Google has launched emergency updates to patch one other Chrome zero-day vulnerability exploited in assaults, marking the fourth such flaw mounted because the begin of the yr.
“Google is conscious that an exploit for CVE-2025-6554 exists within the wild,” the browser vendor mentioned in a safety advisoryissued on Monday. “This subject was mitigated on 2025-06-26 by a configuration change pushed out to Steady channel throughout all platforms.”
The corporate mounted the zero-day for customers within the Steady Desktop channel, with new variations rolling out worldwide to Home windows (138.0.7204.96/.97), Mac (138.0.7204.92/.93), and Linux customers (138.0.7204.96) sooner or later after the difficulty was reported to Google.
The bug was found by Clément Lecigne of Google’s Risk Evaluation Group (TAG), a collective of safety researchers targeted on defending Google prospects from state-sponsored and different related assaults.
Google TAG ceaselessly discovers zero-day exploits deployed by government-sponsored menace actors in focused assaults to contaminate high-risk people, together with opposition politicians, dissidents, and journalists, with spy ware.
Though the safety updates patching CVE-2025-6554 might take days or even weeks to succeed in all customers, in accordance with Google, they had been instantly accessible when BleepingComputer checked for updates earlier right this moment.
Customers preferring to not replace manually also can depend on their net browser to routinely examine for brand new updates and set up them after the subsequent launch.
The zero-day bug mounted right this moment is a high-severity kind confusion weak point within the Chrome V8 JavaScript engine. Whereas such flaws usually result in browser crashes after profitable exploitation by studying or writing reminiscence out of buffer bounds, attackers also can exploit them to execute arbitrary code on unpatched units.
Despite the fact that Google acknowledged that this vulnerability was exploited within the wild, the corporate has but to share technical particulars or extra info relating to these assaults.
“Entry to bug particulars and hyperlinks could also be stored restricted till a majority of customers are up to date with a repair. We may even retain restrictions if the bug exists in a 3rd celebration library that different initiatives equally rely upon, however have not but mounted,” Google mentioned.
That is the fourth actively exploited Google Chrome zero-day mounted because the begin of the yr, with three extra patched in March, Could, and June.
The primary, a high-severity sandbox escape flaw (CVE-2025-2783) reported by Kaspersky’s Boris Larin and Igor Kuznetsov, was used in espionage assaults concentrating on Russian authorities organizations and media retailers with malware.
Google launched one other set of emergency safety updates in Could to deal with a Chrome zero-day (CVE-2025-4664) that may permit attackers to hijack accounts. One month later, the corporate addressed an out-of-bounds learn and write weak point in Chrome’s V8 JavaScript engine found by Google TAG’s Benoît Sevens and Clément Lecigne.
In 2024, Google patched a complete of 10 zero-day vulnerabilities that had been both exploited in assaults or demoed throughout Pwn2Own hacking competitions.
Whereas cloud assaults could also be rising extra subtle, attackers nonetheless succeed with surprisingly easy strategies.
Drawing from Wiz’s detections throughout hundreds of organizations, this report reveals 8 key strategies utilized by cloud-fluent menace actors.
