
Google has issued a critical security update that brings Chrome to versions 138.0.7204.157 and 138.0.7204.158 on Windows, macOS, and Linux, closing several vulnerabilities that pose significant risks to users. One of these vulnerabilities is being actively exploited, which makes installing the update immediately urgent.
The vulnerabilities were publicly disclosed by external security researchers and patched by Google in response. Two of the most serious flaws—tracked as CVE-2025-7656 and CVE-2025-7657—carry high-risk ratings. CVE-2025-7656 is an integer overflow issue within the V8 JavaScript engine, which could lead to memory corruption or crashes. CVE-2025-7657 is a use-after-free bug in WebRTC, potentially enabling remote attackers to run arbitrary code during real-time communications.
Another critical vulnerability, CVE-2025-6558, involves the ANGLE graphics library and GPU components, where improper checks on untrusted user input may allow malicious code injection. This flaw could be exploited by attackers to compromise the security of a user’s device through graphics processing channels.
Chrome updates itself automatically in most cases, but users can check manually by going to the menu and selecting Help > About Google Chrome. The fixes also extend to Chrome mobile versions on Android (138.0.7204.157) and iOS (138.0.7204.156).
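The manual check does not scale to a fleet. The following added example (not from Google or the original article) audits an inventory of reported Chrome version strings against the patched builds listed in this article. The host names, inventory format and function names are hypothetical, and the lower desktop build is assumed as the floor for all three desktop platforms.

```python
import re

# Minimum patched builds as stated in the article. It does not say which desktop
# OS gets .157 versus .158, so the lower build is the desktop floor (assumption).
PATCHED = {
    "windows": (138, 0, 7204, 157),
    "macos": (138, 0, 7204, 157),
    "linux": (138, 0, 7204, 157),
    "android": (138, 0, 7204, 157),
    "ios": (138, 0, 7204, 156),
}

VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")

def parse_version(text):
    """Extract a four-part Chrome version from free text, or None."""
    m = VERSION_RE.search(text)
    return tuple(int(p) for p in m.groups()) if m else None

def audit(inventory):
    """Return {host: 'patched' | 'vulnerable' | 'unknown'} for (host, platform, raw) rows."""
    results = {}
    for host, platform, raw in inventory:
        floor = PATCHED.get(platform.lower())
        version = parse_version(raw)
        if floor is None or version is None:
            results[host] = "unknown"  # unlisted platform or unparseable string: review by hand
        # Compare as integer tuples: as strings, "138.0.7204.99" sorts above "138.0.7204.157".
        elif version >= floor:
            results[host] = "patched"
        else:
            results[host] = "vulnerable"
    return results

# Constructed sample inventory (hypothetical hosts and reported version strings).
SAMPLE = [
    ("ws-01", "windows", "Google Chrome 138.0.7204.158"),
    ("ws-02", "linux", "Google Chrome 138.0.7204.100"),
    ("mb-03", "macos", "Google Chrome 137.0.7151.120"),
    ("ph-04", "ios", "138.0.7204.156"),
    ("ph-05", "android", "138.0.7204.99"),
    ("kiosk-06", "chromeos", "138.0.7204.157"),
    ("ws-07", "windows", "version string missing"),
]

if __name__ == "__main__":
    for host, status in audit(SAMPLE).items():
        print(f"{host}: {status}")
```

Hosts reported as "unknown" are on a platform the article gives no build for or returned a string without a version, so they need a manual check rather than being counted as patched.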
Other Chromium-based browsers such as Microsoft Edge, Brave, and Vivaldi will likely follow with their own patches, but some like Opera are still running older Chromium versions with unresolved vulnerabilities.
Looking ahead, Google is planning to release Chrome 139 in early August, continuing its proactive approach to browser security.

