Chrome 0-Day Vulnerability Exploited in the Wild to Execute Arbitrary Code – Patch Now

Google has issued an urgent security update for Chrome browser users worldwide, addressing a critical zero-day vulnerability that is actively being exploited by cybercriminals.

The high-severity flaw, designated CVE-2025-6554, allows attackers to execute arbitrary code on affected systems through a type confusion vulnerability in Chrome’s V8 JavaScript engine.

Key Points
1. CVE-2025-6554, a high-severity type confusion in Chrome’s V8 engine, allows arbitrary code execution and is actively exploited.
2. Chrome updated to 138.0.7204.96/.97 (Windows), 138.0.7204.92/.93 (Mac), and 138.0.7204.96 (Linux) to fix the issue.
3. Google confirms cybercriminals are exploiting this vulnerability in the wild.
4. A mitigation was applied on June 26, 2025, but the full patch requires the latest update.
5. Update Chrome via Settings > About Chrome immediately to secure your system.

The stable channel update brings Chrome to version 138.0.7204.96/.97 for Windows users, 138.0.7204.92/.93 for Mac systems, and 138.0.7204.96 for Linux platforms. The rollout is occurring gradually over the coming days and weeks to ensure system stability across Google’s massive user base.

This emergency patch represents a swift response to a vulnerability that poses immediate risks to users’ digital security.

The type confusion flaw in V8, Chrome’s JavaScript and WebAssembly engine, can let malicious actors corrupt memory and potentially gain unauthorized access to system resources.

The vulnerability was discovered and reported by Clément Lecigne, a security researcher from Google’s elite Threat Analysis Group, on June 25, 2025. This internal discovery highlights the ongoing security monitoring efforts within Google’s infrastructure.

Recognizing the severity and active exploitation of the flaw, Google implemented an immediate mitigation measure on June 26, 2025, through a configuration change pushed to all stable channel users across all platforms.

However, this temporary mitigation serves only as a stopgap measure. The comprehensive fix requires users to update their browsers to the latest version to ensure complete protection against potential attacks.

Active Exploitation Confirmed

Google’s security team has confirmed that exploits targeting CVE-2025-6554 are circulating in the wild, making this update particularly urgent.

The company’s acknowledgment of active exploitation indicates that cybercriminals have already weaponized this vulnerability, potentially targeting unsuspecting users through malicious websites or compromised web applications.

Type confusion vulnerabilities are particularly dangerous because they can lead to memory corruption, allowing attackers to execute arbitrary code with the same privileges as the browser process. This could potentially lead to system compromise, data theft, or the installation of malware.

Chrome users should immediately check their browser version by navigating to Settings > About Chrome, which will automatically trigger an update check. The browser will download and install the security patch automatically, requiring only a browser restart to complete the process.

Organizations using Chrome in enterprise environments should prioritize this update across their networks. The combination of confirmed active exploitation and the high-severity rating makes this patch deployment critical for maintaining organizational cybersecurity posture.
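For fleet triage, the per-platform fixed builds listed above can be checked against an inventory of reported Chrome versions. The following is an added example, not code from Google or from this article; the inventory, hostnames and the "lower build of each pair is the floor" rule are assumptions made for illustration.

```python
import re

# Fixed builds named in the article; the lower build of each pair is the floor (assumption).
FIXED = {
    "windows": (138, 0, 7204, 96),
    "mac": (138, 0, 7204, 92),
    "linux": (138, 0, 7204, 96),
}
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")

def parse_version(text):
    """Extract a four-part version from e.g. 'Google Chrome 138.0.7204.96'."""
    m = VERSION_RE.search(text or "")
    return tuple(int(p) for p in m.groups()) if m else None

def classify(platform, reported):
    """Return 'patched', 'unpatched' or 'unknown' for one host."""
    floor = FIXED.get(platform.lower())
    version = parse_version(reported)
    if floor is None or version is None:
        return "unknown"  # no usable data: needs manual follow-up
    # Tuples compare numerically per component, so .100 sorts above .96
    # (a plain string comparison would get this wrong).
    return "patched" if version >= floor else "unpatched"

# Constructed sample inventory: hostnames and reported versions are invented.
INVENTORY = [
    ("ws-001", "windows", "Google Chrome 138.0.7204.97"),
    ("ws-002", "windows", "Google Chrome 138.0.7204.49"),
    ("mac-001", "mac", "Google Chrome 138.0.7204.92"),
    ("mac-002", "mac", "Google Chrome 137.0.7151.120"),
    ("lnx-001", "linux", "Google Chrome 138.0.7204.100"),
    ("lnx-002", "linux", "Google Chrome 138.0.7204.92"),  # Mac floor, not Linux
    ("kiosk-01", "windows", ""),
]

def audit(inventory):
    """Group hostnames by patch status."""
    report = {"patched": [], "unpatched": [], "unknown": []}
    for host, platform, reported in inventory:
        report[classify(platform, reported)].append(host)
    return report

if __name__ == "__main__":
    for status, hosts in audit(INVENTORY).items():
        print(f"{status}: {', '.join(hosts) or '-'}")
```

Hosts in the `unknown` bucket should be treated as needing follow-up rather than assumed safe.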

Google continues to leverage advanced security technologies, including AddressSanitizer, MemorySanitizer, and libFuzzer, to detect and prevent similar vulnerabilities from reaching production releases.


The post Chrome 0-Day Vulnerability Exploited in the Wild to Execute Arbitrary Code – Patch Now appeared first on Cyber Security News.