Google has issued an emergency security update for Chrome to address a critical zero-day vulnerability that cybercriminals are actively exploiting in targeted attacks. The flaw, designated CVE-2025-6554, represents the fourth Chrome zero-day patched by Google in 2025, highlighting an alarming escalation in browser-based threats.
The vulnerability stems from a type confusion error in V8, Chrome's JavaScript and WebAssembly engine that powers web content execution. Type confusion vulnerabilities occur when the browser incorrectly interprets data types, creating memory corruption that attackers can exploit to execute malicious code.
Google's Threat Analysis Group (TAG) discovered and reported the vulnerability on June 25, 2025, with the company acknowledging that "an exploit for CVE-2025-6554 exists in the wild." This discovery pattern suggests the flaw is likely being weaponized in highly targeted, potentially state-sponsored attacks—a concerning trend given TAG's focus on advanced persistent threats.
The attack vector is particularly insidious. Cybercriminals can exploit this vulnerability by serving victims crafted HTML pages that trigger the type confusion flaw. When successful, attackers gain the ability to perform arbitrary read and write operations in browser memory, potentially escalating to full remote code execution on the victim's system.
"The vulnerability was discovered by Clément Lecigne of Google's TAG, which typically indicates involvement in extremely targeted and likely state-sponsored attacks," security researchers noted, drawing parallels to previous V8 zero-days leveraged by North Korean threat actors against cryptocurrency organizations.
Google implemented a temporary mitigation through a configuration change pushed to Chrome's Stable channel on June 26, before releasing comprehensive fixes. The patched versions include Chrome 138.0.7204.96/.97 for Windows, 138.0.7204.92/.93 for Mac, and 138.0.7204.92 for Linux.
The company has withheld specific exploit details pending widespread update deployment, following standard vulnerability disclosure practices. However, with proof-of-concept code now reportedly available on GitHub, the window for exploitation may be widening.
Users should immediately update Chrome by navigating to Settings > About Chrome or simply restarting their browser if auto-updates are enabled. Organizations should prioritize this update given the active exploitation status. Security updates for other Chromium-based browsers, including Microsoft Edge, Brave, Opera, and Vivaldi, are still pending.