CVE-2025-6558 — Google Chromium ANGLE and GPU Improper Input Validation Vulnerability

Google Chrome ANGLE/GPU — Sandbox Escape via GPU Process; Affects All Chromium-Based Browsers; July 2025 Zero-Day

What is Chrome's ANGLE and GPU Process?

Chrome uses a multi-process architecture where a separate GPU process handles all GPU-accelerated rendering on behalf of the browser and renderer processes. The ANGLE (Almost Native Graphics Layer Engine) library translates OpenGL ES API calls to the native GPU API (Direct3D on Windows, Metal on macOS, Vulkan on Linux). The GPU process has broader system access than the highly sandboxed renderer process — making GPU-path vulnerabilities particularly valuable for sandbox escape.

Overview

CVE-2025-6558 is an improper input validation vulnerability (CWE-20) in Chrome's ANGLE graphics library and GPU process. Insufficient validation of GPU rendering commands generated by web content allows a crafted HTML page to trigger the vulnerability in the Chrome GPU process — enabling a potential sandbox escape from the more-restricted renderer process context to the less-restricted GPU process context. This is the fifth Chrome zero-day of 2025. CISA added it to the KEV catalog on July 22, 2025 (one week after the patch) with a 21-day deadline.

Affected Versions

Product                  Vulnerable                        Fixed
Google Chrome            < 138.0.7204.157                  138.0.7204.157
Microsoft Edge           Corresponding pre-fix version     Apply July 2025 Edge security update
Other Chromium browsers  Varies                            Update per vendor

Technical Details

The improper input validation (CWE-20) in ANGLE and the GPU process allows a crafted web page to send malformed or unexpected GPU commands through Chrome's rendering pipeline. When the GPU process receives these commands, the lack of proper input validation allows unexpected code paths that could lead to memory corruption or sandbox escape.

Sandbox escape significance: Chrome's architecture uses multiple isolation levels:

  • Renderer process: highly sandboxed, limited OS access — where malicious JavaScript/WebGL runs
  • GPU process: less sandboxed, can access more OS resources — needed for hardware GPU interaction

A renderer-to-GPU-process escape (achieved via this vulnerability) gives an attacker significantly more OS access than a renderer sandbox, and may be chained with further exploits to achieve full system compromise.

Delivery: Victim visits a malicious or compromised web page containing WebGL or GPU-intensive content that triggers the validation flaw.

Discovery

Reported to Google's Chrome security team (internal discovery per the Chrome release blog). Zero-day exploitation was confirmed before the July 15, 2025 patch.

Exploitation Context

Confirmed active exploitation before July 15, 2025. CISA added it to KEV on July 22. GPU process sandbox escapes are a recurring Chrome attack surface: CVE-2024-4947 (2024), CVE-2025-6558 (this CVE), and others in the series demonstrate sustained attacker research into the GPU process as an upgrade path from renderer sandbox compromise.

Remediation

  1. Update Chrome to 138.0.7204.157 or later immediately. The CISA deadline was August 12, 2025.
  2. Update all Chromium-based browsers: Edge, Brave, Opera, Vivaldi, and others all use the same ANGLE library and need vendor-specific updates.
  3. Enable automatic Chrome updates — the most reliable way to receive zero-day patches promptly.
  4. Note that this is the fifth Chrome zero-day of 2025 — sustained browser update cadence is essential in the current threat environment.
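A fleet triage check for remediation steps 1 and 2, added here as an example (it is not code from this page or from the Chromium project): it parses a browser inventory, compares Chrome builds against the fixed version 138.0.7204.157 given in the advisory, and, because the advisory states no single fixed version for Edge and other Chromium-based browsers, flags those hosts for a per-vendor check rather than guessing. The hostnames, the inventory rows and the version strings in the sample are constructed for illustration; the function names are my own.

```python
import csv
import io

# First patched Chrome stable build, as stated in the advisory.
CHROME_FIXED = "138.0.7204.157"


def parse_version(text):
    """Parse a dotted numeric version into a comparable 4-tuple, zero-padded.

    A short version such as '138.0' becomes (138, 0, 0, 0), which compares as
    older than the fixed build; that is the conservative direction for triage.
    """
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version: {text!r}")
    nums = [int(p) for p in parts][:4]
    return tuple(nums + [0] * (4 - len(nums)))


def assess(product, version):
    """Return 'vulnerable', 'patched' or 'verify' for one inventory record."""
    product = product.strip().lower()
    if product == "chrome":
        fixed = parse_version(CHROME_FIXED)
        return "patched" if parse_version(version) >= fixed else "vulnerable"
    # Edge, Brave, Opera, Vivaldi etc. ship their own builds; the advisory gives
    # no single fixed version for them, so send these to a per-vendor check.
    return "verify"


# Constructed sample inventory (hypothetical hosts and version strings).
SAMPLE_INVENTORY = """\
host,product,version
ws-01,chrome,138.0.7204.100
ws-02,chrome,138.0.7204.157
ws-03,chrome,137.0.7151.119
ws-04,Chrome,139.0.7258.5
ws-05,edge,138.0.3351.77
ws-06,chrome,not-a-version
"""


def triage(inventory_csv):
    """Group hosts by assessment; records with unparseable versions land in
    'verify' so they are looked at instead of silently dropped."""
    result = {"vulnerable": [], "patched": [], "verify": []}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        try:
            status = assess(row["product"], row["version"])
        except ValueError:
            status = "verify"
        result[status].append(row["host"])
    return result


if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{status}: {', '.join(hosts) or '-'}")
```

Feed it the CSV export of whatever inventory source you have (MDM, EDR, or a software-asset tool); the only assumption is the three column names. Hosts in the "verify" bucket need the vendor's own fixed-version number before they can be closed out.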

Key Details

Property              Value
CVE ID                CVE-2025-6558
Vendor / Product      Google — Chromium
NVD Published         2025-07-15
NVD Last Modified     2025-11-06
CVSS 3.1 Score        8.8
CVSS 3.1 Vector       CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Severity              HIGH
CWE                   CWE-20
CISA KEV Added        2025-07-22
CISA KEV Deadline     2025-08-12
Known Ransomware Use  No

CVSS 3.1 Breakdown

Attack Vector        Network
Attack Complexity    Low
Privileges Required  None
User Interaction     Required
Scope                Unchanged
Confidentiality      High
Integrity            High
Availability         High

Required Action

CISA BOD 22-01 Deadline: 2025-08-12. Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Timeline

Date        Event
2025-07-15  Chrome 138.0.7204.157 released with fix; zero-day exploitation confirmed
2025-07-22  CVE published; CISA adds to KEV
2025-08-12  CISA BOD 22-01 remediation deadline

References

Resource                                      Type
Chrome Stable Channel Update — July 15, 2025  Vendor Advisory
NVD — CVE-2025-6558                           Vulnerability Database
CISA KEV Catalog Entry                        US Government