flaw Allowed Sandbox Escape
Recently, Google patched a major security flaw in its Chrome browser that could threaten devices’ security. Identified as CVE-2025-6558, this vulnerability allowed an attacker to escape Chrome browser’s sandbox security.
As stated in the Chrome release update, the vulnerability affected Chrome’s ANGLE (Almost Native Graphics Layer Engine) – the default graphics backend in Chrome, and GPU. An adversary could exploit the flaw by tricking the user into opening a maliciously crafted HTML file via the Chrome browser. As ANGLE processes GPU commands from untrusted sources, processing a maliciously crafted HTML would let the attacker escape Chrome’s Sandbox security.
Describing the issue, the vulnerability description reads,
Insufficient validation of untrusted input in ANGLE and GPU in Google Chrome prior to 138.0.7204.157 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page.
Google listed this vulnerability as a high-severity issue, which first caught the attention of Google’s Threat Analysis Group researchers, Clément Lecigne and Vlad Stolyarov. The researchers reported this vulnerability in June 2025, following which, the tech giant patched the flaw.
For now, Google has not described technical details about this vulnerability. Besides, it confirmed detecting active exploits for this flaw in the wild, which makes it crucial to contain the details to prevent widespread exploitation attempts.
Other Security Fixes With The Latest Chrome Release
In addition to the vulnerability allowing sandbox escape, Google also addressed other vulnerabilities with the same Chrome release, rolling out a total of six updates. However, the tech giant only disclosed three of these in the Chrome release update (including the above-described CVE-2025-6558), which were reported by external security researchers.
The other two vulnerabilities, while not discussed in detail, include,
- CVE-2025-7656 (high severity): An Integer overflow in Chrome’s V8 component. A remote attacker could exploit the flaw via a maliciously crafted HTML file. Google rewarded the researcher Shaheen Fazim for reporting this flaw with a $7000 bounty.
- CVE-2025-7657 (high severity): A use-after-free vulnerability in Chrome’s WebRTC. The vulnerability could allow a remote adversary to exploit heap corruption via a maliciously crafted HTML file.
Google patched all these vulnerabilities with Chrome stable release for Desktop version 138.0.7204.157/.158 for Windows and Mac and 138.0.7204.157 for Linux. Besides, the firm released the same security updates for Android users as well, via Chrome 138 (138.0.7204.157).
Although, these updates would likely reach all eligible systems automatically. Nonetheless, users should still check and update their devices manually to ensure they receive all fixes timely.
Let us know your thoughts in the comments.