Google Confirms Chrome Attacks—You Must Restart Your Browser

Chrome is under attack—again.
Here we go again. Google has just confirmed that Chrome is under attack from another zero-day vulnerability that affects Windows PCs. Again, this has been discovered by Google’s own Threat Analysis Group, triggering an emergency update.
Google warns it is “aware that an exploit for CVE-2025-6558 exists in the wild.” This specific vulnerability affects the browser’s graphics rendering engine and, given the nature of the discovery, is likely being exploited by sophisticated threat actors.
Google says the stable channel “has been updated to 138.0.7204.157/.158 for Windows, Mac and 138.0.7204.157 for Linux.” This, it says, “will roll out over the coming days/weeks.” But that’s boilerplate. In reality, you can expect this within the next few days, and you should restart your browser as soon as it downloads.
So short is the gap between this zero-day and the last that the update mandate from the U.S. government’s cyber defence agency is still ongoing. CISA has warned federal employees to update or stop using Chrome by July 23. You can now expect another CISA mandate to be issued in the next few days.
As ever, Google says “access to bug details and links may be kept restricted until a majority of users are updated with a fix.”
The latest Chrome update addresses other vulnerabilities as well as the zero-day, including two externally reported high-severity bugs. All told, this is definitely an update you should apply as soon as you can.
Chrome remains the de facto default browser on Windows, and so is one of the most prized attack surfaces available. Google takes credit for its quickness in developing and rolling out updates as new flaws are discovered. But attackers will know the clock is now ticking, making this the time of utmost risk for users.
Remember, when you restart Chrome your private (Incognito) windows will not reopen. So, make sure you save anything you need before applying the update.