Critical Zero-Day Flaw in Google Chrome Addressed by Apple, Safeguarding Users
Apple releases urgent security updates to patch a severe zero-day vulnerability in Google Chrome, enhancing user protection against targeted attacks.
TL;DR
Apple has released security updates to address a critical zero-day vulnerability in Google Chrome, tracked as CVE-2025-6558. This vulnerability could allow remote attackers to escape the sandbox environment via specially crafted HTML pages. The flaw has been added to CISA’s Known Exploited Vulnerabilities catalog.
Apple Addresses High-Severity Zero-Day Vulnerability in Google Chrome
Overview
Apple has recently issued a series of security updates to mitigate a high-severity vulnerability, identified as CVE-2025-6558 with a CVSS score of 8.8. This vulnerability has been actively exploited in zero-day attacks targeting Google Chrome users.
Vulnerability Details
The vulnerability exists due to insufficient validation of untrusted input in ANGLE (Almost Native Graphics Layer Engine) and GPU components in Google Chrome versions prior to 138.0.7204.157. This flaw allows remote attackers to potentially perform a sandbox escape through crafted HTML pages, posing a significant risk to user security.
ANGLE is an open-source graphics engine developed by Google, serving as a compatibility layer between OpenGL ES and other graphics APIs such as Direct3D, Vulkan, and Metal.
Discovery and Reporting
The vulnerability was initially reported by Clément Lecigne and Vlad Stolyarov of Google’s Threat Analysis Group (TAG) on June 23, 2025. Google’s TAG is renowned for investigating attacks by nation-state actors and commercial spyware vendors, indicating that the exploit may have been used by sophisticated threat actors in real-world scenarios.
Government Advisory
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added this vulnerability to its Known Exploited Vulnerabilities (KEV) catalog this week, highlighting the urgent need for users to apply the necessary patches.
Apple’s Response
Apple acknowledged the severity of the issue and promptly released WebKit security updates to address CVE-2025-6558 across multiple products:
- iOS 18.6 and iPadOS 18.6: Affects iPhone XS and later, various iPad Pro models, iPad Air 3rd generation and later, iPad 7th generation and later, and iPad mini 5th generation and later.
- macOS Sequoia 15.6: Affects Macs running macOS Sequoia.
- iPadOS 17.7.9: Affects iPad Pro 12.9-inch 2nd generation, iPad Pro 10.5-inch, and iPad 6th generation.
- visionOS 2.6: Affects Apple Vision Pro.
- watchOS 11.6: Affects Apple Watch Series 6 and later.
- tvOS 18.6: Affects Apple TV HD and Apple TV 4K (all models).
Apple users are strongly advised to update their devices to the latest versions to protect against this critical vulnerability.
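For teams tracking remediation, the check below is an added example (not code from Apple, Google or CISA) that compares an asset inventory against the fixed releases named in this article, including the two separate patched branches for iPadOS. The inventory rows and function names are constructed for illustration, and treating later major releases as patched is an assumption.

```python
# Fixed releases as listed in the article; iPadOS has two patched branches.
FIXED = {
    "chrome": [(138, 0, 7204, 157)],
    "ios": [(18, 6)],
    "ipados": [(17, 7, 9), (18, 6)],
    "macos": [(15, 6)],
    "visionos": [(2, 6)],
    "watchos": [(11, 6)],
    "tvos": [(18, 6)],
}
SINGLE_LINE = {"chrome"}  # one release line: anything below the fix is affected

def parse_version(text):
    """'18.5.1' -> (18, 5, 1); raises ValueError on non-numeric parts."""
    return tuple(int(part) for part in text.strip().split("."))

def at_least(version, fix):
    """Compare after zero-padding so that 18.6 and 18.6.0 are equal."""
    width = max(len(version), len(fix))
    padded = [v + (0,) * (width - len(v)) for v in (version, fix)]
    return padded[0] >= padded[1]

def status(product, version):
    """Return 'patched', 'update-required' or 'no-fix-listed'."""
    name = product.lower()
    v, fixes = parse_version(version), FIXED[name]
    if name in SINGLE_LINE:
        return "patched" if at_least(v, fixes[0]) else "update-required"
    branch = [f for f in fixes if f[0] == v[0]]
    if branch:
        return "patched" if at_least(v, branch[0]) else "update-required"
    # Assumption: a major release newer than every listed fix includes it.
    if v[0] > max(f[0] for f in fixes):
        return "patched"
    return "no-fix-listed"  # older major release; the article names no fix

# Constructed inventory rows (host, product, version) for illustration.
INVENTORY = [
    ("lab-mac-01", "chrome", "138.0.7204.100"),
    ("ipad-old-07", "iPadOS", "17.7.9"),
    ("ipad-new-02", "iPadOS", "18.5"),
]

def audit(rows):
    return [(host, status(product, version)) for host, product, version in rows]

if __name__ == "__main__":
    for host, result in audit(INVENTORY):
        print(f"{host}: {result}")
```

A naive comparison against 18.6 alone would wrongly flag the iPadOS 17.7.9 device, which is why the check matches on the major branch first.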
Conclusion
The swift action taken by Apple to address CVE-2025-6558 underscores the importance of timely security updates in safeguarding users against evolving cyber threats. By staying vigilant and applying the necessary patches, users can significantly enhance their digital security and mitigate the risks associated with zero-day exploits.