Google patches another zero-day in Chrome that has been actively exploited

[harlan4096]

Google has released an emergency update to patch a zero-day vulnerability in Chrome. The security flaw has been exploited in the wild.

On June 25, 2025, security researchers, Clement Lecigne and Benoît Sevens of Google Threat Analysis Group, had discovered an exploit that is tracked as CVE-2025-6554. The issue has a high security severity rating. The zero-day threat is described as a type confusion in V8 (JavaScript engine) in Chrome. Google says that it mitigated the security issue on June 27, by making a by a configuration change that has been pushed out to Stable channel across all platforms.

The fix is available as part of Chrome 138.0.7204.96/.97 for Windows, and is rolling out 138.0.7204.92/.93 for Mac and 138.0.7204.96 for Linux. The patch notes mentions that Google is aware that an exploit for the security flaw exists in the wild.

Bleeping Computer reports this is the fourth actively exploited flaw that has been discovered/patched in Chrome since the start of the year. Chrome 134.0.6998.177/.178, which was released in March 2025, patched CVE-2025-2783, that was reported by Kaspersky researchers, and described an exploit was used to escape Chrome's sandbox on Windows. This exploit targeted media outlets, educational institutions and government organizations in Russia.

Continue Reading...