
Google has released an emergency security update for Chrome 138 to address a critical zero-day vulnerability that is actively being exploited in the wild.
The vulnerability, tracked as CVE-2025-6558, affects the browser’s ANGLE and GPU components and has prompted immediate action from Google’s security team to protect users from ongoing attacks.
Critical Zero-Day Vulnerability Discovered
Google’s Threat Analysis Group discovered a high-severity vulnerability in Chrome’s ANGLE and GPU processing components, officially designated as CVE-2025-6558.
The flaw involves incorrect validation of untrusted input, which can potentially allow attackers to execute malicious code on affected systems.
Security researchers Clément Lecigne and Vlad Stolyarov from Google’s internal threat analysis team identified this vulnerability on June 23, 2025.
The most concerning aspect of this discovery is Google’s explicit acknowledgment that “an exploit for CVE-2025-6558 exists in the wild”.
This designation as a zero-day vulnerability means that attackers were actively using this flaw before a patch became available, potentially compromising users’ systems and data.
The emergency security update has been rolled out across all platforms through Chrome version 138.0.7204.157/158 for Windows and Mac, and 138.0.7204.157 for Linux.
The Android version of Chrome will receive the same security fixes through Google Play over the coming days.
| CVE ID | Severity | Component | Description | Reward | Reporter |
|---|---|---|---|---|---|
| CVE-2025-6558 | High | ANGLE/GPU | Incorrect validation of untrusted input | Not Available | Google TAG |
| CVE-2025-7656 | High | V8 | Integer overflow | $7,000 | Shaheen Fazim |
| CVE-2025-7657 | High | WebRTC | Use after free | To Be Determined | jakebiles |
Beyond the critical zero-day vulnerability, this update addresses multiple other security issues discovered through Google’s ongoing security research initiatives.
The update includes fixes for an integer overflow vulnerability in V8 (CVE-2025-7656) and a use-after-free vulnerability in WebRTC (CVE-2025-7657).
Google’s security team continues to utilize advanced detection methods including AddressSanitizer, MemorySanitizer, and various fuzzing techniques to identify potential vulnerabilities before they reach the stable channel.
Users are strongly advised to update their Chrome browsers immediately to protect against active exploitation.
The update process is automatic for most users, but manual updates can be initiated through Chrome’s settings menu.
Given the active exploitation of CVE-2025-6558, delaying this update could leave systems vulnerable to ongoing attacks.
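For teams that track browser versions in an asset inventory, the following Python sketch flags desktop installs older than the fixed build 138.0.7204.157 named above. It is an added example, not code from Google or the original article; the inventory rows and hostnames are constructed, and Android is reported as not assessed because the article gives no fixed build number for it.

```python
# Added example: flag Chrome installs older than the fixed build named in the article.
# Inventory rows are constructed sample data; hostnames are hypothetical.
FIXED_BUILD = {  # minimum patched build per desktop platform, as stated in the article
    "windows": (138, 0, 7204, 157),
    "mac": (138, 0, 7204, 157),
    "linux": (138, 0, 7204, 157),
}

SAMPLE_INVENTORY = """\
ws-001,windows,138.0.7204.158
ws-002,windows,138.0.7204.99
mb-014,mac,138.0.7204.157
lx-203,linux,137.0.7151.119
lx-204,linux,139.0.7258.5
ph-310,android,138.0.7204.63
ws-009,windows,unknown
"""

def parse_version(text):
    """Return a 4-tuple of ints, or None if text is not a dotted 4-part version."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isascii() and p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)

def classify(platform, version_text):
    """Compare numerically per component; a string compare would rank .99 above .157."""
    fixed = FIXED_BUILD.get(platform.strip().lower())
    if fixed is None:
        return "not-assessed"  # platform with no fixed build number in the article
    version = parse_version(version_text)
    if version is None:
        return "unparseable"  # surface bad inventory data instead of assuming patched
    return "patched" if version >= fixed else "vulnerable"

def audit(inventory_text):
    """Map each host in 'host,platform,version' lines to its patch status."""
    results = {}
    for line in inventory_text.splitlines():
        if not line.strip():
            continue
        host, platform, version = (f.strip() for f in line.split(",", 2))
        results[host] = classify(platform, version)
    return results

if __name__ == "__main__":
    for host, status in audit(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

Hosts reported as unparseable or not-assessed need manual follow-up rather than being counted as patched.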
Google has implemented access restrictions on detailed bug information until the majority of users have updated their browsers, following standard security disclosure practices.
This measured approach helps prevent additional exploitation while ensuring widespread protection deployment.