Google Chrome Zero-Day Actively Exploited in the Wild (CVE-2025-6558)
July 18th, 2025
High

Google has released an emergency security update addressing CVE-2025-6558, a high-severity vulnerability in the Chrome browser that has been actively exploited in the wild. Google describes the flaw as insufficient validation of untrusted input in ANGLE (Almost Native Graphics Layer Engine) and the GPU process; it was reported by Clément Lecigne and Vlad Stolyarov of Google's Threat Analysis Group on June 23, 2025. Crafted WebGL content served from a web page can corrupt memory in the GPU process, which runs outside the renderer sandbox, so the bug is a sandbox escape that can lead to code execution on the host when chained with further steps. Exploitation requires user interaction (visiting a malicious or compromised page). Chrome users and administrators are strongly advised to update to 138.0.7204.157/.158 or later as soon as possible.
Technical Details
CVE ID: CVE-2025-6558.
CVSS Score: 8.8 (High).
Component Affected: ANGLE / GPU Process.
Attack Vector: Remote (via browser).
Exploitability: Confirmed in the wild.
Affected Systems: Chrome for Windows, macOS, and Linux; other Chromium-based browsers ship the same ANGLE code and are affected until they pick up the fix.
User Interaction: Required (malicious site visit).
Patch Released: Chrome 138.0.7204.157/.158 (Stable channel, July 15, 2025); any later build also contains the fix.
The vulnerability is insufficient validation of untrusted input in ANGLE, the translation layer Chrome uses to map WebGL (OpenGL ES) calls onto the platform's native graphics API (Direct3D, Metal, Vulkan, or desktop OpenGL), and in the GPU process that hosts it. WebGL content such as shader source and draw parameters is attacker controlled and crosses from the renderer into the GPU process, so a validation gap there lets malicious JavaScript in an ordinary HTML page trigger memory corruption in the GPU process. That process is not a separate binary: on Windows it is a chrome.exe instance launched with --type=gpu-process, and it runs under a looser sandbox than renderers because it must talk to the graphics driver. Code execution there is therefore a sandbox escape from the renderer's perspective, not an automatic grant of administrative privileges, but it gives the attacker a far larger attack surface (driver and OS interfaces) for the next stage of a chain aimed at the host.

Impact
Google confirmed that an exploit for CVE-2025-6558 exists in the wild and that exploitation prior to the patch was limited and targeted. As usual for actively exploited Chrome bugs, technical details are withheld until most users have updated; a plausible chain, not confirmed by Google, is:
Malvertising, phishing links, or a compromised site delivering a crafted HTML page.
WebGL content that drives ANGLE into memory corruption inside the GPU process.
Code execution in the GPU process, followed by further escalation or payload delivery on the host.
Detection Method
The following anomalies are indicative of potential exploitation. On Windows the GPU process is a chrome.exe instance launched by the browser process with --type=gpu-process, so a rule keyed on an image name such as chrome_gpu.exe will never fire; command-line logging (Sysmon Event ID 1, or Windows event 4688 with command-line auditing enabled) is needed to tell the GPU process apart from renderer and utility processes. On macOS the helper is named Google Chrome Helper (GPU) and carries the same --type flag.
Frequent or unexpected crashes of the GPU process, including entries in chrome://crashes where crash reporting is enabled.
Sudden GPU process restarts or WebGL context losses recorded in Chrome's own logs (start Chrome with --enable-logging to capture them).
Any child process of the GPU process. GPU and renderer processes are sandboxed and never spawn children in normal operation, so the process tree chrome.exe (browser) → chrome.exe --type=gpu-process → anything is itself the alert; a command interpreter (cmd.exe, powershell.exe, pwsh.exe) or LOLBin (mshta.exe, rundll32.exe, regsvr32.exe) as the child warrants immediate response.
ANGLE-related error traces in browser logs.
Memory-tampering signatures inside the GPU process reported by EDR: unexpected executable heap regions, cross-process handle access, or injected threads.
Command interpreters spawned by the browser process itself (chrome.exe with no --type flag). The browser process legitimately launches its own helper processes and native messaging hosts, so treat these as medium confidence and review the full command line rather than alerting blindly.
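The process-tree logic above, as an added example written for this advisory (it is not Google's or any vendor's detection content): a small Python scanner over Sysmon Event ID 1 style records that flags any child of a sandboxed Chrome process and grades interpreters as high severity. The browser image names, the interpreter list and the sample events are assumptions constructed for the demonstration, not captured telemetry.

```python
"""Flag anomalous children of Chrome's sandboxed processes from process-creation events.

Added example for this advisory, not Google's or a vendor's detection content.
Input records follow Sysmon Event ID 1 field names (Image, CommandLine,
ParentImage, ParentCommandLine). The sample events below are constructed.
"""
from __future__ import annotations

import re

# Chromium-based browser executables to treat as "the browser" (assumption: extend for your fleet).
CHROMIUM_IMAGES = {"chrome.exe", "msedge.exe", "brave.exe", "opera.exe", "chrome", "chromium"}
# Interpreters and LOLBins whose appearance under a browser process is high-confidence bad.
INTERPRETERS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe", "sh", "bash"}
# Chrome process types that are sandboxed and never launch children in normal operation.
SANDBOXED_TYPES = {"gpu-process", "renderer"}


def basename(path: str) -> str:
    """Last path component for both Windows and POSIX paths, lower-cased."""
    return re.split(r"[\\/]", path)[-1].lower()


def chromium_process_type(image: str, cmdline: str) -> str | None:
    """Return Chrome's --type value ('gpu-process', 'renderer', ...), 'browser' for the
    top-level process, or None if the image is not a Chromium browser at all.
    macOS helper bundles ('Google Chrome Helper (GPU)') carry the same --type flag."""
    name = basename(image)
    if name in CHROMIUM_IMAGES or name.startswith("google chrome"):
        m = re.search(r"--type=([a-z-]+)", cmdline)
        return m.group(1) if m else "browser"
    return None


def classify(event: dict) -> tuple[str, str] | None:
    """Return (severity, reason) for a suspicious event, or None when it looks benign."""
    ptype = chromium_process_type(event["ParentImage"], event["ParentCommandLine"])
    if ptype is None:
        return None  # parent is not a browser; out of scope for this rule
    child = basename(event["Image"])
    child_type = chromium_process_type(event["Image"], event["CommandLine"])
    if ptype == "browser" and child_type is not None:
        return None  # browser process launching its own gpu/renderer/utility helpers: normal
    if ptype in SANDBOXED_TYPES:
        # A GPU or renderer process has no business creating children at all.
        severity = "high" if child in INTERPRETERS else "medium"
        return severity, f"{ptype} process spawned {child}"
    if child in INTERPRETERS:
        # The browser process occasionally launches such things legitimately (native messaging hosts).
        return "medium", f"browser process spawned {child}: review {event['CommandLine']!r}"
    return None


def scan(events: list[dict]) -> list[tuple[int, str, str]]:
    """Run classify() over a batch of events; returns (index, severity, reason) per hit."""
    hits = []
    for i, ev in enumerate(events):
        verdict = classify(ev)
        if verdict:
            hits.append((i, verdict[0], verdict[1]))
    return hits


CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
GPU_HELPER_MAC = ("/Applications/Google Chrome.app/Contents/Frameworks/Google Chrome Framework.framework"
                  "/Versions/138.0.7204.157/Helpers/Google Chrome Helper (GPU).app/Contents/MacOS"
                  "/Google Chrome Helper (GPU)")

# Constructed sample events (not captured telemetry).
SAMPLE_EVENTS = [
    {"Image": CHROME, "CommandLine": f'"{CHROME}" --type=gpu-process --gpu-preferences=AAAA',
     "ParentImage": CHROME, "ParentCommandLine": f'"{CHROME}"'},                       # 0 benign
    {"Image": r"C:\Windows\System32\cmd.exe", "CommandLine": r"cmd.exe /c whoami > C:\Users\Public\o.txt",
     "ParentImage": CHROME, "ParentCommandLine": f'"{CHROME}" --type=gpu-process'},     # 1 high
    {"Image": r"C:\Windows\System32\rundll32.exe", "CommandLine": r"rundll32.exe C:\Users\Public\x.dll,Run",
     "ParentImage": CHROME, "ParentCommandLine": f'"{CHROME}" --type=renderer'},        # 2 high
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "CommandLine": "powershell.exe -nop",
     "ParentImage": CHROME, "ParentCommandLine": f'"{CHROME}"'},                       # 3 medium
    {"Image": r"C:\Windows\System32\conhost.exe", "CommandLine": "conhost.exe 0x4",
     "ParentImage": r"C:\Windows\System32\svchost.exe", "ParentCommandLine": "svchost.exe -k netsvcs"},  # 4 none
    {"Image": "/bin/sh", "CommandLine": "/bin/sh -c id",
     "ParentImage": GPU_HELPER_MAC, "ParentCommandLine": f"{GPU_HELPER_MAC} --type=gpu-process"},   # 5 high
]

if __name__ == "__main__":
    for index, severity, reason in scan(SAMPLE_EVENTS):
        print(f"event {index}: [{severity}] {reason}")
```

Feed real Sysmon or 4688 records into scan() with the same four field names; the only fleet-specific tuning is the two sets at the top.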
Indicators of Compromise
There are no Indicators of Compromise (IOCs) for this advisory.

Recommendations
Update Immediately: Deploy Chrome 138.0.7204.157/.158 or later on all platforms (Windows/macOS/Linux). Chrome applies the update on the next restart, so relaunch long-running browsers rather than waiting for users to close them.
Verify Update Compliance: Use browser management tools or MDM to ensure all endpoints are patched.
Extend Protections to Chromium-based Browsers: Monitor for patches in Edge, Brave, Opera, etc., and apply as released.
Harden Browser Environments:
Enable Enhanced Safe Browsing
Restrict access to risky websites via DNS or proxy filtering
Disable WebGL where it is not needed (Chrome enterprise policy Disable3DAPIs) on VDI and sensitive systems. Disabling hardware acceleration alone (HardwareAccelerationModeEnabled) is not a mitigation for ANGLE bugs: WebGL then falls back to software rendering that still runs through ANGLE in the GPU process.
Monitor for Related Threat Activity:
Check for anomalies in browser process behavior across your fleet.
Incorporate detection rules based on the process and network activity mentioned above.
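For the Update Immediately and Verify Update Compliance items above, an added example (not a Google tool) of checking an inventory of Chrome version strings against the fixed build. It also shows the trap that makes naive compliance reports wrong: version strings must be compared as integer tuples, not as strings. The inventory, host names and the version-collection paths (the BLBeacon registry key, the macOS app path, the google-chrome binary) are assumptions for the demonstration.

```python
"""Check Chrome version strings against the CVE-2025-6558 fix version.

Added example for this advisory, not a Google tool. The inventory below is constructed.
"""
from __future__ import annotations

import platform
import re
import subprocess

# First Stable build carrying the fix; the page lists 138.0.7204.157/.158 for this release.
MIN_PATCHED = (138, 0, 7204, 157)

VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> tuple[int, int, int, int]:
    """Extract a four-part Chrome version from strings such as
    'Google Chrome 138.0.7204.157', 'Chromium 138.0.7204.100 Built on Debian',
    or a bare value '138.0.7204.158' read from the registry or an MDM export.
    Returned as integers: as strings, '138.0.7204.96' sorts after '138.0.7204.157'."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no Chrome version in {text!r}")
    major, minor, build, patch = (int(g) for g in m.groups())
    return major, minor, build, patch


def is_patched(version_text: str, minimum: tuple[int, int, int, int] = MIN_PATCHED) -> bool:
    """True when the version is at or above the first fixed build."""
    return parse_version(version_text) >= minimum


def audit(inventory: dict[str, str]) -> dict[str, list[str]]:
    """Split a {host: version string} inventory into patched / vulnerable / unknown hosts."""
    result: dict[str, list[str]] = {"patched": [], "vulnerable": [], "unknown": []}
    for host, text in inventory.items():
        try:
            result["patched" if is_patched(text) else "vulnerable"].append(host)
        except ValueError:
            result["unknown"].append(host)
    return result


def local_chrome_version() -> str | None:
    """Best-effort read of the locally installed Chrome version; paths are assumptions.
    Returns None when Chrome is not found or the lookup fails."""
    system = platform.system()
    try:
        if system == "Windows":
            import winreg  # Chrome records its installed version under HKCU\Software\Google\Chrome\BLBeacon
            with winreg.OpenKey(winreg.HKEY_CURRENT_USER, r"Software\Google\Chrome\BLBeacon") as key:
                return winreg.QueryValueEx(key, "version")[0]
        if system == "Darwin":
            cmd = ["/Applications/Google Chrome.app/Contents/MacOS/Google Chrome"]
        else:
            cmd = ["google-chrome"]
        out = subprocess.run(cmd + ["--version"], capture_output=True, text=True, timeout=10)
        return out.stdout.strip() or None
    except (OSError, subprocess.SubprocessError):
        return None


# Constructed inventory in the shape of an MDM export; host names and values are made up.
SAMPLE_INVENTORY = {
    "ws-001": "Google Chrome 138.0.7204.157",
    "ws-002": "138.0.7204.158",
    "ws-003": "Google Chrome 138.0.7204.96",   # pre-fix build; string comparison would call this patched
    "ws-004": "Chromium 137.0.7151.119 Built on Debian",
    "ws-005": "Chromium 139.0.7258.66 snap",
    "ws-006": "not installed",
}

if __name__ == "__main__":
    for status, hosts in audit(SAMPLE_INVENTORY).items():
        print(f"{status:10s} {', '.join(hosts) or '-'}")
    print("local:", local_chrome_version())
```

Point audit() at the real export from your browser management tool; the vulnerable list is the relaunch-or-reimage queue, and the unknown list is the set of hosts whose agent is not reporting a version at all.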
Conclusion
CVE-2025-6558 is the fifth actively exploited Chrome zero-day in 2025, continuing a steady cadence of in-the-wild browser exploitation. Immediate patching, a relaunch of every running browser, telemetry review, and browser environment hardening are the controls that matter. Because this bug targets the GPU process rather than the renderer, organizations should treat every Chrome helper process, not just the browser or renderer, as a high-risk entry point and monitor its process tree accordingly.