Google Chrome 0-day Vulnerability Actively Exploited in the Wild

Google has released an emergency security update for Chrome, addressing a critical zero-day vulnerability that attackers are actively exploiting in real-world attacks.

The tech giant confirmed that CVE-2025-6558 is being leveraged by threat actors, prompting an immediate patch deployment across all supported platforms.

Google Chrome has been updated to version 138.0.7204.157/.158 for Windows and Mac systems, and version 138.0.7204.157 for Linux distributions.

Key Takeaways
1. CVE-2025-6558, involving incorrect validation in ANGLE and GPU components, is being actively exploited in the wild according to Google's Threat Analysis Group.
2. Chrome versions 138.0.7204.157/.158 (Windows/Mac) and 138.0.7204.157 (Linux) fix six security vulnerabilities, including three high-severity flaws.
3. The update patches CVE-2025-7656 (integer overflow in V8) and CVE-2025-7657 (use-after-free in WebRTC).
4. Users must update Chrome immediately, as active exploitation puts unpatched systems at risk.

The update addresses six security vulnerabilities, with the most severe being the actively exploited zero-day flaw. The rollout will occur gradually over the coming days and weeks as part of Google’s standard deployment process.

Google Chrome 0-day Vulnerability

The CVE-2025-6558 vulnerability stems from incorrect validation of untrusted input in ANGLE and GPU components. This flaw was discovered and reported by Clément Lecigne and Vlad Stolyarov from Google’s Threat Analysis Group on June 23, 2025.

The researchers’ affiliation with Google’s internal security team suggests the vulnerability may have been identified through advanced threat monitoring or incident response activities.

Beyond the zero-day exploit, Google addressed two other high-severity vulnerabilities in this update. CVE-2025-7656 represents an integer overflow issue in V8, Chrome’s JavaScript engine, discovered by security researcher Shaheen Fazim. This vulnerability carried a $7,000 bounty reward, reflecting its significant potential impact on user security.

The third high-severity flaw, CVE-2025-7657, involves a use-after-free vulnerability in WebRTC functionality, reported by researcher jakebiles. Use-after-free vulnerabilities can potentially allow attackers to execute arbitrary code or cause system crashes.

Google emphasized that access to detailed bug information remains restricted until most users receive the security update. This approach prevents malicious actors from reverse-engineering patches to develop new exploits before widespread deployment occurs.

The company maintains similar restrictions for vulnerabilities affecting third-party libraries used by other projects.

The update incorporates fixes from Google’s ongoing internal security initiatives, including results from AddressSanitizer, MemorySanitizer, UndefinedBehaviorSanitizer, Control Flow Integrity, libFuzzer, and AFL testing frameworks. These automated security tools continuously scan Chrome’s codebase for potential vulnerabilities.

Users should immediately update their Chrome browsers to the latest version. Chrome typically updates automatically, but users can manually check for updates by navigating to Chrome’s settings menu and selecting “About Google Chrome.” Given the active exploitation of CVE-2025-6558, delaying this update could expose users to significant security risks.
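For administrators who need to check many machines rather than one browser, the fixed build numbers above can drive an inventory check. The following is an added example, not code from the original article or from Google; the CSV inventory format, the host names and the sample version strings are constructed assumptions.

```python
import csv
import io
import re

# Lowest fixed build per platform, as stated in the article
# (Windows/Mac ship as .157 or .158, Linux as .157).
FIXED_BUILD = {
    "windows": (138, 0, 7204, 157),
    "mac": (138, 0, 7204, 157),
    "linux": (138, 0, 7204, 157),
}

VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\.(\d+)\b")


def parse_version(text):
    """Extract a four-part Chrome version from free text, or None."""
    match = VERSION_RE.search(text or "")
    return tuple(int(part) for part in match.groups()) if match else None


def triage(inventory_csv):
    """Map each host to 'patched', 'vulnerable' or 'unknown'."""
    results = {}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        fixed = FIXED_BUILD.get(row["platform"].strip().lower())
        seen = parse_version(row["version"])
        if fixed is None or seen is None:
            # Unrecognised platform or unparsable version: needs a manual look.
            results[row["host"]] = "unknown"
        else:
            # Integer tuples compare numerically, so .97 sorts below .157
            # (a plain string comparison would get this wrong).
            results[row["host"]] = "patched" if seen >= fixed else "vulnerable"
    return results


# Constructed sample inventory (hypothetical hosts, not real data).
SAMPLE_INVENTORY = """host,platform,version
ws-001,Windows,Google Chrome 138.0.7204.158
ws-002,Windows,Google Chrome 138.0.7204.101
mb-003,Mac,Google Chrome 138.0.7204.157
lx-004,Linux,Google Chrome 137.0.7151.119
lx-005,Linux,Google Chrome 138.0.7204.97
kiosk-006,ChromeOS,Google Chrome 138.0.7204.157
ws-007,Windows,not installed
"""

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

A host that reports a patched version on disk keeps running the old code until Chrome is relaunched, so pair this check with a restart prompt or policy.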

The discovery of this zero-day vulnerability underscores the ongoing cat-and-mouse game between security researchers and malicious actors in the browser ecosystem.

The post Google Chrome 0-day Vulnerability Actively Exploited in the Wild appeared first on Cyber Security News.

rssfeeds-admin
