Google has taken swift action to mitigate a critical zero-day vulnerability affecting its Chrome browser, following reports that an exploit exists in the wild. The security flaw, identified as CVE-2025-6554, which scores high on the vulnerability scale, is classified as a type confusing flaw originating in the V8 JavaScript and WebAssembly engine. Hackers could exploit this flaw via a malicious HTML page, leading to arbitrary read/write actions on users’ systems.
According to a description provided by the NIST’s National Vulnerability Database (NVD), type confusion vulnerabilities can severely impact software behavior, enabling the execution of arbitrary code and potential program crashes. These vulnerabilities often pose a significant risk, as attackers may utilize them before a patch is roll out, leading to widespread compromise.
Clément Lecigne from Google’s Threat Analysis Group (TAG) discovered and reported CVE-2025-6554 on June 25, hinting at possible nation-state involvement in recent attacks utilizing this vulnerability. TAG typically investigates high-stakes threats such as government-backed intrusions. Google reported having mitigated the issue within a day by a configuration change that affected the Stable channel across all platforms, suggesting that while the threat may not be widespread, users should act quickly to update their systems.
Google has since urged users to upgrade their Chrome browsers to versions 138.0.7204.96/.97 for Windows and 138.0.7204.92/.93 for macOS, emphasizing the urgency for those handling sensitive data. Businesses managing multiple endpoints are particularly encouraged to enable automatic patching and monitor version compliance to safeguard against potential compromises. Users of other Chromium-based browsers like Microsoft Edge, Brave, and Opera should also remain vigilant and update their systems as patches become available.