Google has released urgent security updates for Chrome to address a critical zero-day vulnerability, CVE-2025-6554, which is actively being exploited in the wild. The flaw is a type confusion vulnerability in V8, the JavaScript and WebAssembly engine that executes script in Chrome and other Chromium-based browsers.
Technical Details
• Vulnerability Type: Type confusion in V8 JavaScript/WebAssembly engine
• CVE Identifier: CVE-2025-6554
• Severity: High (CVSS score not yet assigned)
• Affected Versions: Chrome versions before 138.0.7204.96/.97 (Windows), 138.0.7204.92/.93 (macOS), and 138.0.7204.96 (Linux).
• Discovery: Reported by Clément Lecigne of Google’s Threat Analysis Group (TAG) on June 25, 2025.
Exploitation and Impact
• Attack Method: Remote, unauthenticated attackers can exploit this vulnerability by luring users to visit specially crafted HTML pages. These pages can trigger the flaw, allowing attackers to perform arbitrary read and write operations in the browser’s memory.
• Potential Consequences: Successful exploitation can lead to arbitrary code execution, enabling attackers to install spyware, execute drive-by downloads, or compromise the system, potentially resulting in full system takeover.
• Active Exploitation: There is confirmed evidence that this vulnerability is being exploited in the wild, likely in targeted attacks, possibly by state-sponsored actors or commercial spyware vendors.
Response and Mitigation
• Patch Release: Google pushed out a configuration change for temporary mitigation on June 26, 2025, and has since released patched versions for all major platforms.
• Update Instructions: Users are strongly advised to update their Chrome browsers immediately. The update can be applied by restarting the browser or manually checking for updates under Settings > Help > About Google Chrome.
• Other Browsers: Security updates for other Chromium-based browsers (Edge, Brave, Opera, Vivaldi) are still pending.
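For an organization checking a fleet rather than a single browser, the patched build numbers listed above can be turned into a simple triage script. The following is an added example, not code from Google or the advisory; the host names and inventory lines are constructed, and the platform labels (windows, macos, linux) are assumed to come from whatever inventory export is in use.

```python
import re

# First patched Chrome build per platform, as listed in the advisory above.
PATCHED_MIN = {
    "windows": (138, 0, 7204, 96),
    "macos": (138, 0, 7204, 92),
    "linux": (138, 0, 7204, 96),
}

def parse_version(text):
    """Return a 4-tuple of ints from text containing e.g. '138.0.7204.96'.
    Tuples compare component-wise, so 138.0.7204.96 sorts above 138.0.7204.9."""
    m = re.search(r"\b(\d+)\.(\d+)\.(\d+)\.(\d+)\b", text)
    if not m:
        raise ValueError(f"no Chrome version in {text!r}")
    return tuple(int(x) for x in m.groups())

def is_patched(version_text, platform_name):
    """True if the build is at or above the first fixed build for the platform."""
    key = platform_name.lower()
    if key not in PATCHED_MIN:
        raise ValueError(f"unsupported platform {platform_name!r}")
    return parse_version(version_text) >= PATCHED_MIN[key]

def triage(inventory_lines):
    """Classify 'host,platform,version' lines into (needs_update, patched, unassessable)."""
    needs_update, patched, unassessable = [], [], []
    for line in inventory_lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        try:
            host, plat, ver = (f.strip() for f in line.split(",", 2))
            (patched if is_patched(ver, plat) else needs_update).append(host)
        except ValueError:  # bad version string, unknown platform or malformed line
            unassessable.append(line)
    return needs_update, patched, unassessable

# Constructed sample inventory (hypothetical hosts), not data from the advisory.
SAMPLE_INVENTORY = [
    "# host,platform,chrome version",
    "ws-01, windows, Google Chrome 138.0.7204.96",
    "ws-02, windows, 138.0.7204.49",
    "mac-07, macos, 138.0.7204.93",
    "mac-08, macos, 137.0.7151.120",
    "lnx-03, linux, 138.0.7204.96",
    "lnx-04, linux, 138.0.7204.9",
    "srv-99, freebsd, 138.0.7204.96",
    "ws-05, windows, unknown",
]
```

Hosts that land in the unassessable list (unknown platform, unparseable version) should be reviewed by hand rather than treated as patched.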
Broader Context
This is the fourth actively exploited Chrome zero-day vulnerability addressed by Google this year, highlighting ongoing risks from sophisticated attackers. Google’s TAG, which focuses on defending against state-sponsored threats, discovered this flaw, suggesting that high-risk individuals (e.g., journalists, dissidents, politicians) may be primary targets. Users and organizations should update Chrome to the latest version without delay to protect against ongoing attacks leveraging this vulnerability.
