Google has shipped a security update for Chrome addressing a high-severity vulnerability in the V8 JavaScript engine that is already being exploited in the wild.
Tracked as CVE-2025-6554, the flaw is categorized as a type confusion issue in V8 and was reported on June 25, 2025, by Clément Lecigne of Google’s Threat Analysis Group (TAG).
According to Google’s security bulletin, the flaw was mitigated just one day later, on June 26, via a configuration-level change, and a broader patch has now been rolled out in version 138.0.7204.96/.97 for Windows, 138.0.7204.92/.93 for macOS, and 138.0.7204.96 for Linux. The company confirmed that CVE-2025-6554 is under active exploitation, though it has withheld technical details to prevent further abuse until the majority of users apply the update.
V8 is the open-source JavaScript and WebAssembly engine that powers Chrome and other Chromium-based browsers. It is responsible for executing JavaScript code on web pages, making it central to the modern web browsing experience. Because V8 handles code from untrusted sources, such as scripts embedded in websites, it is an attractive attack surface for threat actors looking to escalate privileges or escape the browser sandbox.
Type confusion vulnerabilities in V8 occur when the engine incorrectly assumes the type of a value, allowing attackers to bypass memory safety mechanisms. These bugs can often be exploited to execute arbitrary code in the context of the browser process, potentially giving attackers access to sensitive data, session tokens, or even enabling follow-up attacks such as malware delivery or spyware implantation.
While Google has not disclosed how the current exploit is being used in the wild, the fact that it was reported by TAG, a division specializing in state-sponsored threats, suggests possible use in targeted attacks. Historically, vulnerabilities in V8 have been weaponized in campaigns against high-profile targets, including journalists, dissidents, and IT administrators.
Chrome remains the world’s most widely used browser, with an estimated 3.5 billion users across desktop and mobile platforms. Given this vast attack surface, even a limited exploit campaign could pose a significant risk, especially if users delay patching or use Chromium-based browsers that have yet to adopt the fix.
Chrome users on all desktop platforms are advised to update to the latest stable version as soon as possible. The update may be applied automatically, but manual checking is recommended:
- Open Chrome.
- Navigate to
chrome://settings/help. - Allow Chrome to check for updates and restart when prompted.
Given the exploit is actively being used in attacks, this patch should be treated as a priority.
Leave a Reply