CVE-2025-6558

ENISA EUVD: EUVD-2025-21546
Exploited in the Wild · Confirmed 0-Day · Google Project Zero
Triaged: March 3, 2026 · 10 articles · Published: 2025-07-15

EPSS Score

Source: FIRST.org · 2026-05-23
This CVE has a 0.33% probability of being exploited in the next 30 days.
Top 55.6th percentile of all CVEs

CVSS v3.1

Source: VulnerabilityLookup (CIRCL)
Score: 8.8 HIGH
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Description

VulnerabilityLookup (CNA)
Insufficient validation of untrusted input in ANGLE and GPU in Google Chrome prior to 138.0.7204.157 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)

Affected Products

Vendor: Google
Product: Chrome
Version: 138.0.7204.157

Attack Intelligence

Google Project Zero

Patched: July 15, 2025
Reported by: Clément Lecigne and Vlad Stolyarov of Google's Threat Analysis Group
Root Cause Analysis: ???

Exploits & PoC

Signal Intelligence

Confidence: 92%
EPSS: 0.33%
CVSS v3.1: 8.8
Mentions: 10
Last Seen: Dec 11, 2025

CNA Information

CNA Assigner: Chrome

Analyst Note

CVE-2025-6558 is confirmed as an actively exploited zero-day in Chrome with a HIGH CVSS score (8.8); it is a critical sandbox escape vulnerability in the ANGLE and GPU components. Multiple reputable sources (BleepingComputer, TheHackerNews) report active in-the-wild exploitation, and Google has already released a patch in Chrome 138.0.7204.157, which together strongly validate the vulnerability's authenticity and severity.

Threat Actors (12)

Cobalt · apt_group · Financial crime · 🇷🇺 RU
APT 28 · apt_group · Information theft and espionage · 🇷🇺 RU
Hacking Team · apt_group · 🇮🇹 IT
SCATTERED SPIDER · apt_group · Financial crime · 🇺🇸 US
HAZY TIGER · apt_group · Information theft and espionage · 🇮🇳 IN
Infy · apt_group · Information theft and espionage · 🇮🇷 IR
APT 6 · apt_group · Information theft and espionage · 🇨🇳 CN
Pat Bear · apt_group · 🇸🇾 SY
Shadow Network · apt_group · Information theft and espionage · 🇨🇳 CN
Mana Team · apt_group · 🇨🇳 CN
Storm-2460 · apt_group · 🇷🇺 RU
TAG-56 · apt_group · 🇮🇷 IR

Triage Info

Decided at: Mar 03, 2026
Published Date: Jul 15, 2025