Google Patches Fifth Actively Exploited Chrome Zero-Day of 2025

Google has released security patches to address multiple Chrome vulnerabilities, including one flaw that has been actively exploited in the wild. The latest vulnerability, CVE-2025-6554, is the fifth Chrome zero-day Google has patched this year.

A New Vulnerability Exposed: CVE-2025-6558

Google's Threat Analysis Group (TAG) reported a new vulnerability, CVE-2025-6558, which affects the ANGLE and GPU components of Chrome. The vulnerability is due to improper validation of untrusted input, and it has a CVSS score of 8.8. This makes it a highly critical issue that could allow attackers to execute arbitrary code.

Exploitation in the Wild

According to Google's advisory published on June 23, 2025, an exploit for CVE-2025-6558 already exists in the wild. This suggests that nation-state actors or commercial spyware vendors have been using this vulnerability to gain unauthorized access to systems.

A Type Confusion Vulnerability

CVE-2025-6554 is a type confusion vulnerability, which occurs when a program mistakenly treats a piece of data as a different type than it actually is. This mismatch can cause memory corruption, crashes, or allow an attacker to execute arbitrary code.
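The general bug class described above, shown as an added example that is not part of the original article and is not Chrome, V8 or ANGLE code: a constructed toy tagged value with one accessor that skips the type check and one that enforces it. The names `value_t`, `string_of_unchecked` and `string_of_checked` are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed toy value type for illustration; not Chrome, V8 or ANGLE code. */
typedef enum { KIND_NUMBER, KIND_STRING } kind_t;

typedef struct {
    kind_t kind;                /* runtime type tag */
    union {
        uintptr_t   number;     /* valid only when kind == KIND_NUMBER */
        const char *string;     /* valid only when kind == KIND_STRING */
    } as;
} value_t;

/* Confused accessor: assumes every value is a string and never checks the tag.
 * Given a number, it hands back that number's bits as if they were a pointer. */
const char *string_of_unchecked(const value_t *v) {
    return v->as.string;
}

/* Hardened accessor: validates the tag before reinterpreting the storage.
 * Returns 0 on success, -1 if the value is not a string. */
int string_of_checked(const value_t *v, const char **out) {
    if (v == NULL || out == NULL || v->kind != KIND_STRING)
        return -1;
    *out = v->as.string;
    return 0;
}

int main(void) {
    /* Constructed sample values. */
    value_t num = { .kind = KIND_NUMBER, .as.number = 0x1000 };
    value_t str = { .kind = KIND_STRING, .as.string = "hello" };
    const char *s = NULL;

    /* The bogus pointer is only printed, never dereferenced. */
    printf("unchecked on number -> %p\n", (void *)string_of_unchecked(&num));
    printf("checked on number   -> %d\n", string_of_checked(&num, &s));
    if (string_of_checked(&str, &s) == 0)
        printf("checked on string   -> %s\n", s);
    return 0;
}
```

The unchecked accessor turns a plain number into a pointer value, which is where the memory corruption the paragraph mentions comes from; the checked accessor rejects the mismatched value before any memory is touched.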

Discovery and Patch Release

Clement Lecigne of Google's TAG discovered the vulnerability on June 25, 2025. A configuration change was pushed out to the Stable channel across all platforms on June 26, 2025, to mitigate the issue. However, an exploit for CVE-2025-6554 still exists in the wild.

Other Fixed Vulnerabilities

Google has released security patches for six Chrome vulnerabilities, including CVE-2025-6558 and CVE-2025-6554. Other fixed vulnerabilities include:

  • CVE-2025-6557: A type confusion vulnerability in the V8 JavaScript engine.
  • CVE-2025-6556: A buffer overflow vulnerability in the WebAssembly engine.
  • CVE-2025-6555: A sandbox escape vulnerability in the Blink rendering engine.

Conclusion

The discovery and exploitation of this new Chrome zero-day highlight the ongoing threat landscape in the tech industry. It is essential for users to stay up to date with the latest security patches and maintain robust cybersecurity measures to protect themselves from such vulnerabilities.