Google has released an urgent update for Chrome due to a new vulnerability that hackers have already exploited
The company fixed the fourth zero-day vulnerability in 2025. This time it was a dangerous Type Confusion bug in the V8 JavaScript engine.
Google has urgently updated its Chrome browser to close a critical vulnerability, CVE-2025-6554, which was already being actively exploited by attackers. According to Infosecurity Magazine, the bug allowed arbitrary code execution after a user navigated to a specially crafted web page.
A zero-day vulnerability is a previously unknown software bug that the vendor has not yet had time to fix and that hackers can already use for attacks.
The name comes from the fact that the developer has «zero days» to react, because the vulnerability is either not yet known or known only to a narrow circle of specialists. Such vulnerabilities are considered especially dangerous because antivirus software and security systems usually do not have time to detect or block them at an early stage.
The vulnerability was discovered on June 25 by Clément Lecigne of Google’s Threat Analysis Group (TAG), a unit that specializes in tracking targeted cyberattacks, often by state-sponsored hacking groups. The issue was found in V8, the JavaScript and WebAssembly engine used in Chrome. The attack allowed reading or writing outside of the permitted memory area due to a type confusion error.
The very next day, June 26, Google released an update to the Chrome stable channel for all platforms:
Typical scenarios for exploiting such vulnerabilities include remote access, data theft, or spyware installation. While Google does not disclose who exactly was targeted, TAG’s involvement could indicate attempts to spy on journalists, political activists, or other «high-risk» users.
Users are advised to check for updates manually in Settings > Help > About Chrome. Other Chromium-based browsers should also receive updates: Edge, Brave, Opera, Vivaldi.
This is the fourth zero-day vulnerability that Google has fixed this year. The company has previously patched critical vulnerabilities related to memory overflow and sandbox bypass. One of them was linked to a cyberespionage campaign against institutions in Russia. The company urges IT departments to enable automatic browser updates for all devices and to constantly monitor for new patches.
We previously reported that Google urged users to immediately update the Chrome browser because of a high-severity vulnerability that allows remote attackers to steal confidential data from other sites.



