Google is rolling out updates to Chrome users worldwide to address a security weakness said to be exploited by threat actors.
“The Stable channel has been updated to 138.0.7204.157/.158 for Windows, Mac and 138.0.7204.157 for Linux which will roll out over the coming days/weeks,” reads the latest entry on the Google Chrome Releases blog. “A full list of changes in this build is available in the Log.”
The update includes six security fixes, some more serious than others. One is said to have a working exploit, and threat actors have likely used it to compromise targets.
The more serious flaw, tracked as CVE-2025-6558, is described as an “Incorrect validation of untrusted input in ANGLE and GPU.”
Incorrect validation of untrusted input occurs when the system doesn't properly check data coming from external sources. The error can lead to vulnerabilities that attackers can exploit to reach deeper parts of the system and execute malicious code.
Reported last month by Clément Lecigne and Vlad Stolyarov of Google's Threat Analysis Group, the flaw is said to have a working exploit in the wild, meaning criminals may have already used it.
The advisory mentions:
Google is aware that an exploit for CVE-2025-6558 exists in the wild.
According to the NIST National Vulnerability Database, “Insufficient validation of untrusted input in ANGLE and GPU in Google Chrome prior to 138.0.7204.157 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page.”
Unpatched vulnerabilities in Chrome, the world’s most used web browser, have been leveraged to conduct spyware attacks.
Google rates the bug’s severity as “high.”
In typical fashion, Google is withholding the technical details to keep opportunistic exploits at bay.
“Access to bug details and links may be kept restricted until a majority of users are updated with a fix,” the search titan says. “We will also retain restrictions if the bug exists in a third-party library that other projects similarly depend on, but haven’t yet fixed.”
Google has patched similarly risky flaws in Chrome this year, including:
A flaw that could be exploited to take over accounts
A ‘GPU’ issue exploited in the macOS version of Chrome
A vulnerability said to have been exploited in an espionage campaign
As of today, Chrome users should be on:
Chrome 138.0.7204.157/.158 on Windows and Mac
Chrome 138.0.7204.157 on Linux
Chrome 138.0.7204.156 on iOS
Chrome 138.0.7204.157 on Android
Even if you don’t consider yourself a target for hackers, Bitdefender recommends you deploy the latest updates for all your personal devices as soon as they're available, especially when the vendor rates the risk level as high – and even more so if the issues may be exploited in the wild.
The desktop version of Chrome automatically checks for the latest version every time it relaunches. If you haven’t closed Chrome in a while, you can start the process manually. Visit the three-dotted options menu, choose Settings -> About Chrome, and let the browser fetch the latest version from Google’s servers. When prompted, relaunch Chrome.
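For anyone responsible for more than one machine, checking each browser by hand does not scale. The following is an added example (not code from Bitdefender or Google) that compares reported Chrome versions against the fixed builds listed above, per platform, and flags installs that still need the update. The inventory format (host, platform, version) and all host entries are constructed for the example; the version thresholds are the ones stated in this article.

```python
"""Flag Chrome installs that are below the fixed builds for CVE-2025-6558.

Added example, not Bitdefender's or Google's code. The inventory lines below
are constructed; the version thresholds are the builds listed in the article.
"""
import re

# Fixed builds per platform, exactly as listed in the article.
FIXED_BUILD = {
    "windows": "138.0.7204.157",
    "mac": "138.0.7204.157",
    "linux": "138.0.7204.157",
    "android": "138.0.7204.157",
    "ios": "138.0.7204.156",
}

# The article states the iOS build is not affected by the exploited issue.
NOT_AFFECTED = {"ios"}

# Chrome versions have four dotted numeric components, e.g. 138.0.7204.157.
_VERSION_RE = re.compile(r"^\d+(\.\d+){3}$")


def parse_version(text):
    """Return a Chrome version as a tuple of ints, or None if it is malformed."""
    text = text.strip()
    if not _VERSION_RE.match(text):
        return None
    return tuple(int(part) for part in text.split("."))


def assess(platform, version):
    """Classify one install as 'patched', 'update-needed', 'not-affected' or 'unknown'."""
    platform = platform.strip().lower()
    if platform not in FIXED_BUILD:
        return "unknown"          # platform we have no threshold for
    installed = parse_version(version)
    if installed is None:
        return "unknown"          # malformed or missing version string
    if platform in NOT_AFFECTED:
        return "not-affected"
    # Tuple comparison orders 139.x above 138.x and .158 above .157, so any
    # later build (including a newer major release) counts as patched.
    return "patched" if installed >= parse_version(FIXED_BUILD[platform]) else "update-needed"


def triage(inventory_csv):
    """Parse constructed 'host,platform,version' lines into {host: status}."""
    results = {}
    for line in inventory_csv.strip().splitlines():
        if not line.strip() or line.startswith("#"):
            continue              # skip blank lines and comments
        parts = [p.strip() for p in line.split(",")]
        if len(parts) != 3:
            continue              # skip rows that do not fit the expected shape
        host, platform, version = parts
        results[host] = assess(platform, version)
    return results


# Constructed sample inventory (hostnames and versions are made up for the example).
SAMPLE_INVENTORY = """
# host,platform,version
ws-01,windows,138.0.7204.158
ws-02,windows,138.0.7204.100
lx-01,linux,138.0.7204.157
mac-01,mac,137.0.7151.120
and-01,android,139.0.7300.10
ios-01,ios,138.0.7204.156
lab-01,linux,not-installed
"""

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

The comparison is done on integer tuples rather than strings, so a build like 138.0.7204.158 correctly ranks above 138.0.7204.157 and a later major release is never misreported as outdated; anything that cannot be parsed is reported as unknown rather than silently assumed safe.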
iPhone users are unaffected by the exploitable issue described above. With this update, Google keeps the versioning on par with the usual “stability and performance improvements” for Chrome users on iOS.
Android users, though, might want to update sooner.
As Google’s security advisories mention periodically, the Android version of Chrome usually gets the same security fixes as the desktop version of the web browser – unless Google notes otherwise. To patch Chrome on your Android device, visit the Google Play Store and download the latest version.
For peace of mind, consider running a security solution on all your devices, including your phone.
Filip has 15 years of experience in technology journalism. In recent years, he has turned his focus to cybersecurity in his role as Information Security Analyst at Bitdefender.