July 2025 – Google has released a new round of Chrome security updates addressing six vulnerabilities, including a zero-day flaw actively exploited in the wild. This marks the fifth zero-day vulnerability patched in Chrome so far this year, underscoring the ongoing risks facing businesses and individuals who rely on web-based platforms.
What’s the Critical Issue?
The most serious of the patched vulnerabilities is tracked as CVE-2025-6558, a flaw affecting Chrome’s ANGLE and GPU components. ANGLE (Almost Native Graphics Layer Engine) is an open-source graphics engine used in Chrome and Firefox on Windows to render web content. Chrome’s GPU component, similarly, helps render graphics and video.
According to the National Institute of Standards and Technology (NIST), this vulnerability stems from improper validation of untrusted input, which can be triggered by specially crafted HTML pages. If successfully exploited, the flaw could allow remote attackers to escape Chrome’s security sandbox, a key protection designed to isolate browser processes and limit potential damage.
Google has confirmed that exploitation of this flaw is occurring in the wild, though technical details about the nature or scope of the attacks have not yet been disclosed.
Who Reported It?
The flaw was discovered by Clément Lecigne and Vlad Stolyarov from Google’s Threat Analysis Group (TAG). This team is well known for identifying and tracking threats linked to commercial spyware vendors—raising concerns that this vulnerability may have been abused in targeted surveillance campaigns.
Additional Vulnerabilities Addressed
Alongside the zero-day, Google has also patched the following vulnerabilities:
- CVE-2025-7656: An integer overflow bug in Chrome’s V8 JavaScript engine, reported by an external researcher. This issue could potentially allow attackers to manipulate memory and execute malicious code.
- CVE-2025-7657: A use-after-free vulnerability in WebRTC (used for real-time communications like video calls), also reported by an external contributor.
Google awarded a $7,000 bounty for the V8 bug; the bounty amount for the WebRTC issue has not yet been disclosed. As per Google’s policy, no reward is given for vulnerabilities discovered internally, such as the CVE-2025-6558 zero-day.
Update Rolling Out Now
The latest Chrome update is being deployed as:
- Version 138.0.7204.157/.158 for Windows and macOS
- Version 138.0.7204.157 for Linux
Google urges all users to update their browsers immediately to ensure their systems are protected.
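A fleet check a defender might run against the fixed builds listed above, added here as an example; it is not part of the original advisory or any CSB tooling. The comma-separated inventory lines and their format are constructed for illustration, and the minimum patched build per platform is taken from the version list above.

```python
from typing import Dict, List, Tuple

# Lowest patched build per platform, from the advisory. Windows and macOS
# shipped .157 and .158, so .157 is the minimum that carries the fix.
FIXED_VERSION: Dict[str, Tuple[int, ...]] = {
    "windows": (138, 0, 7204, 157),
    "macos": (138, 0, 7204, 157),
    "linux": (138, 0, 7204, 157),
}

# Constructed sample inventory, "hostname,platform,chrome_version" per line,
# in the shape an asset-management export might produce (hypothetical format).
SAMPLE_INVENTORY = """\
fin-ws-01,windows,138.0.7204.101
fin-ws-02,windows,138.0.7204.158
dev-mac-07,macos,137.0.7151.120
dev-mac-08,macos,138.0.7204.157
build-lx-03,linux,138.0.7204.157
build-lx-04,linux,136.0.7103.59
"""


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '138.0.7204.157' into a comparable tuple; reject malformed strings."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected Chrome version string: {text!r}")
    return tuple(int(p) for p in parts)


def is_patched(platform: str, version: str) -> bool:
    """True if the installed build is at or above the fixed build for the platform."""
    return parse_version(version) >= FIXED_VERSION[platform.lower()]


def unpatched_hosts(inventory: str) -> List[Tuple[str, str, str]]:
    """Return (host, platform, version) for every entry still below the fix."""
    exposed = []
    for line in inventory.splitlines():
        if not line.strip():
            continue  # skip blank lines in the export
        host, platform, version = (f.strip() for f in line.split(","))
        if not is_patched(platform, version):
            exposed.append((host, platform, version))
    return exposed


if __name__ == "__main__":
    for host, platform, version in unpatched_hosts(SAMPLE_INVENTORY):
        print(f"{host} ({platform}) still on {version}; update required")
```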
Why This Matters to Your Business
Zero-day vulnerabilities pose a serious threat because they are exploited before patches are available, often giving attackers a critical window of opportunity to infiltrate systems. In this case, attackers may be able to bypass key browser protections, potentially exposing sensitive business data or opening paths for further compromise.
At CSB, we want to ensure our clients stay ahead of emerging threats. If your organisation uses Google Chrome—and most businesses do—make sure all systems are running the latest version. Consider working with your IT team or managed services provider to apply updates across all devices in your network.
CSB’s Recommendations
To reduce your exposure to browser-based threats:
- Enable automatic browser updates across all workstations and devices.
- Regularly audit browser extensions and installed software, especially on machines used by developers or executives.
- Educate employees about suspicious websites, phishing attempts, and the importance of keeping software up to date.
- Work with a cybersecurity partner to monitor threats and respond quickly when vulnerabilities are disclosed.