Google has released an emergency security update for Chrome after confirming active exploitation of CVE-2025-6558, a high-severity vulnerability in the browser’s ANGLE and GPU components that carries a CVSS score of 8.8. The flaw, discovered by Google’s Threat Analysis Group on June 23, allows attackers to escape the browser’s sandbox, and is already being used in the wild. The out-of-band patch upgrades Chrome’s stable channel to version 138.0.7204.157 for Windows and Mac and 138.0.7204.157 for Linux, with a .158 build for some desktop systems. Google urges users to restart their browsers immediately; other Chromium-based browsers such as Microsoft Edge, Brave and Opera require similar action. In addition to the zero-day fix, the update corrects five other security issues, including CVE-2025-7656, an integer overflow in the V8 JavaScript engine, and CVE-2025-7657, a use-after-free flaw in WebRTC. CVE-2025-6558 is the fifth Chrome zero-day Google has patched in 2025, following CVE-2025-6554 and three earlier critical bugs. Forbes reports that CISA is expected to extend its existing July 23 update mandate for federal agencies to cover the latest patch, underscoring the urgency of applying the new build across Windows, macOS and Linux installations.
Google Confirms Chrome Attacks—You Must Restart Your Browser https://t.co/ej98Z28VVR
Research warns of phishing in Gmail via automatic AI summaries https://t.co/PezWA8bhhs https://t.co/itKEvA5BML
Google has urgently released stable version 138.0.7204.157/.158 of its Chrome browser for Windows, Mac and Linux. This update is of major importance, as it fixes several high-risk security flaws, including one ... https://t.co/yUKZgkyBD0