CVE-2025-6558: Insufficient validation of untrusted input in ANGLE and GPU in Google Chrome prior to 138.0.7204.157 allowed a remote attacker to potentially perform a sandbox…

high8.8CVSS 3.1

AVNACLPRNUIRSUCHIHAH

KEV

CISA Known Exploited Vulnerabilitydue 2025-08-12

Insufficient validation of untrusted input in ANGLE and GPU in Google Chrome prior to 138.0.7204.157 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)

Affected

27 ranges· showing 25

Vendor	Product	Version range	Fixed in
apple	ios_18.6_and_ipados	—	—
apple	ipados	< 18.6	18.6
apple	ipados	—	—
apple	iphone_os	< 18.6	18.6
apple	macos	< 15.6	15.6
apple	macos_sequoia	—	—
apple	safari	< 18.6	18.6
apple	safari	—	—
apple	tvos	—	—
apple	visionos	< 2.6	2.6
apple	visionos	—	—
apple	watchos	< 11.6	11.6
apple	watchos	—	—
chromium	chromium	>= 0 < 138.0.7204.157-1~deb12u1	138.0.7204.157-1~deb12u1
chromium	chromium	>= 0 < 138.0.7204.157-1	138.0.7204.157-1
chromium	chromium	>= 0 < 138.0.7204.157-1	138.0.7204.157-1
debian	chromium	< chromium 138.0.7204.157-1~deb12u1 (bookworm)	chromium 138.0.7204.157-1~deb12u1 (bookworm)
debian	debian_linux	—	—
debian	webkit2gtk	< chromium 138.0.7204.157-1~deb12u1 (bookworm)	chromium 138.0.7204.157-1~deb12u1 (bookworm)
debian	wpewebkit	< chromium 138.0.7204.157-1~deb12u1 (bookworm)	chromium 138.0.7204.157-1~deb12u1 (bookworm)
google	chrome	< 138.0.7204.157	138.0.7204.157
google	chrome	>= 138.0.7204.157 < 138.0.7204.157	138.0.7204.157
google	chrome_chrome	—	—
msrc	microsoft_edge	—	—
paloalto	prisma_browser	—	—

CVSS provenance

nvdv3.18.8HIGHCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

osv8.8HIGH

vulncheck8.8HIGH

cisa8.8HIGH