U.S. CISA Adds Google Chromium V8 Flaw to Its Known Exploited Vulnerabilities Catalog
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a high-severity vulnerability in the Google Chromium browser engine to its Known Exploited Vulnerabilities (KEV) catalog, a reminder of the ongoing threat to individuals and organizations that rely on Chrome and other Chromium-based browsers.
The added vulnerability, CVE-2025-6554, is a type confusion bug in the V8 JavaScript and WebAssembly engine that lets a remote attacker perform arbitrary read/write operations via a crafted HTML page. According to Google's advisory (mirrored in NIST's NVD entry), the flaw was reported by Clément Lecigne of Google's Threat Analysis Group on June 25, 2025, and Google stated it is aware of an exploit for CVE-2025-6554 in the wild.
The Impact of Type Confusion Vulnerabilities
A type confusion vulnerability occurs when a program accesses a piece of memory as one type while it actually holds another, so field offsets, lengths and pointers are interpreted under the wrong layout. In a JavaScript engine such as V8 this typically happens when an optimization makes an incorrect assumption about an object's type. The mismatch can cause memory corruption and crashes, and in an attacker's hands it becomes a primitive to read and write memory of the renderer process, which is the "arbitrary read/write" Google's advisory describes. A V8 bug on its own compromises the sandboxed renderer; taking over the host usually requires chaining it with a separate sandbox escape. Prompt patching remains the practical mitigation.
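To make the mechanism concrete, here is an added C example (not code from the page, Google or the Chromium project) that models the bug class on a constructed miniature heap: two object layouts share only a leading type tag, a reader function trusts the caller's belief about the object's type and never checks the tag, and an attacker-chosen integer is therefore interpreted as a length, turning the bug into an out-of-bounds read of the neighbouring object. The object layouts, the tag values, the heap size and the secret are all assumptions for illustration; V8's real object model is different and nothing here reflects the specifics of CVE-2025-6554.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Two object layouts that share only the leading type tag. Assumed layouts for
 * the demo; a real engine's objects look nothing like this. */
enum kind { KIND_NUMBER = 1, KIND_BYTES = 2 };

struct number    { uint32_t kind; uint32_t value; }; /* 8 bytes, value attacker-controlled */
struct bytes_hdr { uint32_t kind; uint32_t len;   }; /* len bytes of payload follow */

/* Constructed "heap": a number object, then an unrelated secret right after it. */
#define SECRET "SECRET-TOKEN-123"
static uint8_t heap[64];

/* Place a number whose value the attacker controls at the start of the heap. */
const void *build_confused_number(uint32_t attacker_value) {
    struct number n = { KIND_NUMBER, attacker_value };
    memset(heap, 0, sizeof heap);
    memcpy(heap, &n, sizeof n);
    memcpy(heap + sizeof n, SECRET, sizeof SECRET);   /* the neighbour object */
    return heap;
}

/* Place a genuine bytes object at the start of the heap (payload clamped to fit). */
const void *build_real_bytes(const uint8_t *payload, uint32_t len) {
    if (len > sizeof heap - sizeof(struct bytes_hdr))
        len = sizeof heap - sizeof(struct bytes_hdr);
    struct bytes_hdr h = { KIND_BYTES, len };
    memset(heap, 0, sizeof heap);
    memcpy(heap, &h, sizeof h);
    memcpy(heap + sizeof h, payload, len);
    return heap;
}

/* VULNERABLE: assumes obj is a bytes object and never looks at the tag. When
 * obj is really a number, its attacker-chosen value is read as len and the
 * "payload" starts where the next heap object lives. cap only limits the copy
 * to the caller's buffer; it does not know where obj's real payload ends. */
size_t read_bytes_unchecked(const void *obj, uint8_t *out, size_t cap) {
    struct bytes_hdr h;
    memcpy(&h, obj, sizeof h);
    size_t n = h.len < cap ? h.len : cap;
    memcpy(out, (const uint8_t *)obj + sizeof h, n);
    return n;
}

/* HARDENED: check the tag before interpreting the layout. Returns -1 on a
 * type mismatch and leaves *got at 0. */
int read_bytes_checked(const void *obj, uint8_t *out, size_t cap, size_t *got) {
    uint32_t kind;
    *got = 0;
    memcpy(&kind, obj, sizeof kind);
    if (kind != KIND_BYTES)
        return -1;
    *got = read_bytes_unchecked(obj, out, cap);
    return 0;
}

/* Attacker's view: the unchecked path leaks the secret stored next door. */
int confusion_leaks_secret(void) {
    uint8_t out[64] = {0};
    /* Storing 24 in the number makes the confused reader copy 24 bytes starting
     * right after the 8-byte number, i.e. straight out of SECRET. */
    const void *obj = build_confused_number(24);
    size_t n = read_bytes_unchecked(obj, out, sizeof out);
    return n == 24 && memcmp(out, SECRET, sizeof SECRET) == 0;
}

/* The same confused object through the hardened path is rejected outright. */
int checked_read_rejects_confusion(void) {
    uint8_t out[64];
    size_t got = 123;
    int rc = read_bytes_checked(build_confused_number(24), out, sizeof out, &got);
    return rc == -1 && got == 0;
}

/* A genuine bytes object still works through the hardened path. */
int checked_read_accepts_real_bytes(void) {
    uint8_t out[64];
    size_t got = 0;
    const uint8_t payload[] = "hello";
    int rc = read_bytes_checked(build_real_bytes(payload, 5), out, sizeof out, &got);
    return rc == 0 && got == 5 && memcmp(out, "hello", 5) == 0;
}

int main(void) {
    printf("unchecked read leaks secret: %s\n", confusion_leaks_secret() ? "yes" : "no");
    printf("checked read rejects confused object: %s\n",
           checked_read_rejects_confusion() ? "yes" : "no");
    return 0;
}
```

The leak here stays inside the constructed 64-byte heap only because the attacker chose a small length; with a large value the same unchecked read walks off into whatever memory follows, which is why engines treat type confusion as a memory-safety bug rather than a logic error. The fix is the one-line tag check, and in a JIT-compiled engine the equivalent check is the type guard the optimizer must not drop.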
Google fixed the flaw in Chrome Stable 138.0.7204.96/.97 for Windows, 138.0.7204.92/.93 for Mac and 138.0.7204.96 for Linux, rolling out over the coming days and weeks; the issue was first mitigated on June 26, 2025 by a configuration change pushed to the Stable channel across all platforms. To verify, open chrome://settings/help, which shows the installed version and triggers an update check. Other Chromium-based browsers (Microsoft Edge, Brave, Opera, Vivaldi) pick up the V8 fix on their own release schedules, so check each of them separately.
The Fourth Chrome Zero-Day Patched by Google in 2025
CVE-2025-6554 is the fourth Chrome zero-day patched by Google in 2025, after CVE-2025-2783, CVE-2025-4664 and CVE-2025-5419, each of which was exploited in attacks before a fix shipped. The steady stream of KEV additions underscores the need for organizations and individuals to prioritize browser patching.
Under Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, Federal Civilian Executive Branch (FCEB) agencies must remediate each cataloged vulnerability by its due date to protect their networks against attacks exploiting the flaws in the catalog.
CISA Orders Federal Agencies to Fix the Vulnerability
CISA has ordered federal agencies to fix the vulnerability by July 23, 2025. Private organizations are also advised to review the KEV catalog and address the listed vulnerabilities in their own infrastructure.
For most users the quickest step is to confirm the installed Chrome version and relaunch the browser, since a downloaded update only takes effect after a restart; managed fleets should verify the rollout through their endpoint inventory rather than trusting auto-update alone.