Google has released an emergency update for its Chrome browser to fix a high-severity zero-day vulnerability that is being actively exploited in the wild. The flaw, tracked as CVE-2025-6554, is a type confusion issue in Chrome’s V8 JavaScript engine. The vulnerability was discovered by Clément Lecigne of Google’s Threat Analysis Group (TAG) on June 25, 2025.
TAG focuses on identifying advanced threats, often from government-backed attackers. “Google is aware that an exploit for CVE-2025-6554 exists in the wild,” the company stated. The flaw could allow remote attackers to manipulate Chrome’s memory and execute arbitrary code by luring users to malicious websites.
To address the threat, Google has released patched versions of Chrome: 138.0.7204.96/.97 for Windows, 138.0.7204.92/.93 for Mac, and 138.0.7204.96 for Linux.
Emergency Chrome update fixes vulnerability
Users are advised to update their browsers immediately.
Chrome users can check their version and initiate the update process manually by clicking the three-dot menu in the top-right corner, going to Settings, then About Chrome. If an update is available, Chrome will download it automatically. The patch will be applied after restarting the browser.
Users of other Chromium-based browsers like Edge, Brave, and Opera should also watch for updates and apply them as soon as they are released. This marks the fourth actively exploited zero-day vulnerability fixed in Chrome this year, following CVE-2025-2783 in March, CVE-2025-4664 in May, and CVE-2025-5419 in June. Each of these flaws was considered critical and patched through emergency updates.
Google has not disclosed further details about the vulnerability or the extent of its exploitation, but the involvement of TAG suggests it may have been used in targeted attacks by sophisticated threat actors.
