{"id":516,"date":"2026-01-19T07:11:00","date_gmt":"2026-01-18T21:11:00","guid":{"rendered":"https:\/\/qld.cybersafebusiness.au\/index.php\/2026\/01\/19\/google-patches-fifth-chrome-zero-day-in-2025-amid-active-exploitation\/"},"modified":"2026-01-19T07:11:00","modified_gmt":"2026-01-18T21:11:00","slug":"google-patches-fifth-chrome-zero-day-in-2025-amid-active-exploitation","status":"publish","type":"post","link":"https:\/\/qld.cybersafebusiness.au\/index.php\/2026\/01\/19\/google-patches-fifth-chrome-zero-day-in-2025-amid-active-exploitation\/","title":{"rendered":"Google Patches Fifth Chrome Zero-Day in 2025 Amid Active Exploitation"},"content":{"rendered":"<p>July 2025 \u2013 Google has released a new round of Chrome security updates addressing six vulnerabilities, including a zero-day flaw actively exploited in the wild. This marks the fifth zero-day vulnerability patched in Chrome so far this year, underscoring the ongoing risks facing businesses and individuals who rely on web-based platforms.<\/p>\n<h3>What\u2019s the Critical Issue?<\/h3>\n<p>The most serious of the patched vulnerabilities is tracked as CVE-2025-6558, a flaw affecting Chrome\u2019s ANGLE and GPU components. ANGLE (Almost Native Graphics Layer Engine) is an open-source graphics engine used in Chrome and Firefox on Windows to render web content. Chrome\u2019s GPU component, similarly, helps render graphics and video.<\/p>\n<p>According to the National Institute of Standards and Technology (NIST), this vulnerability stems from improper validation of untrusted input, which can be triggered by specially crafted HTML pages. If successfully exploited, the flaw could allow remote attackers to escape Chrome\u2019s security sandbox, a key protection designed to isolate browser processes and limit potential damage.<\/p>\n<p>Google has confirmed that exploitation of this flaw is occurring in the wild, though technical details about the nature or scope of the attacks have not yet been disclosed.<\/p>\n<h3>Who Reported It?<\/h3>\n<p>The flaw was discovered by Cl\u00e9ment Lecigne and Vlad Stolyarov from Google\u2019s Threat Analysis Group (TAG). This team is well known for identifying and tracking threats linked to commercial spyware vendors\u2014raising concerns that this vulnerability may have been abused in targeted surveillance campaigns.<\/p>\n<h3>Additional Vulnerabilities Addressed<\/h3>\n<p>Alongside the zero-day, Google has also patched the following vulnerabilities:<\/p>\n<ul>\n<li>CVE-2025-7656: An integer overflow bug in Chrome\u2019s V8 JavaScript engine, reported by an external researcher. This issue could potentially allow attackers to manipulate memory and execute malicious code.\n<\/li>\n<li>CVE-2025-7657: A use-after-free vulnerability in WebRTC (used for real-time communications like video calls), also reported by an external contributor.\n<\/li>\n<\/ul>\n<p>For their discovery, Google awarded a $7,000 bounty for the V8 bug, though the bounty amount for the WebRTC issue has not yet been disclosed. As per Google\u2019s policy, no reward is given for vulnerabilities discovered internally, such as the CVE-2025-6558 zero-day.<\/p>\n<h3>Update Rolling Out Now<\/h3>\n<p>The latest Chrome update is being deployed as:<\/p>\n<ul>\n<li>Version 138.0.7204.157\/.158 for Windows and macOS\n<\/li>\n<li>Version 138.0.7204.157 for Linux\n<\/li>\n<\/ul>\n<p>Google urges all users to update their browsers immediately to ensure their systems are protected.<\/p>\n<h3>Why This Matters to Your Business<\/h3>\n<p>Zero-day vulnerabilities pose a serious threat because they are exploited before patches are available, often giving attackers a critical window of opportunity to infiltrate systems. In this case, attackers may be able to bypass key browser protections, potentially exposing sensitive business data or opening paths for further compromise.<\/p>\n<p>At CSB, we want to ensure our clients stay ahead of emerging threats. If your organisation uses Google Chrome\u2014and most businesses do\u2014make sure all systems are running the latest version. Consider working with your IT team or managed services provider to apply updates across all devices in your network.<\/p>\n<h3>CSB\u2019s Recommendations<\/h3>\n<p>To reduce your exposure to browser-based threats:<\/p>\n<ul>\n<li>Enable automatic browser updates across all workstations and devices.\n<\/li>\n<li>Regularly audit browser extensions and installed software, especially on machines used by developers or executives.\n<\/li>\n<li>Educate employees about suspicious websites, phishing attempts, and the importance of keeping software up to date.\n<\/li>\n<li>Work with a cybersecurity partner to monitor threats and respond quickly when vulnerabilities are disclosed.<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>July 2025 \u2013 Google has released a new round of Chrome security updates addressing six vulnerabilities, including a zero-day flaw actively exploited in the wild. This marks the fifth zero-day [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":515,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_et_pb_use_builder":"","_et_pb_old_content":"","_et_gb_content_width":"","footnotes":""},"categories":[],"tags":[],"class_list":["post-516","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry"],"_links":{"self":[{"href":"https:\/\/qld.cybersafebusiness.au\/index.php\/wp-json\/wp\/v2\/posts\/516","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/qld.cybersafebusiness.au\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/qld.cybersafebusiness.au\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/qld.cybersafebusiness.au\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/qld.cybersafebusiness.au\/index.php\/wp-json\/wp\/v2\/comments?post=516"}],"version-history":[{"count":0,"href":"https:\/\/qld.cybersafebusiness.au\/index.php\/wp-json\/wp\/v2\/posts\/516\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/qld.cybersafebusiness.au\/index.php\/wp-json\/wp\/v2\/media\/515"}],"wp:attachment":[{"href":"https:\/\/qld.cybersafebusiness.au\/index.php\/wp-json\/wp\/v2\/media?parent=516"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/qld.cybersafebusiness.au\/index.php\/wp-json\/wp\/v2\/categories?post=516"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/qld.cybersafebusiness.au\/index.php\/wp-json\/wp\/v2\/tags?post=516"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}