A recent Chromium update fixes several critical flaws, among them CVE-2025-6558, which has been confirmed as exploited in the wild. Rated CVSS 8.8, the flaw stems from lax input handling deep within the browser’s rendering command flow. Specifically, the issue lives in a middleware layer responsible for translating high-level graphical instructions into device-level operations. This layer inadvertently lets hostile input reach restricted execution zones. Exploitation involves crafted HTML payloads that slip past isolation boundaries, allowing adversaries to sidestep sandbox enforcement and potentially escalate to full system access.
Google’s Threat Analysis Group flagged the bug on June 23. The exploit chain doesn’t rely on user interaction: loading a compromised page is enough. That makes drive-by exposure via legitimate-looking web content a viable attack route, especially against unpatched environments. While technical details are undisclosed, the in-the-wild exploitation hints at the involvement of advanced threat actors, potentially a state-sponsored group.
This marks the fifth zero-day vulnerability fixed in Chrome this year, following CVE-2025-2783, CVE-2025-4664, CVE-2025-5419, and CVE-2025-6554, all of which were either exploited or demonstrated in proof-of-concept attacks. Previous exploits included targeted espionage campaigns and account hijacking.
The patch, released as version 138.0.7204.157/.158 for Windows and macOS, and 138.0.7204.157 for Linux, also resolves high-risk issues in V8 (CVE-2025-7656) and WebRTC (CVE-2025-7657), although these are not known to be actively exploited. Users should open the browser’s diagnostic menu to verify the installed version, then restart the application so the fixes take effect. Applications built on the same rendering engine, like Opera or Edge, may need corresponding updates once they become available. Gaps in rendering workflows or graphical pipelines have previously served as footholds for deeper execution abuse.
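For teams verifying versions across many machines rather than one browser at a time, the check can be scripted. The following is an added example, not code from Google or the Chromium project: it compares reported Chrome versions against the fixed builds named above and flags other Chromium-based browsers for manual review, since the article gives no fixed version for them. The inventory rows, host names and function names are constructed for illustration.

```python
import re

# Minimum fixed Chrome build per platform, as stated in the article.
FIXED_CHROME = {
    "windows": (138, 0, 7204, 157),
    "macos": (138, 0, 7204, 157),
    "linux": (138, 0, 7204, 157),
}

VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\.(\d+)\b")

def parse_version(text):
    """Return a 4-part version as a tuple of ints, or None if absent."""
    m = VERSION_RE.search(text)
    return tuple(int(p) for p in m.groups()) if m else None

def classify(os_name, product, version_text):
    """Classify one inventory row as patched / outdated / review."""
    # Only Chrome's fixed build is given; other Chromium-based browsers
    # use their own build numbers, so they are flagged for manual review.
    if product.strip().lower() != "google chrome":
        return "review"
    fixed = FIXED_CHROME.get(os_name.strip().lower())
    version = parse_version(version_text)
    if fixed is None or version is None:
        return "review"
    # Tuple comparison is numeric per component: 7204.99 < 7204.157,
    # which a plain string comparison would get wrong.
    return "patched" if version >= fixed else "outdated"

# Constructed sample inventory: (host, os, product, reported version string)
INVENTORY = [
    ("ws-01", "windows", "Google Chrome", "Google Chrome 138.0.7204.158"),
    ("ws-02", "windows", "Google Chrome", "Google Chrome 138.0.7204.99"),
    ("mac-07", "macos", "Google Chrome", "Google Chrome 137.0.7151.120"),
    ("lnx-03", "linux", "Google Chrome", "Google Chrome 138.0.7204.157"),
    ("ws-09", "windows", "Microsoft Edge", "138.0.3351.83"),
    ("lnx-11", "linux", "Google Chrome", "unknown"),
]

def audit(rows):
    """Map each host to its classification."""
    return {host: classify(os_name, product, ver) for host, os_name, product, ver in rows}

if __name__ == "__main__":
    for host, status in audit(INVENTORY).items():
        print(f"{host:8} {status}")
```

A browser that has downloaded the update but not been restarted still runs the old build, so the version should be read from the running process or re-checked after restart.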