Google has released emergency security updates for Chrome 138 across multiple platforms to address critical vulnerabilities, including CVE-2025-6558, which the company confirms is being actively exploited by threat actors.
The update, rolling out to Windows, Mac, Linux, Android, and iOS users, patches six security vulnerabilities with three rated as high severity, marking one of the most significant security releases in recent months.
The Chrome 138 stable channel update (version 138.0.7204.157/158) introduces comprehensive security fixes targeting fundamental browser components.
The most severe vulnerability, CVE-2025-7656, represents an integer overflow in V8, Chrome’s JavaScript engine, discovered by security researcher Shaheen Fazim and carrying a $7,000 bounty reward.
This vulnerability class typically allows attackers to corrupt memory and potentially achieve remote code execution.
Additional high-severity fixes include CVE-2025-7657, a use-after-free vulnerability in WebRTC reported by researcher jakebiles.
Use-after-free vulnerabilities occur when programs continue to use memory after it has been freed, creating opportunities for attackers to manipulate program execution flow.
The WebRTC component handles real-time communication features, making this vulnerability particularly concerning for users engaged in video conferencing or peer-to-peer communications.
Google internal security teams contributed additional fixes through various detection methods, including AddressSanitizer, MemorySanitizer, UndefinedBehaviorSanitizer, Control Flow Integrity, libFuzzer, and AFL fuzzing techniques.
These automated testing frameworks represent industry-standard approaches to identifying memory corruption and logic vulnerabilities before they reach production environments.
Google Chrome 0-Day Vulnerability
The most alarming aspect of this security update involves CVE-2025-6558, an incorrect validation vulnerability in ANGLE and GPU components.
Discovered by Google’s Threat Analysis Group researchers Clément Lecigne and Vlad Stolyarov, this vulnerability represents a zero-day exploit currently being used in active attacks.
Google’s explicit acknowledgment that “an exploit for CVE-2025-6558 exists in the wild” indicates sophisticated threat actors are leveraging this vulnerability against real targets.
ANGLE (Almost Native Graphics Layer Engine) serves as a graphics abstraction layer that translates OpenGL ES calls to DirectX, Vulkan, or native OpenGL.
Vulnerabilities in graphics subsystems often provide attackers with deep system access, potentially bypassing traditional security boundaries.
The combination of GPU-related vulnerabilities with active exploitation suggests attackers may be targeting graphics-intensive applications or attempting to escape browser sandboxes through graphics driver interactions.
The Threat Analysis Group’s involvement signals this vulnerability may be connected to advanced persistent threat (APT) activities or state-sponsored cyber operations, as TAG specializes in tracking government-backed hacking groups and sophisticated attack campaigns.
Security Improvements and Recommendations
Beyond desktop platforms, Google has synchronized security updates across its entire Chrome ecosystem.
Chrome for Android (138.0.7204.157) and iOS (138.0.7204.156) received corresponding security fixes, ensuring mobile users receive equivalent protection.
ChromeOS devices also received updates through both stable and long-term support channels, with ChromeOS LTS 132.0.6834.227 addressing additional platform-specific vulnerabilities.
Organizations should prioritize immediate Chrome updates across all platforms, particularly given the confirmed active exploitation.
Enterprise administrators should verify that automatic updates are enabled and consider forced update deployment for critical systems.
Users can manually trigger updates through Chrome’s settings menu or by navigating to chrome://settings/help.
The rapid cross-platform deployment demonstrates Google’s mature security response capabilities, but the presence of an actively exploited zero-day underscores the persistent threat landscape facing modern web browsers and the critical importance of maintaining current software versions.
Find this Story Interesting! Follow us on LinkedIn and X to Get More Instant Updates.
.webp?w=356&resize=356,220&ssl=1 "Microsoft Teams Blocking Users from Accessing Embedded Office Documents")
