Google has patched another urgent security flaw in Chrome - so update now or be at risk

News
By published

The Chrome security flaw is already being abused

Google Chrome app is seen on an iPhone next to Edge and other web browser apps. Microsoft is using new prompts in Edge to try and stop users from downloading Chrome.
(Image credit: Tada Images / Shutterstock)
  • Google's TAG team finds high-severity bug in Chrome V8
  • The bug allows threat actors to run arbitrary code on endpoints
  • It is being actively exploited, so users should patch now

Google has fixed a high-severity Chrome vulnerability which was allegedly being exploited in the wild, possibly by nation-state threat actors.

In a new security bulletin, Google said it addressed a type confusion issue in Chrome V8, tracked as CVE-2025-6554, which allowed threat actors to perform arbitrary read/write operations, potentially giving way to sensitive data theft, token exfiltration, or even malware and ransomware deployment.

The V8 engine is Google’s open source high-performance JavaScript and WebAssembly engine used in Chrome and other Chromium-based browsers to execute web code efficiently. The bug caused V8 to incorrectly interpret data, leading to unintended behavior. In theory, a threat actor could serve a specially crafted HTML page to a target, which could trigger the RCE.

Get 55% off Incogni's Data Removal service with code TECHRADAR

Get 55% off Incogni's Data Removal service with code TECHRADAR

Wipe your personal data off the internet with the Incogni data removal service. Stop identity thieves
and protect your privacy from unwanted spam and scam calls.

View Deal

Nation-states and other adversaries

The bug was given a severity score of 8.1/10 - high, and was addressed in versions 138.0.7204.96/.97 for Windows, 138.0.7204.92/.93 for macOS, and 138.0.7204.96 for Linux, on June 26.

In the advisory, Google confirmed the bug was being actively abused, but decided not to share any details until the majority of the browsers are patched. Usually, Chrome automatically installs the patches, but just in case, you might want to head over to chrome://settings/help and allow Chrome to look for updates.

While Google kept the details under wraps, knowing who blew the whistle tells us a little more about potential abusers. The bug was discovered by Clément Lecigne of Google’s Threat Analysis Group (TAG), a cybersecurity arm that usually investigates nation-state threat actors.

If TAG was looking into this bug, and we know it’s abused in the wild, then it’s safe to assume that it was used by nation-states in highly targeted attacks. Previous V8 flaws have been abused in campaigns against high-profile targets in the past, including journalists, dissidents, IT admins, and similar people.

Via Infosecurity Magazine

You might also like

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

You must confirm your public display name before commenting

Please logout and then login again, you will then be prompted to enter your display name.