Vulnerability description
CVE-2025-6554 is a type confusion vulnerability in the V8 engine in Google Chrome. In Google Chrome before version 138.0.7204.96, a remote attacker can perform arbitrary read and write operations by crafting a malicious HTML page.
Affected versions
Google Chrome versions earlier than 138.0.7204.96.
Vulnerability technical details
CVE-2025-6554 is a type confusion vulnerability in V8, the JavaScript and WebAssembly engine used by Chrome. Type confusion vulnerabilities can have serious consequences: they can be exploited to trigger unexpected software behavior, which can lead to program crashes and arbitrary code execution.
Impact assessment
The vulnerability is a zero-day, meaning attackers began exploiting it before a fix was available. In a real-world attack, a vulnerability of this kind could allow attackers to install spyware, initiate drive-by downloads, or silently run harmful code, sometimes simply by getting a user to open a malicious website.
The vulnerability was discovered and reported by Clément Lecigne of Google's Threat Analysis Group (TAG) on June 25, 2025, suggesting that it may have been used in a highly targeted attack, possibly involving state-sponsored attackers or surveillance operations. TAG typically detects and investigates serious threats such as government-sponsored attacks.
Google also noted that the issue was mitigated the next day by a configuration change pushed to the stable channel for all platforms. For regular users, this means the threat may not yet be widespread, but it still needs to be patched urgently, especially if you handle sensitive or high-value data.
CVE-2025-6554 is the fourth Chrome zero-day vulnerability Google has addressed since the beginning of the year, following CVE-2025-2783, CVE-2025-4664, and CVE-2025-5419; it is worth noting, however, that it remains unclear whether CVE-2025-4664 was exploited in the wild.
Vulnerability remediation recommendations
To protect against potential threats, it is recommended to update Chrome to 138.0.7204.96/.97 for Windows, 138.0.7204.92/.93 for macOS and 138.0.7204.96 for Linux.
If you're not sure whether your browser has been updated, go to Settings > Help > About Google Chrome. Opening that page triggers a check for the latest update and installs it automatically. For organizations and IT teams managing multiple endpoints, it's critical to enable automatic patch management and monitor browser version compliance.
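As an added example (not part of the original advisory), the following Python check compares an installed Chrome version against the fixed versions listed above for each platform. It compares version components numerically rather than as strings, so a build such as 138.0.7204.100 is correctly treated as newer than 138.0.7204.96; the hostnames and version strings in the sample inventory are constructed.

```python
import re

# Minimum fixed Chrome versions per platform, as listed in the advisory.
# Where two builds are listed (e.g. 138.0.7204.96/.97), the lower one is the
# minimum version that contains the fix.
FIXED_VERSIONS = {
    "windows": "138.0.7204.96",
    "macos": "138.0.7204.92",
    "linux": "138.0.7204.96",
}

# Chrome version strings have the form MAJOR.MINOR.BUILD.PATCH, e.g. 138.0.7204.96.
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Extract a four-component Chrome version from text such as the output of
    `google-chrome --version` ("Google Chrome 138.0.7204.96") or a bare version.
    Returns a tuple of ints so comparisons are numeric, not lexicographic."""
    match = _VERSION_RE.search(text)
    if not match:
        raise ValueError(f"no Chrome version found in {text!r}")
    return tuple(int(part) for part in match.groups())


def is_patched(version_text, platform):
    """True if the installed build is at or above the fixed version for
    CVE-2025-6554 on the given platform ("windows", "macos" or "linux")."""
    fixed = parse_version(FIXED_VERSIONS[platform.lower()])
    return parse_version(version_text) >= fixed


def compliance_report(inventory):
    """Given {hostname: (platform, version_text)}, e.g. from an endpoint
    inventory, return the sorted list of hosts still on a vulnerable build."""
    return sorted(host for host, (platform, ver) in inventory.items()
                  if not is_patched(ver, platform))


if __name__ == "__main__":
    # Constructed sample inventory; these are not real hosts.
    sample = {
        "win-01": ("windows", "Google Chrome 138.0.7204.97"),
        "win-02": ("windows", "Google Chrome 137.0.7151.120"),
        "mac-01": ("macos", "Google Chrome 138.0.7204.92"),
        "lin-01": ("linux", "Google Chrome 138.0.7204.100"),  # newer than .96
        "lin-02": ("linux", "Google Chrome 138.0.7204.49"),
    }
    print("hosts still vulnerable:", compliance_report(sample))
```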
Users of other Chromium-based browsers such as Microsoft Edge, Brave, Opera, and Vivaldi are also advised to apply the fix as soon as it becomes available.