Google Issues Emergency Patch for Fourth Chrome Zero-Day of 2025

July 1, 2025

Google has patched a critical security flaw in Chrome that was being actively exploited.

The issue, tracked as CVE-2025-6554, is a type confusion vulnerability in Chrome’s V8 JavaScript and WebAssembly engine.

This flaw allowed attackers to perform arbitrary read and write operations by luring users to open specially crafted web pages. Google confirmed the vulnerability was already being exploited in the wild.

Flaw Detected by Google Threat Team

The bug was reported on June 25 by Clément Lecigne from Google’s Threat Analysis Group (TAG), a team known for uncovering sophisticated attacks linked to nation-state actors.

According to the National Vulnerability Database (NVD), the flaw affects Chrome versions before 138.0.7204.96 and could allow attackers to execute arbitrary code or crash programs.

The next day, on June 26, Google deployed a configuration change to the Stable channel across all platforms, mitigating the risk for users on Windows (versions 138.0.7204.96/.97), macOS (138.0.7204.92/.93) and Linux (138.0.7204.96).

Type Confusion: A High-Impact Vulnerability

Type confusion errors can have serious security implications. When a program incorrectly assumes the type of an object, attackers can manipulate the software to access memory out of bounds. This opens the door to:

  • Arbitrary code execution

  • Drive-by downloads

  • Spyware installations

  • Silent data exfiltration

TAG’s involvement suggests that the exploit may have been part of targeted campaigns against high-profile individuals, such as journalists, dissidents or political opponents. Google, however, has not disclosed technical details or confirmed who was targeted, citing user protection and ongoing patching as reasons for withholding information.

Urgent Update Advised for Chrome and Chromium-Based Browsers

While most users will receive the fix automatically, manual updates can be triggered by visiting Settings > Help > About Google Chrome.

Organizations managing multiple endpoints should ensure patch compliance and activate automated browser updates to maintain optimal security.
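
For fleet-wide patch compliance, one way to check an endpoint inventory against the fixed builds quoted above, as an added example that is not Google's tooling or part of the original article. The inventory format, host names and function names are assumptions; it covers Google Chrome only, since other Chromium-based browsers use their own version numbers.

```python
# Added example: flag Chrome installs that predate the CVE-2025-6554 fix.
# Minimum fixed builds per platform are the ones quoted in this article.
FIXED = {
    "windows": (138, 0, 7204, 96),
    "macos": (138, 0, 7204, 92),
    "linux": (138, 0, 7204, 96),
}

def parse_version(text):
    """Turn '138.0.7204.96' into (138, 0, 7204, 96); None if malformed."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdecimal() for p in parts):
        return None
    return tuple(int(p) for p in parts)

def classify(platform, version):
    """Return 'patched', 'vulnerable' or 'unknown' for one endpoint."""
    minimum = FIXED.get(platform.strip().lower())
    parsed = parse_version(version)
    if minimum is None or parsed is None:
        return "unknown"  # needs manual review; never counted as patched
    # Tuple comparison is numeric per component, so .100 sorts above .96
    # (a plain string comparison would get this wrong).
    return "patched" if parsed >= minimum else "vulnerable"

def audit(inventory):
    """Group hosts by status; inventory is (host, platform, version) rows."""
    report = {"patched": [], "vulnerable": [], "unknown": []}
    for host, platform, version in inventory:
        report[classify(platform, version)].append(host)
    return report

# Constructed sample inventory (hypothetical hosts, not real data).
SAMPLE = [
    ("ws-01", "Windows", "138.0.7204.97"),
    ("ws-02", "Windows", "138.0.7204.49"),
    ("mac-01", "macOS", "138.0.7204.92"),
    ("lin-01", "Linux", "137.0.7151.119"),
    ("lin-02", "Linux", "138.0.7204.100"),
    ("kiosk-01", "ChromeOS", "138.0.7204.96"),  # platform not in FIXED
    ("ws-03", "Windows", "unknown"),            # agent reported no version
]

if __name__ == "__main__":
    for status, hosts in audit(SAMPLE).items():
        print(f"{status:10} {', '.join(hosts) or '-'}")
```

Hosts reported as unknown have a platform or version string the check cannot interpret and should be reviewed by hand rather than assumed patched.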

Other browsers built on Chromium, including Microsoft Edge, Brave, Opera and Vivaldi, are also potentially impacted and should be updated once fixes are released.

With CVE-2025-6554, Google has now addressed four zero-days this year. These earlier flaws included sandbox escapes and out-of-bounds memory weaknesses, one of which was linked to espionage campaigns targeting Russian institutions.
