Cyber Posture

CVE-2025-6558

High · CISA KEV · Active Exploitation

Published: 15 July 2025

Modified: 06 November 2025
KEV Added: 22 July 2025
Patch
CVSS Score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS Score: 0.0022 (44.1th percentile)
Risk Priority: 38 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-6558 is a high-severity Improper Input Validation (CWE-20) vulnerability in Google Chrome. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203). Its EPSS score places it at the 44.1th percentile for exploit likelihood (below the median), and CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-39 (Process Isolation) and SI-10 (Information Input Validation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploitation for Client Execution (T1203).
What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) · AI

prevent

Directly addresses the insufficient validation of untrusted input in ANGLE and GPU components that enables the sandbox escape.

prevent

Enforces process isolation to prevent sandbox escapes resulting from the input validation flaw in Chrome's GPU processes.

prevent

Requires timely remediation of the specific flaw via patching to Chrome version 138.0.7204.157, eliminating the vulnerability.

MITRE ATT&CK Enterprise Techniques · AI

T1203 Exploitation for Client Execution (tactic: Execution)
Adversaries may exploit software vulnerabilities in client applications to execute code.

Why these techniques?

Direct client-side browser RCE/sandbox escape through an input validation flaw triggered by malicious HTML.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Insufficient validation of untrusted input in ANGLE and GPU in Google Chrome prior to 138.0.7204.157 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)

Deeper analysis · AI

CVE-2025-6558 involves insufficient validation of untrusted input (CWE-20) in the ANGLE and GPU components of Google Chrome prior to version 138.0.7204.157. This vulnerability, published on 2025-07-15, carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) and is rated High severity by Chromium security standards.

A remote attacker can exploit the issue by luring a user to interact with a crafted HTML page, potentially achieving a sandbox escape. The attack requires no privileges and low complexity but depends on user interaction, enabling high-impact compromise of confidentiality, integrity, and availability within the browser's sandboxed environment.

Mitigation is available via the Google Chrome stable channel update to version 138.0.7204.157, as announced in the Chrome Releases blog at chromereleases.googleblog.com/2025/07/stable-channel-update-for-desktop_15.html. Additional technical details are documented in Chromium issue 427162086 at issues.chromium.org/issues/427162086, with related disclosures on seclists.org/fulldisclosure/2025/Aug/0, seclists.org/fulldisclosure/2025/Jul/30, and seclists.org/fulldisclosure/2025/Jul/32.

Details

CWE(s)
KEV Date Added: 22 July 2025

Affected Products

Vendor · Product · Version
google · chrome · ≤ 138.0.7204.157
debian · debian linux · 11.0
apple · safari · ≤ 18.6
apple · ipados · ≤ 18.6
apple · iphone os · ≤ 18.6
apple · macos · ≤ 15.6
apple · visionos · ≤ 2.6
apple · watchos · ≤ 11.6
wpewebkit · wpe webkit · ≤ 2.48.0
webkitgtk · webkitgtk · ≤ 2.48.0

CVEs Like This One

CVE-2025-43342 · Same product: Apple Ipados
CVE-2025-24201 · Same product: Apple Ipados · both on KEV
CVE-2025-14174 · Same product: Apple Ipados · both on KEV
CVE-2025-43529 · Same product: Apple Ipados · both on KEV
CVE-2025-43234 · Same product: Apple Ipados
CVE-2025-43300 · Same product: Apple Ipados · both on KEV
CVE-2025-31277 · Same product: Apple Ipados · both on KEV
CVE-2025-43343 · Same product: Apple Ipados
CVE-2026-5915 · Same product: Apple Macos
CVE-2025-31281 · Same product: Apple Ipados
