Google patches actively exploited Chrome (CVE-2025-6554)

Google has released a security update for Chrome to address a zero-day vulnerability (CVE-2025-6554) that its Threat Analysis Group (TAG) discovered and reported last week.

“Google is aware that an exploit for CVE-2025-6554 exists in the wild,” the company said.

About CVE-2025-6554

CVE-2025-6554 is a type confusion vulnerability in V8, the JavaScript and WebAssembly engine at the heart of Chrome and Chromium-based browsers.

Remote, unauthenticated attackers can exploit this flaw by serving crafted HTML pages to targets. The pages may trigger the flaw and allow them to execute arbitrary read/write operations. In some cases, this could lead to full remote code execution.

As per usual, Google has withheld exploit details pending broad deployment of the fix. But given that the vulnerability was discovered by Clément Lecigne of Google’s TAG, it is likely being leveraged in extremely targeted and probably state-sponsored attacks.

For example, a zero-day V8 flaw patched in August 2024 was leveraged by a North Korean threat actor to target organizations in the cryptocurrency sector.

Update quickly

The vulnerability was reported by the researchers on June 25, 2025. The day after, Google pushed out a configuration change to the Chrome Stable channel across all platforms, as a temporary mitigation.

CVE-2025-6554 has now been fixed in:

  • Chrome v138.0.7204.96/.97 for Windows
  • Chrome v138.0.7204.92/.93 for Mac
  • Chrome v138.0.7204.96 for Linux

Because the flaw is being actively exploited in the wild, users are urged to update quickly.

Depending on your operating system and whether Chrome auto-updating is enabled, you can either apply the update manually or simply restart the browser to implement the fix.

Security updates for Chromium-based browsers like Microsoft Edge, Brave, Opera, and Vivaldi are still in the works.
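
A fleet check against the fixed builds listed above, as an added example that is not part of the original article. The inventory rows, host names and the "outdated"/"unknown" labels are constructed for illustration, and the script assumes that any build at or above the lowest fixed build for a platform contains the fix.

```python
import re

# Lowest fixed build per platform, taken from the list in this article.
FIXED = {
    "windows": (138, 0, 7204, 96),
    "mac": (138, 0, 7204, 92),
    "linux": (138, 0, 7204, 96),
}
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Pull a four-part Chrome version out of text such as
    'Google Chrome 138.0.7204.96' and return it as a tuple of ints."""
    match = VERSION_RE.search(text)
    if match is None:
        raise ValueError(f"no Chrome version found in {text!r}")
    return tuple(int(part) for part in match.groups())


def status(platform, version_text):
    """Return 'patched', 'outdated' or 'unknown' for one install."""
    fixed = FIXED.get(platform.lower())
    if fixed is None:
        return "unknown"  # e.g. other Chromium-based browsers
    try:
        found = parse_version(version_text)
    except ValueError:
        return "unknown"  # inventory agent returned no usable version
    # Tuples compare numerically per component, so .100 sorts above .96
    # (a plain string comparison would get that wrong).
    return "patched" if found >= fixed else "outdated"


def audit(inventory):
    """Map each host that is not confirmed patched to its status."""
    findings = {}
    for host, platform, version_text in inventory:
        state = status(platform, version_text)
        if state != "patched":
            findings[host] = state
    return findings


# Constructed sample inventory: (host, platform, reported version string).
SAMPLE_INVENTORY = [
    ("ws-01", "windows", "Google Chrome 138.0.7204.97"),
    ("ws-02", "windows", "138.0.7204.49"),
    ("mac-01", "mac", "Google Chrome 138.0.7204.92"),
    ("lin-01", "linux", "Google Chrome 138.0.7204.100"),
    ("lin-02", "linux", "Google Chrome 137.0.7151.119"),
    ("ws-03", "windows", "version lookup failed"),
]

if __name__ == "__main__":
    for host, state in audit(SAMPLE_INVENTORY).items():
        print(f"{host}: {state}")
```

Hosts reported as "unknown" need a manual look rather than being assumed safe.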
