Google has issued an urgent security update for Chrome to tackle a newly discovered zero-day vulnerability affecting Windows and Mac users globally. This marks the fourth such vulnerability addressed by Google in 2025. The flaw, identified as CVE-2025-6554, is a high-severity “type confusion” issue within Chrome’s V8 JavaScript and WebAssembly engine. This type of vulnerability can lead to arbitrary read/write operations and potentially full remote code execution, posing significant security risks.
A security researcher from Google’s Threat Analysis Group identified the bug, which has been actively exploited. The vulnerability affects Chrome versions prior to 138.0.7204.96, allowing attackers to execute malicious code or crash the browser. Google implemented a temporary server-side fix and has now released a full patch for Windows, Mac, and Linux users.
Details about the exploitation and the threat actors remain undisclosed, but users are strongly advised to update their browsers to the latest version to mitigate risks. Chrome’s auto-update feature will apply the fix automatically, but users can also manually update via the settings menu. This incident follows three other zero-day vulnerabilities patched earlier in 2025, highlighting ongoing security challenges for the browser.
