CVE-2025-6554 – Google Chrome Vulnerability
July 1, 2025
Severity
High
Analysis Summary
Google has released security updates to patch a zero-day vulnerability (CVE-2025-6554) in its Chrome browser that is being actively exploited. The flaw is described as a type confusion issue in the V8 JavaScript and WebAssembly engine, which allows remote attackers to perform arbitrary read and write operations via a crafted HTML page. Type confusion vulnerabilities are critical because they can lead to arbitrary code execution or program crashes.
The exploit for this vulnerability was discovered by a researcher on June 25, 2025, suggesting it may have been used in targeted attacks potentially involving nation-state actors or surveillance campaigns. The involvement of Google's Threat Analysis Group (TAG) often indicates the exploitation of such flaws in serious cyber-espionage or targeted attack scenarios.
Google mitigated the issue the next day through a configuration change deployed to the Stable channel across all platforms, reducing immediate widespread risk. However, it remains urgent for users to apply updates, especially those handling sensitive or high-value data.
The patched versions are:
- Windows: 138.0.7204.96/.97
- macOS: 138.0.7204.92/.93
- Linux: 138.0.7204.96
Users can check their update status by navigating to Settings > Help > About Google Chrome, which triggers an automatic update if one is needed. Businesses and IT teams are advised to ensure automatic patch management and monitor browser version compliance across endpoints.
CVE-2025-6554 is the fourth zero-day vulnerability in Chrome addressed by Google this year, following CVE-2025-2783, CVE-2025-4664, and CVE-2025-5419. Google has not disclosed detailed information about the exploit or its targets to prevent further abuse.
Users of Chromium-based browsers like Microsoft Edge, Brave, Opera, and Vivaldi are also advised to apply security updates as soon as they become available to safeguard against potential attacks leveraging this vulnerability.
Impact
- Arbitrary Code Execution
- Security Bypass
- Sensitive Data Exposure
Indicators of Compromise
CVE
CVE-2025-6554
Remediation
- Update Chrome to the latest patched version to close the vulnerability
- Verify browser version via Settings > Help > About Google Chrome to ensure updates are applied
- Enable automatic updates to receive future security patches without delay
- Use endpoint management tools to enforce browser update compliance across all devices
- Avoid visiting unknown or untrusted websites until patches are confirmed
- Educate users on the risks of zero-day exploits and safe browsing practices
- Monitor for unusual browser behavior indicating potential compromise
- Implement web content filtering to block access to known malicious sites
- Regularly review and apply security configurations to harden browser environments