Google rushes out fix for active Chrome zero-day
CVE-2025-6554 – a critical vulnerability in Chrome’s V8 engine – is being exploited right now, so Google has released an out-of-band patch.
What happened?
• A type-confusion bug lets an attacker craft a web page that reads or writes arbitrary memory, paving the way for full code execution.
• Google’s Threat Analysis Group spotted the flaw in targeted attacks on 25 June and flagged it as a zero-day.
• It is the fourth Chrome zero-day of 2025, underlining how attractive the browser has become to threat actors.
Who is at risk?
Anyone running Chrome on Windows, macOS or Linux – and users of other Chromium-based browsers – could be hit simply by visiting a booby-trapped site.
How to protect yourself
1. Update Chrome now: Settings → Help → About Google Chrome. You need version 138.0.7204.96/.97 (Windows), 138.0.7204.92/.93 (macOS) or 138.0.7204.96 (Linux).
2. Enable automatic updates across all managed endpoints.
3. Monitor for out-of-band releases from Microsoft Edge, Brave, Opera, Vivaldi and other Chromium forks.
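For step 2, one way to confirm that managed endpoints have actually reached the fixed build is to compare the versions they report against the numbers in step 1. This is an added example, not part of the original article: the inventory format, host names and sample versions are constructed, and the check covers Google Chrome only, since other Chromium-based browsers use their own version numbers.

```python
import re

# Minimum fixed builds per platform, taken from step 1 above.
FIXED = {
    "windows": (138, 0, 7204, 96),
    "macos": (138, 0, 7204, 92),
    "linux": (138, 0, 7204, 96),
}
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")

def parse_version(text):
    """Pull a four-part version out of text such as `google-chrome --version` output."""
    m = VERSION_RE.search(text)
    return tuple(int(p) for p in m.groups()) if m else None

def assess(os_name, version_text):
    """Return 'patched', 'vulnerable' or 'unknown' for one endpoint."""
    minimum = FIXED.get(os_name.strip().lower())
    version = parse_version(version_text)
    if minimum is None or version is None:
        return "unknown"  # unsupported platform or unparseable report: follow up manually
    # Compare as integer tuples; comparing strings would rank ".100" below ".96".
    return "patched" if version >= minimum else "vulnerable"

def audit(inventory):
    """inventory: lines of 'host,os,version string' (assumed export format)."""
    results = {}
    for line in inventory.strip().splitlines():
        host, os_name, version_text = (f.strip() for f in line.split(",", 2))
        results[host] = assess(os_name, version_text)
    return results

# Constructed sample inventory, for illustration only.
SAMPLE = """
ws-001,windows,Google Chrome 138.0.7204.97
ws-002,windows,Google Chrome 138.0.7204.50
mac-001,macos,Google Chrome 138.0.7204.92
lin-001,linux,Google Chrome 137.0.7151.119
kiosk-9,chromeos,Google Chrome 138.0.7204.96
ws-003,windows,not installed
"""

if __name__ == "__main__":
    for host, status in audit(SAMPLE).items():
        print(f"{host}: {status}")
```

Hosts reported as "unknown" should be treated as unverified rather than safe.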
Why it matters
Zero-days are typically deployed in highly targeted espionage campaigns before the wider criminal ecosystem catches on. Patching promptly keeps you ahead of the curve and stops drive-by compromise in its tracks.