Apple released security updates to address a high-severity vulnerability, tracked as CVE-2025-6558 (CVSS score of 8.8), that has been exploited in zero-day attacks targeting Google Chrome users.
The vulnerability is an insufficient validation of untrusted input in the ANGLE and GPU components of Google Chrome prior to 138.0.7204.157. A remote attacker can exploit it via a crafted HTML page to potentially escape the renderer sandbox, which is why Google rates it high severity even though it is not a remote code execution bug on its own.
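As a practical triage check (added here; it is not code from Google's or Apple's advisories), the following Python snippet compares an installed Chrome build string against the first fixed version named above, 138.0.7204.157. Chrome versions are four dot-separated integers and must be compared field by field as numbers, not as strings, otherwise a build such as 99.x sorts above 138.x. The sample version strings in the block are constructed for the example, and the `google-chrome` binary name is an assumption about the local install.

```python
import re
import subprocess
from typing import Optional, Tuple

# First Chrome stable build carrying the fix for CVE-2025-6558 (from Google's advisory).
FIXED_VERSION = "138.0.7204.157"


def parse_version(text: str) -> Tuple[int, ...]:
    """Extract a four-part Chrome version from arbitrary text.

    Accepts a bare version ("138.0.7204.157") or the output of
    `google-chrome --version` ("Google Chrome 138.0.7204.100").
    Raises ValueError if no such version is present.
    """
    match = re.search(r"\b(\d+)\.(\d+)\.(\d+)\.(\d+)\b", text)
    if not match:
        raise ValueError(f"no Chrome-style version found in {text!r}")
    return tuple(int(part) for part in match.groups())


def is_vulnerable(version_text: str, fixed: str = FIXED_VERSION) -> bool:
    """True if the version found in version_text predates the fixed build.

    Tuples of ints compare lexicographically, which is exactly the
    field-by-field numeric ordering Chrome uses. Comparing the raw
    strings would be wrong: "99.0.4844.51" > "138.0.7204.157" as text.
    """
    return parse_version(version_text) < parse_version(fixed)


def installed_chrome_version(binary: str = "google-chrome") -> Optional[str]:
    """Best-effort query of the local Chrome binary; None if it is not installed.

    The binary name is an assumption; on other platforms substitute the
    path to chrome.exe or the Google Chrome.app executable.
    """
    try:
        result = subprocess.run(
            [binary, "--version"], capture_output=True, text=True, timeout=10
        )
    except (OSError, subprocess.TimeoutExpired):
        return None
    return result.stdout.strip() or None


if __name__ == "__main__":
    # Constructed sample inputs so the check can be exercised offline.
    samples = [
        "Google Chrome 138.0.7204.100",  # earlier patch level, still vulnerable
        "Google Chrome 138.0.7204.157",  # first fixed build
        "Chromium 139.0.7258.66",        # constructed later build, fixed
        "Google Chrome 99.0.4844.51",    # a string compare would get this wrong
    ]
    for sample in samples:
        print(f"{sample:32} vulnerable={is_vulnerable(sample)}")
    live = installed_chrome_version()
    if live:
        print(f"local install: {live} vulnerable={is_vulnerable(live)}")
```

A passing version check only tells you the binary on disk is new enough; a Chrome process that was started before the update still runs the old code until it is relaunched, so pair the check with a process age or relaunch policy in any fleet-wide sweep.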
ANGLE (Almost Native Graphics Layer Engine) is an open-source graphics engine developed by Google that acts as a compatibility layer translating OpenGL ES calls to other graphics APIs such as Direct3D, Vulkan, and Metal. Because ANGLE is shared open-source code rather than Chrome-specific code, the same flaw reaches other software that embeds it, including Apple's WebKit.
Clément Lecigne and Vlad Stolyarov of Google’s Threat Analysis Group reported the vulnerability on June 23, 2025.
This week, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the flaw to its Known Exploited Vulnerabilities (KEV) catalog.
Google’s TAG team investigates attacks by nation-state actors and commercial spyware vendors, so one of these threat actors likely exploited the issue in the wild.
“Google is aware that an exploit for CVE-2025-6558 exists in the wild,” reads the alert published by Google.
“This is a vulnerability in open source code and Apple Software is among the affected projects. The CVE-ID was assigned by a third party,” reads the advisory published by Apple.
The same advisory describes the impact as: “Processing maliciously crafted web content may lead to an unexpected Safari crash.”
Apple released WebKit security updates to address CVE-2025-6558 in the following products: