Google has recently fixed a critical zero-day vulnerability in its Chrome browser that allowed for sandbox escape. The company has released the patch for Chrome on Desktop and Android devices along with several other bug fixes. It is important for users to keep their devices updated with the latest Chrome versions to avoid potential risks from unpatched vulnerabilities.
Google Chrome Zero-Day Flaw Enables Sandbox Escape
Google has patched a significant security flaw in its Chrome browser that posed a threat to device security. Known as CVE-2025-6558, this vulnerability allowed an attacker to escape the sandbox security of the Chrome browser.
According to the Chrome release update, the vulnerability impacted Chrome’s ANGLE (Almost Native Graphics Layer Engine) – the default graphics backend in Chrome, and GPU. By tricking the user into opening a maliciously crafted HTML file through the Chrome browser, an adversary could exploit the flaw. As ANGLE processes GPU commands from untrusted sources, processing a malicious HTML file could allow the attacker to escape Chrome’s sandbox security.
Describing the issue, the vulnerability description stated,
Insufficient validation of untrusted input in ANGLE and GPU in Google Chrome prior to 138.0.7204.157 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page.
Google classified this vulnerability as a high-severity issue, which was initially discovered by Google’s Threat Analysis Group researchers, Clément Lecigne and Vlad Stolyarov. The researchers reported this vulnerability in June 2025, and Google promptly patched the flaw.
Google has not disclosed technical details about this vulnerability yet. Additionally, active exploits for this flaw have been detected in the wild, underscoring the importance of containing the details to prevent widespread exploitation attempts.
Other Security Fixes in the Latest Chrome Release
In addition to the sandbox escape vulnerability, Google addressed other vulnerabilities with the same Chrome release, issuing a total of six updates. While the tech giant only provided details for three of these vulnerabilities in the Chrome release update (including CVE-2025-6558), the other two vulnerabilities were reported by external security researchers.
The other two vulnerabilities, although not extensively discussed, include,
- CVE-2025-7656 (high severity): An Integer overflow in Chrome’s V8 component. A remote attacker could exploit the flaw through a maliciously crafted HTML file. Google rewarded the researcher Shaheen Fazim for reporting this flaw with a $7000 bounty.
- CVE-2025-7657 (high severity): A use-after-free vulnerability in Chrome’s WebRTC. The vulnerability could allow a remote adversary to exploit heap corruption through a maliciously crafted HTML file.
Google patched all these vulnerabilities with the Chrome stable release for Desktop version 138.0.7204.157/.158 for Windows and Mac, and 138.0.7204.157 for Linux. The same security updates were also released for Android users through Chrome 138 (138.0.7204.157).
While these updates are expected to reach all eligible systems automatically, users should still verify and update their devices manually to ensure timely receipt of all fixes.
We would love to hear your thoughts in the comments.
