Google Releases Patch for CVE-2025-6554 Zero-Day Vulnerability in Chrome

244/68 Friday, July 4, 2025

Google has issued a security update to patch a zero-day vulnerability, CVE-2025-6554, that has been actively exploited in the wild. The flaw lies in Chrome’s V8 JavaScript and WebAssembly engine and is classified as a type confusion vulnerability. It allows attackers to perform unauthorized read and write operations in memory via specially crafted HTML pages and can potentially lead to remote code execution.

According to NIST, the vulnerability results from improper handling of data types, which attackers can exploit through malicious HTML content to access memory.

This marks the fourth zero-day vulnerability that Google has addressed in 2025. Previous critical patches include:

  • CVE-2025-5419: An out-of-bounds read/write vulnerability in V8 used in active attacks.
  • CVE-2025-4664: A vulnerability potentially leading to full account takeover.
  • CVE-2025-2783: An incorrect handle vulnerability in Mojo on Windows, exploited in attacks targeting Russia.

Users are strongly advised to update Google Chrome to the latest version (138.0.7204.x) on Windows, macOS, and Linux immediately to close this attack vector and reduce the risk of broader cyber threats.

Source: https://securityaffairs.com/179549/hacking/cve-2025-6554-is-the-fourth-chrome-zero-day-patched-by-google-in-2025.html