CVE-2025-6558
Published: 15 July 2025
Summary
CVE-2025-6558 is a high-severity Improper Input Validation (CWE-20) vulnerability in Google Chrome. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203). The CVE ranks in the top 43.8% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-39 (Process Isolation) and SI-10 (Information Input Validation).
Deeper analysis
Insufficient validation of untrusted input in ANGLE and the GPU component of Google Chrome prior to version 138.0.7204.157 permits a remote attacker to potentially escape the browser sandbox. The flaw is tracked as CVE-2025-6558, carries a CVSS 3.1 score of 8.8, and is assigned CWE-20; Chromium rates the issue High severity.
An attacker who can persuade a user to visit a specially crafted HTML page can trigger the flaw, achieving high impact on confidentiality, integrity, and availability by escaping the renderer sandbox. No user interaction beyond loading the page is required, and the attack can be delivered over the network without authentication.
The stable-channel update released on 15 July 2025 upgrades Chrome to 138.0.7204.157 and addresses the issue; administrators should apply the update promptly. Public references include the Chromium bug tracker entry 427162086 and the corresponding Chrome release announcement. The current EPSS score remains low at 0.0033 with no reported real-world exploitation.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-21546
Vulnerability details
Insufficient validation of untrusted input in ANGLE and GPU in Google Chrome prior to 138.0.7204.157 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)
- CWE(s)
- KEV Date Added: 22 July 2025
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Direct client-side browser RCE/sandbox escape through an input validation flaw triggered by malicious HTML.
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
Directly addresses the insufficient validation of untrusted input in ANGLE and GPU components that enables the sandbox escape.
Enforces process isolation to prevent sandbox escapes resulting from the input validation flaw in Chrome's GPU processes.
Requires timely remediation of the specific flaw via patching to Chrome version 138.0.7204.157, eliminating the vulnerability.