Google has released a security update to address a vulnerability in the Chrome browser that has exploits in Wild.
The zero-day vulnerability tracked as CVE-2025-6554 (CVSS score: N/A) is described as a confusing flaw in the type of V8 JavaScript and WebAssembly engine.
“Confusion in the V8 type of Google Chrome prior to 138.0.0.7204.96 meant that Nist’s National Ulnerability Database (NVD) bug description “a remote attacker could perform arbitrary reads/writes via the created HTML page.”
Type confusion vulnerabilities can have serious consequences as they can be exploited to trigger unexpected software behavior, resulting in arbitrary code and program crashes.
Such zero-day bugs are particularly dangerous as attackers often start using them before the fix becomes available. In real attacks, these flaws allow hackers to install spyware, launch drive-by downloads, and quietly execute harmful code.
Clément Lecigne, Google’s Threat Analysis Group (TAG), is acknowledged to have discovered and reported the flaws on June 25, 2025, indicating that it may have been weaponized in a highly targeted attack.
The involvement of Google’s threat analysis group indicates that exploits may be related to targeted attacks in many cases. Tags typically investigate serious threats, such as phishing campaigns, zero-click exploits, or attempts to bypass the browser’s sandbox.
Tech Giant also noted that this issue was alleviated the next day by configuration changes pushed into stable channels across all platforms. For everyday users, that means that the threat may not be spreading yet, but applying a patch is still urgent, especially if you are in the role of processing sensitive or valuable data.
Google has not released any additional details about the vulnerability and the vulnerabilities that may have exploited it, but has admitted that “the exploitation of CVE-2025-6554 exists in the wild.”
CVE-2025-6554 is a 4th day zero-day vulnerability in Chrome, as Google deals with from the beginning of the year after CVE-2025-2783, CVE-2025-4664, and CVE-2025-5419. However, we note that it is not clear whether CVE-2025-4664 is abused in a malicious context.
To protect against potential threats, we recommend updating to Chrome browser 138.0.7204.96/.97 for Windows, 138.0.7204.92/.93 for MACOS, and 138.0.7204.92/.93 for Linux.
If you’re not sure if your browser is up to date, go to Settings > Help > About Google Chrome. The latest updates should be automatically triggered. For businesses and IT teams managing multiple endpoints, enabling automated patch management and compliance with the monitoring browser version is important.
It is also recommended that users of other Chromium-based browsers such as Microsoft Edge, Brave, Opera, and Vivaldi also apply the fix when it becomes available.
Source link
