Google released an emergency security update for Chrome on Monday to address an actively exploited zero-day vulnerability affecting Windows and Mac users worldwide. This is the fourth Chrome zero-day fixed since early 2025.

The zero-day vulnerability, tracked as CVE-2025-6554, has been described as a high-severity “type confusion” bug in Chrome’s V8 JavaScript and WebAssembly engine.

Clement Lecigne, a security researcher from Google’s Threat Analysis Group (TAG), flagged the zero-day vulnerability on June 25, 2025, and has been credited with discovering and reporting it. TAG is known for uncovering sophisticated attacks linked to nation-state actors.

What’s The Vulnerability?

Type confusion flaws in V8, Chrome’s JavaScript engine, occur when the browser gets confused about the type of data it’s handling. It can cause Chrome to misinterpret memory, opening the door to arbitrary read/write and, in some cases, full remote code execution (RCE).

This mistake can allow hackers to access parts of memory they shouldn’t, which may let them run harmful code or crash the browser.

“Google is aware that an exploit for CVE-2025-6554 exists in the wild,” the tech giant said in a security advisory issued on Monday.

According to the National Vulnerability Database (NVD), this flaw impacts Chrome versions earlier than 138.0.7204.96 and may allow attackers to run malicious code or cause the application to crash.

Mitigation Measures

Google deployed a temporary server-side mitigation on June 26, 2025, via Chrome’s Stable channel to address the zero-day vulnerability. The company has rolled out a full patch for Chrome users in the Stable Desktop channel: Windows (138.0.7204.96/.97), Mac (138.0.7204.92/.93), and Linux (138.0.7204.96).

“Access to bug details and links may be kept restricted until a majority of users are updated with a fix. We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven’t yet fixed,” Google said.

Google has yet to disclose details about the exploitation or the threat actors behind the attacks. Since the flaw is being actively exploited in the wild, it is strongly recommended that users apply the security patch as soon as possible to protect their devices and themselves from significant security risks.

While Chrome’s auto-update will eventually install the fix, you can also manually update Chrome by going to Settings > Help > About Google Chrome.

Why Is This The Fourth?

The previously patched zero-days in Chrome during 2025 include CVE-2025-2783 (March): Incorrect handle provided in unspecified circumstances in Mojo on Windows; CVE-2025-4664 (May): Insufficient policy enforcement in Loader; and CVE-2025-5419 (June): Out of bounds read and write in V8.

With CVE-2025-6554 now patched, this marks the fourth active zero-day exploit addressed in just seven months.