Critical Zero-Day Vulnerability in Google Chrome (CVE-2025-6554)

Overview
CVE: CVE-2025-6554
Severity: CRITICAL
Score: 10.0
Date: 3 July 2025
A critical zero-day vulnerability, CVE-2025-6554, has been identified and patched in Google Chrome. The flaw is a type confusion vulnerability in the V8 JavaScript and WebAssembly engine. Successful exploitation allows a remote attacker to perform arbitrary read/write operations via a crafted HTML page. This vulnerability is currently being exploited in the wild, with evidence suggesting use in highly targeted attacks, potentially by nation-state actors or for surveillance purposes.
Affected Versions
All versions prior to:
Windows: 138.0.7204.96/.97
macOS: 138.0.7204.92/.93
Linux: 138.0.7204.96
Other Chromium-based browsers (Microsoft Edge, Brave, Opera, Vivaldi) may also be affected and should be updated as patches become available.
Mitigation
Update Chrome to the latest versions:
Windows/Linux: 138.0.7204.96 or newer
macOS: 138.0.7204.92 or newer
Monitor for vendor updates for other Chromium-based browsers and apply patches promptly.
Summary for IT Teams
Products: Google Chrome, Chromium-based browsers
Threat Level: Critical
Action:
Deploy latest Chrome updates immediately
Ensure enterprise-controlled browsers are patched
Educate users on avoiding suspicious links and sites
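
An added example (not part of the original advisory): a Python check that classifies hosts in a browser inventory against the fixed Chrome versions listed under Mitigation. The `host,os,version` inventory format, the hostnames and the sample versions are constructed for illustration; versions are compared numerically, since a plain string comparison would sort .100 before .96.

```python
import re

# Fixed versions taken from the advisory's Mitigation section.
PATCHED = {
    "windows": (138, 0, 7204, 96),
    "linux": (138, 0, 7204, 96),
    "macos": (138, 0, 7204, 92),
}

VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Return a 4-tuple of ints from a Chrome version string, or None."""
    m = VERSION_RE.search(text or "")
    return tuple(int(p) for p in m.groups()) if m else None


def classify(os_name, version_text):
    """Return 'patched', 'vulnerable' or 'unknown' for one host."""
    fixed = PATCHED.get(os_name.strip().lower())
    version = parse_version(version_text)
    if fixed is None or version is None:
        return "unknown"  # unrecognised OS or unparseable version: review by hand
    # Tuples compare element by element as integers, so .100 sorts after .96.
    return "patched" if version >= fixed else "vulnerable"


def audit(inventory_csv):
    """Map hostname -> status for 'host,os,version' lines (assumed format)."""
    results = {}
    for line in inventory_csv.strip().splitlines():
        host, os_name, version_text = (f.strip() for f in line.split(",", 2))
        results[host] = classify(os_name, version_text)
    return results


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE = """
ws-001,Windows,138.0.7204.50
ws-002,Windows,138.0.7204.100
mac-001,macOS,Google Chrome 138.0.7204.92
mac-002,macOS,137.0.7151.120
lnx-001,Linux,138.0.7204.96
lnx-002,Linux,not installed
"""

if __name__ == "__main__":
    for host, status in audit(SAMPLE).items():
        print(f"{host}: {status}")
```

Hosts reported as unknown, including other Chromium-based browsers whose fixed versions this advisory does not list, need a manual check against the vendor's release notes.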
