Google fixes fourth actively exploited Chrome zero-day of 2025

Google has released emergency updates to patch another Chrome zero-day vulnerability exploited in attacks, marking the fourth such flaw fixed since the start of the year.

“Google is aware that an exploit for CVE-2025-6554 exists in the wild,” the browser vendor said in a security advisory issued on Monday. “This issue was mitigated on 2025-06-26 by a configuration change pushed out to Stable channel across all platforms.”

The company fixed the zero-day for users in the Stable Desktop channel, with new versions rolling out worldwide to Windows (138.0.7204.96/.97), Mac (138.0.7204.92/.93), and Linux users (138.0.7204.96) one day after the issue was reported to Google.

The bug was discovered by Clément Lecigne of Google’s Threat Analysis Group (TAG), a collective of security researchers focused on defending Google customers from state-sponsored and other similar attacks.

Google TAG frequently discovers zero-day exploits deployed by government-sponsored threat actors in targeted attacks to infect high-risk individuals, including opposition politicians, dissidents, and journalists, with spyware.

Although the security updates patching CVE-2025-6554 could take days or weeks to reach all users, according to Google, they were immediately available when BleepingComputer checked for updates earlier today.

Users who prefer not to update manually can also rely on their web browser to automatically check for new updates and install them after the next launch.
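Because the rollout can take days or weeks to reach every machine, an inventory check against the fixed builds listed above shows which hosts still need the update. The following is an added example, not code from Google or BleepingComputer; the inventory format, hostnames and sample versions are constructed, and it assumes the lower of each listed pair of builds is the minimum fixed version for that platform.

```python
# Added example: flag Chrome installs older than the builds that fix CVE-2025-6554.
# Fixed builds are the Stable Desktop versions quoted in the article; where two
# builds are listed (e.g. .96/.97) the lower one is assumed to be the minimum.
FIXED_MIN = {
    "windows": (138, 0, 7204, 96),
    "mac": (138, 0, 7204, 92),
    "linux": (138, 0, 7204, 96),
}


def parse_version(text):
    """Parse 'MAJOR.MINOR.BUILD.PATCH' into a tuple of ints, or None if malformed."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isascii() and p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)


def classify(platform, version_text):
    """Return 'patched', 'needs_update' or 'unknown' for one inventory record."""
    minimum = FIXED_MIN.get(platform.strip().lower())
    version = parse_version(version_text)
    if minimum is None or version is None:
        return "unknown"  # unlisted platform or unparsable version: review by hand
    # Tuple comparison orders versions field by field, so 137.x sorts below 138.x.
    return "patched" if version >= minimum else "needs_update"


def audit(inventory):
    """Map each hostname to its status; rows are (host, platform, version)."""
    return {host: classify(platform, version) for host, platform, version in inventory}


# Constructed sample inventory (hostnames and versions are made up for illustration).
SAMPLE_INVENTORY = [
    ("ws-001", "Windows", "138.0.7204.97"),
    ("ws-002", "Windows", "138.0.7204.50"),
    ("mb-003", "Mac", "138.0.7204.92"),
    ("lx-004", "Linux", "137.0.7151.119"),
    ("lx-005", "Linux", "138.0.7204.96"),
    ("kiosk-006", "ChromeOS", "138.0.7204.96"),  # platform not covered by the article
    ("ws-007", "Windows", "138.0.7204"),         # truncated version string
]

if __name__ == "__main__":
    for host, status in audit(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

Records that come back as `unknown` are deliberately not treated as patched, so a truncated version string or an unlisted platform is surfaced for manual review.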

Google Chrome 138.0.7204.93

The zero-day bug fixed today is a high-severity type confusion weakness in the Chrome V8 JavaScript engine. While such flaws generally lead to browser crashes after successful exploitation by reading or writing memory out of buffer bounds, attackers can also exploit them to execute arbitrary code on unpatched devices.

Even though Google stated that this vulnerability was exploited in the wild, the company has yet to share technical details or additional information regarding these attacks.

“Access to bug details and links may be kept restricted until a majority of users are updated with a fix. We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven’t yet fixed,” Google said.

This is the fourth actively exploited Google Chrome zero-day fixed since the start of the year, with three more patched in March, May, and June.

The first, a high-severity sandbox escape flaw (CVE-2025-2783) reported by Kaspersky’s Boris Larin and Igor Kuznetsov, was used in espionage attacks targeting Russian government organizations and media outlets with malware.

Google released another set of emergency security updates in May to address a Chrome zero-day (CVE-2025-4664) that can allow attackers to hijack accounts. One month later, the company addressed an out-of-bounds read and write weakness in Chrome’s V8 JavaScript engine discovered by Google TAG’s Benoît Sevens and Clément Lecigne.

In 2024, Google patched a total of 10 zero-day vulnerabilities that were either exploited in attacks or demoed during Pwn2Own hacking competitions.
