Update Chrome now to avoid a newly found zero-day vulnerability

Google has released an important update for Chrome, fixing several vulnerabilities in new Chrome versions 138.0.7204.157/158 for Windows and macOS and 138.0.7204.157 for Linux. According to Google, one of the vulnerabilities is already being exploited by attacks in the wild. Other Chromium-based browsers should follow suit in the coming days.

In the Chrome Releases blog post, Srinivas Sista lists the two vulnerabilities that were discovered by external security researchers and reported to Google. Google classifies these two vulnerabilities (CVE-2025-7656 and CVE-2025-7657) as high risk. These include an integer overflow in the V8 JavaScript engine and a use-after-free vulnerability in the WebRTC component.

Srinivas Sista also lists a third vulnerability with a high risk potential: CVE-2025-6558. The cause of this error is that untrusted user input (or data originating from outside the browser) is not checked carefully enough in the ANGLE graphics library and in the GPU component. Attackers can exploit this to inject and execute malicious code. Google remains silent about the other internally discovered vulnerabilities.

As a rule, Chrome updates itself automatically when a new version is available. You can manually trigger the update check using the menu item Help > About Google Chrome. Google has also released Chrome for Android 138.0.7204.157 and Chrome for iOS 138.0.7204.156, which fix the same vulnerabilities as in the desktop versions.

The manufacturers of other Chromium-based browsers are now required to follow suit with their own security updates. Microsoft Edge, Brave, and Vivaldi are currently at the security level prior to this Chrome update. Meanwhile, Opera 120.0.5543.61 is still on outdated Chromium 135 from April with its many security vulnerabilities still in play.

Google plans to release Chrome 139 at the beginning of August.