Cyber Resilience

CVE-2025-6558

High · CISA KEV · Active Exploitation · EUVD Exploited

Published: 15 July 2025
Modified: 06 November 2025
KEV Added: 22 July 2025
CVSS Score v3.1: 8.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS Score: 0.0033 (56.2th percentile)
Risk Priority: 38 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-6558 is a high-severity Improper Input Validation (CWE-20) vulnerability in Google Chrome. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203). The CVE ranks in the top 43.8% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-39 (Process Isolation) and SI-10 (Information Input Validation).

Deeper analysis

Insufficient validation of untrusted input in ANGLE and the GPU component of Google Chrome prior to version 138.0.7204.157 permits a remote attacker to potentially escape the browser sandbox. The flaw is tracked as CVE-2025-6558, carries a CVSS 3.1 score of 8.8, and is assigned CWE-20; Chromium rates the issue High severity.

An attacker who can persuade a user to visit a specially crafted HTML page can trigger the flaw, achieving high impact on confidentiality, integrity, and availability by escaping the renderer sandbox. No user interaction beyond loading the page is required, and the attack can be delivered over the network without authentication.

The stable-channel update released on 15 July 2025 upgrades Chrome to 138.0.7204.157 and addresses the issue; administrators should apply the update promptly. Public references include the Chromium bug tracker entry 427162086 and the corresponding Chrome release announcement. The current EPSS score remains low at 0.0033, but the CVE was added to the CISA Known Exploited Vulnerabilities catalog on 22 July 2025, so the low EPSS value should not be read as an absence of real-world exploitation.

Vulnerability details

Insufficient validation of untrusted input in ANGLE and GPU in Google Chrome prior to 138.0.7204.157 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)

CWE(s): CWE-20
KEV Date Added: 22 July 2025

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1203 Exploitation for Client Execution (Tactic: Execution)
Adversaries may exploit software vulnerabilities in client applications to execute code.
Why these techniques?

Direct client-side browser RCE/sandbox escape through an input validation flaw triggered by malicious HTML.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-43342 · Same product: Apple Ipados
CVE-2025-24201 · Same product: Apple Ipados · both on KEV
CVE-2025-14174 · Same product: Apple Ipados · both on KEV
CVE-2025-43529 · Same product: Apple Ipados · both on KEV
CVE-2025-43234 · Same product: Apple Ipados
CVE-2025-43300 · Same product: Apple Ipados · both on KEV
CVE-2025-31277 · Same product: Apple Ipados · both on KEV
CVE-2025-43343 · Same product: Apple Ipados
CVE-2026-5915 · Same product: Apple Macos
CVE-2026-8000 · Same product: Apple Macos

Affected Assets

Vendor · Product · Version
google · chrome · ≤ 138.0.7204.157
debian · debian linux · 11.0
apple · safari · ≤ 18.6
apple · ipados · ≤ 18.6
apple · iphone os · ≤ 18.6
apple · macos · ≤ 15.6
apple · visionos · ≤ 2.6
apple · watchos · ≤ 11.6
wpewebkit · wpe webkit · ≤ 2.48.0
webkitgtk · webkitgtk · ≤ 2.48.0

Mitigating Controls (NIST 800-53 r5) (AI)

prevent: Directly addresses the insufficient validation of untrusted input in ANGLE and GPU components that enables the sandbox escape.

prevent: Enforces process isolation to prevent sandbox escapes resulting from the input validation flaw in Chrome's GPU processes.

prevent: Requires timely remediation of the specific flaw via patching to Chrome version 138.0.7204.157, eliminating the vulnerability.
