Google Fixes Fourth Actively Exploited Chrome Zero-Day of 2025

Google has released emergency updates to patch another Chrome zero-day vulnerability that was actively exploited in attacks, marking the fourth such flaw fixed since the start of the year. This latest update addresses a high-severity type confusion weakness in the Chrome V8 JavaScript engine, which can be used by attackers to execute arbitrary code on unpatched devices.

The vulnerability, identified as CVE-2025-6554, was discovered by Clément Lecigne of Google's Threat Analysis Group (TAG), a collective of security researchers focused on defending Google customers from state-sponsored and other similar attacks. The bug was exploited in the wild just days after it was reported to Google, highlighting the importance of rapid patching and updating.

"Google is aware that an exploit for CVE-2025-6554 exists in the wild," said the browser vendor in a security advisory issued on Monday. "This issue was mitigated on 2025-06-26 by a configuration change pushed out to Stable channel across all platforms." The company fixed the zero-day for users in the Stable Desktop channel, with new versions rolling out worldwide to Windows (138.0.7204.96/.97), Mac (138.0.7204.92/.93), and Linux users (138.0.7204.96) one day after the issue was reported to Google.

While security updates may take days or weeks to reach all users, according to Google, they were immediately available when BleepingComputer checked for updates earlier today. Users who prefer not to update manually can also rely on their web browser to automatically check for new updates and install them after the next launch.
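The patched build numbers quoted above can be turned into a fleet check. The following is an added example, not code from Google's advisory or from the original article: it flags Chrome installs older than the first patched Stable build for each platform. The `host,platform,version` inventory format, the host names and the sample versions are constructed assumptions.

```python
import re

# First patched Stable builds per platform, as listed in the article above.
PATCHED = {
    "windows": (138, 0, 7204, 96),
    "mac": (138, 0, 7204, 92),
    "linux": (138, 0, 7204, 96),
}
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)$")


def parse_version(text):
    """Return a 4-tuple of ints for a Chrome version string, or None if malformed."""
    m = VERSION_RE.match(text.strip())
    return tuple(int(p) for p in m.groups()) if m else None


def classify(platform, version_text):
    """Return 'patched', 'vulnerable' or 'unknown' for one install."""
    minimum = PATCHED.get(platform.strip().lower())
    version = parse_version(version_text)
    if minimum is None or version is None:
        return "unknown"  # never assume safe: these rows need manual review
    # Tuples compare numerically per component, so .100 sorts after .96.
    return "patched" if version >= minimum else "vulnerable"


def audit(inventory_text):
    """Parse 'host,platform,version' lines and return {host: status}."""
    results = {}
    for line in inventory_text.splitlines():
        fields = [f.strip() for f in line.split(",")]
        if not fields[0] or fields[0].startswith("#"):
            continue  # blank line or comment
        results[fields[0]] = classify(*fields[1:]) if len(fields) == 3 else "unknown"
    return results


# Constructed sample inventory: host names and versions are illustrative.
SAMPLE = """\
ws-001,windows,138.0.7204.97
ws-002,windows,138.0.7204.49
mac-01,mac,138.0.7204.92
lnx-07,linux,137.0.7151.119
lnx-08,linux,138.0.7204.100
ws-009,windows,n/a
"""

if __name__ == "__main__":
    print(audit(SAMPLE))
```

Rows reported as `unknown` (unlisted platform, malformed version, wrong field count) are deliberately not treated as patched.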

The Impact of Zero-Day Exploits

Zero-days, which are previously unknown vulnerabilities in software, can be particularly devastating because they allow attackers to execute arbitrary code on unpatched devices. While successful exploitation of such flaws, which works by reading or writing memory out of buffer bounds, generally leads to browser crashes, attackers can also exploit them to launch targeted attacks against high-risk individuals.

In this case, the zero-day bug fixed today is a type confusion weakness in the Chrome V8 JavaScript engine. This type of flaw can be used by attackers to manipulate the browser's behavior and execute malicious code on unpatched devices.

The Fourth Actively Exploited Chrome Zero-Day of 2025

This is the fourth actively exploited Google Chrome zero-day fixed since the start of the year, with three more patched in March, May, and June. The first, a high-severity sandbox escape flaw (CVE-2025-2783) reported by Kaspersky's Boris Larin and Igor Kuznetsov, was used in espionage attacks targeting Russian government organizations and media outlets with malware.

Google released another set of emergency security updates in May to address a Chrome zero-day (CVE-2025-4664) that can allow attackers to hijack accounts. One month later, the company addressed an out-of-bounds read and write weakness in Chrome's V8 JavaScript engine discovered by Google TAG's Benoît Sevens and Clément Lecigne.
