Google on Monday announced a fresh Chrome update that resolves a high-severity vulnerability for which an exploit exists in the wild.
Tracked as CVE-2025-6554, the bug is described as a type confusion in the open source V8 JavaScript and WebAssembly engine.
A strain of memory safety bugs, type confusion issues can be exploited to trigger unexpected software behavior, leading to crashes, remote code execution, and other types of attacks.
Successful exploitation of the new Chrome security defect could allow remote attackers to perform arbitrary read/write operations using crafted HTML pages, a NIST advisory reads.
“Google is aware that an exploit for CVE-2025-6554 exists in the wild,” the internet giant notes in its advisory.
Google also notes that the vulnerability was reported on June 25 and that mitigations were rolled out the next day.
“This issue was mitigated on 2025-06-26 by a configuration change pushed out to Stable channel across all platforms,” the company said.
While Google has not provided details on the CVE or the observed exploit, its phrasing and the rushed fixes suggest that the bug has been exploited in the wild.
Furthermore, the internet giant credited Clement Lecigne of Google Threat Analysis Group (TAG) for reporting the issue. TAG researchers have uncovered multiple flaws exploited by commercial spyware vendors, including such security defects in the Chrome browser.
The latest Chrome iteration is now rolling out as versions 138.0.7204.96/.97 for Windows, versions 138.0.7204.92/.93 for macOS, and version 138.0.7204.96 for Linux. Users are advised to update their browsers as soon as possible.
This is the fourth Chrome vulnerability documented this year for which Google mentions the existence of an exploit, after CVE-2025-2783, CVE-2025-4664, and CVE-2025-5419.
Related: Chrome 138, Firefox 140 Patch Multiple Vulnerabilities
Related: Chrome 137 Update Patches High-Severity Vulnerabilities
Related: Chrome, Firefox Updates Resolve High-Severity Memory Bugs
