Google Chrome ANGLE Graphics Zero-Day CVE-2025-6558
Targeted Sectors
· General consumer and enterprise users of Google Chrome/Chromium-based browsers
Countries
· Global
BLUF
A high-severity vulnerability in the ANGLE graphics handling component of Google Chrome is under active exploitation, potentially allowing memory corruption or unexpected behavior via malicious web content.
The December 10 update addressed a newly discovered flaw, tracked internally under ID 466192044 at the time of release; Google stated it was aware that this high-severity vulnerability was being actively exploited by attackers.
Date of First Reported Activity
· December 10, 2025 (out-of-band patch released)
o Original patch was released in July 2025
Date of Last Reported Activity Update
· December 14, 2025
CVE-2025-6558
CVSS 3.1
· 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
Nessus ID
· 242124
o Detects the vulnerability in Google Chrome for Windows systems.
· 242123
o Detects the vulnerability in Google Chrome for macOS systems.
· 242192
o Detects the vulnerability in Microsoft Edge (Chromium-based) for Windows.
· 247450
o Generic plugin for unpatched Linux distributions.
· 249343
o Specific plugin for RHEL 9 (RHSA-2025:13782)
Is CVE-2025-6558 on the KEV list?
· Yes
CISA patch-by date
· August 12, 2025
URL to the patching information
· hxxps://chromereleases.googleblog.com/2025/07/stable-channel-update-for-desktop_15.html
APT Names
· This is not known at this time
Associated Criminal Organization Names
· This is not known at this time
IOCs
Network-Based
Connections to unusual or malicious domains/IPs from browser processes (though exploits often fetch content locally or use data URIs).
Requests for specially crafted HTML/JavaScript files that trigger the vulnerability.
Endpoint/System-Based
Browser Crashes/Anomalies: Frequent Chrome crashes, rendering errors, or GPU-related errors just before a crash.
Sandbox Escape Attempts: Monitoring for processes attempting to run outside the Chrome sandbox, often indicated by unusual parent/child process relationships or file system/network access attempts by browser components.
File-Based (Less Common/Specific): While no generic file hashes are standard, look for specific malicious files if an exploit drops them (check vendor threat intelligence feeds for samples).
Behavioral
Crafted HTML/JavaScript: Detection of JavaScript that manipulates ANGLE/GPU functions to trigger memory corruption.
GPU Operations: Unusual or excessive GPU-related API calls in Chromium processes.
Tools Used in Campaign: Malicious web content.
TTPs: T1189 (Drive-by Compromise), T1204.001 (User Execution via Malicious Link/Website).
Malware Names
· None specified at this time
Suggested rules / potential hunts
Suricata suggestions for network detection
This requires behavioral analysis over time rather than a simple signature. The easiest way to perform this is by using data models.
· Block known malicious infrastructure.
· Monitor for anomalous traffic and user agents.
· Hunt for unusual spikes in network traffic by specific hosts/users after visiting certain sites.
SentinelOne Hunting Queries
Endpoint Detection
Query (Deep Visibility):
Process Name Contains "chrome.exe" AND ChildProcName Not In ("chrome.exe", "googleupdate.exe", "msedge.exe") AND ChildProcName Ends With ".exe"
Hunt for command-line utilities (post-exploitation): look for cmd.exe, powershell.exe, bash, curl, or wget being spawned by the browser process.
Query (Deep Visibility):
Process Name Contains "chrome.exe" AND ChildProcName In ("powershell.exe", "cmd.exe", "bash", "curl", "wget")
File Creation Events: the exploit may drop malicious files onto the system.
Query (Deep Visibility):
Process Name Contains "chrome.exe" AND EventType = "File Creation" AND FilePath Contains "\AppData\Local\Temp\"
Splunk Hunting Queries
Look for connections to the known or suspected malicious domains.
Splunk Example
index=web_proxy sourcetype="proxy:*" (url="*exploit-delivery.apt-activity.biz*" OR dest_ip="198.51.100.23")
Look for the anomalies mentioned in the SentinelOne section.
index=sentinelone sourcetype="sentinelone:*" EventType="Process Creation" ParentProcessName IN ("chrome.exe", "chromium") NOT ProcessName IN ("chrome.exe", "googleupdate.exe", "msedge.exe")
Anomalous Network Activity Spikes
Hunt for sudden spikes in outbound network traffic from browser-related processes to unusual destinations.
index=network sourcetype=* ProcessName IN ("chrome.exe", "chromium") | stats count by dest_ip, dest_port, user | where count > 100
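The SentinelOne and Splunk hunts above, re-implemented as an added Python example (not part of this advisory or any vendor query) over constructed sample telemetry, so the allowlist, LOLBin, Temp-drop and connection-spike logic can be checked before it is turned into a platform query. The event field names (parent, child, event_type, path, process, user, dest_ip, dest_port) and the sample events are assumptions made for this example; the IPs are documentation-range addresses, not real indicators.

```python
from collections import Counter

BROWSERS = {"chrome.exe", "chromium", "msedge.exe"}
EXPECTED_CHILDREN = {"chrome.exe", "googleupdate.exe", "msedge.exe"}  # allowlist from the hunts
LOLBINS = {"powershell.exe", "cmd.exe", "bash", "curl", "wget"}       # post-exploitation utilities
TEMP_DIR = "\\appdata\\local\\temp\\"

# Constructed sample telemetry (assumed field names); IPs are documentation-range, not real IoCs.
EVENTS = [
    {"event_type": "Process Creation", "parent": "chrome.exe", "child": "chrome.exe"},
    {"event_type": "Process Creation", "parent": "chrome.exe", "child": "GoogleUpdate.exe"},
    {"event_type": "Process Creation", "parent": "Chrome.exe", "child": "powershell.exe"},
    {"event_type": "Process Creation", "parent": "chrome.exe", "child": "notepad.exe"},
    {"event_type": "Process Creation", "parent": "explorer.exe", "child": "cmd.exe"},
    {"event_type": "File Creation", "parent": "chrome.exe",
     "path": "C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe"},
    {"event_type": "File Creation", "parent": "chrome.exe",
     "path": "C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data\\Cache\\f_0001"},
]
CONNECTIONS = (
    [{"process": "chrome.exe", "user": "alice", "dest_ip": "198.51.100.23", "dest_port": 443}] * 150
    + [{"process": "chrome.exe", "user": "alice", "dest_ip": "203.0.113.7", "dest_port": 443}] * 5
    + [{"process": "outlook.exe", "user": "bob", "dest_ip": "198.51.100.23", "dest_port": 443}] * 300
)

def unexpected_children(events):
    """Browser spawned a child outside the allowlist (first SentinelOne hunt).
    Names are lower-cased first: 'Chrome.exe' would slip past a case-sensitive match."""
    return [e for e in events if e["event_type"] == "Process Creation"
            and e["parent"].lower() in BROWSERS
            and e["child"].lower() not in EXPECTED_CHILDREN]

def lolbin_children(events):
    """Browser spawned a shell or download utility (second SentinelOne hunt)."""
    return [e for e in unexpected_children(events) if e["child"].lower() in LOLBINS]

def temp_drops(events):
    """Browser wrote a file under %LOCALAPPDATA%\\Temp (third SentinelOne hunt)."""
    return [e for e in events if e["event_type"] == "File Creation"
            and e["parent"].lower() in BROWSERS and TEMP_DIR in e["path"].lower()]

def connection_spikes(conns, threshold=100):
    """Splunk 'stats count by dest_ip, dest_port, user | where count > 100', in Python."""
    counts = Counter((c["dest_ip"], c["dest_port"], c["user"])
                     for c in conns if c["process"].lower() in BROWSERS)
    return {key: n for key, n in counts.items() if n > threshold}
```

The case-folding step matters when porting back to a platform query: `Contains "chrome.exe"` and `IN (...)` comparisons may be case-sensitive depending on the product, so a mixed-case process name can evade the hunt as written.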
Delivery Method
User visits a malicious website or is directed to one via social engineering.
Email Samples: Not applicable (web-based).
Patches released in stable channel versions 138.0.7204.157/.158 on December 10, 2025.
Chrome Stable Channel Update (link points to the general Chrome Releases blog; the specific URL is subject to change)
References
Wiz IO
· hxxps://www.wiz.io/vulnerability-database/cve/cve-2025-6558
NVD
· hxxps://nvd.nist.gov/vuln/detail/CVE-2025-6558
SentinelOne
· hxxps://www.sentinelone.com/vulnerability-database/cve-2025-6558/
Fidelis Security
· hxxps://fidelissecurity.com/vulnerabilities/cve-2025-6558/
SecurityWeek
· hxxps://www.securityweek.com/google-patches-mysterious-chrome-zero-day-exploited-in-the-wild/
Business Standard
· hxxps://www.business-standard.com/technology/tech-news/apple-and-google-release-security-updates-to-fix-zero-day-vulnerabilities-125121500344_1.html
Tenable
· hxxps://www.tenable.com/cve/CVE-2025-6558/plugins
Chrome Releases (Google blog)
· hxxps://chromereleases.googleblog.com/2025/07/stable-channel-update-for-desktop_15.html
Carnegie Mellon University
· hxxps://www.cmu.edu/iso/news/2025/google-emergency-update.html