CVE-2025-6558

high-risk

Published 2025-07-15

Insufficient validation of untrusted input in ANGLE and GPU in Google Chrome prior to 138.0.7204.157 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)

Do I need to act?

0.17% chance of exploitation

EPSS score — low exploit probability

CISA KEV: actively exploited in the wild

On the Known Exploited Vulnerabilities catalog — federal agencies must patch

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 8.8/10 High

NETWORK / LOW complexity

Affected Products (10)

Chrome

Debian Linux

Safari

Ipados

Iphone Os

Macos

Visionos

Watchos

Wpe Webkit

Webkitgtk

Affected Vendors

Debian Apple Google Webkitgtk Wpewebkit

References (10)

Release Notes https://chromereleases.googleblog.com/2025/07/stable-channel-update-for-desktop_...

Issue Tracking https://issues.chromium.org/issues/427162086

Third Party Advisory http://seclists.org/fulldisclosure/2025/Aug/0

Third Party Advisory http://seclists.org/fulldisclosure/2025/Jul/30

Third Party Advisory http://seclists.org/fulldisclosure/2025/Jul/32

Third Party Advisory http://seclists.org/fulldisclosure/2025/Jul/35

Third Party Advisory http://seclists.org/fulldisclosure/2025/Jul/37

Mailing List http://www.openwall.com/lists/oss-security/2025/08/02/1

Mailing List https://lists.debian.org/debian-lts-announce/2025/08/msg00015.html

US Government Resource https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-...

/ 100

high-risk

Severity 30/34 · Critical

Exploitability 8/34 · Low

Exposure 16/34 · Moderate