Google has issued an emergency update for its Chrome browser to patch a serious security vulnerability that hackers are already exploiting in real-world attacks.

The flaw, identified as CVE-2025-6554, is a “type confusion” issue in Chrome’s V8 JavaScript engine, which powers the way the browser processes web content, and it has been rated as “high” severity. The bug was discovered on June 25, 2025 and reported by Clément Lecigne from Google’s Threat Analysis Group (TAG).

“Google is aware that an exploit for CVE-2025-6554 exists in the wild,” the company wrote in a security advisory. This vulnerability could allow attackers to manipulate Chrome’s memory by enticing users to visit malicious websites. According to the National Vulnerability Database, this means a remote attacker could “perform arbitrary read/write via a crafted HTML page.”

Security researchers warn that these types of flaws are frequently leveraged to plant spyware or execute malicious code covertly, especially in targeted intrusions. Given that TAG was the group that uncovered this exploit, it raises concerns that the flaw may have been part of an advanced attack, possibly orchestrated by government-backed hackers.

What you should do now

To protect against this threat, Google advises all Chrome users to update their browsers immediately. The patched versions are 138.0.7204.96/.97 for Windows, 138.0.7204.92/.93 for Mac, and 138.0.7204.96 for Linux.

Users can confirm their version and start the update process manually by clicking the three-dot menu in the top-right corner of Chrome, navigating to Settings, then About Chrome. If an update is available, Chrome will download it automatically. After restarting the browser, the patch will be applied. Anyone using Chromium-based browsers like Edge, Brave, and Opera should also watch for updates and apply them as soon as they are released.

Chrome’s total number of zero-days in 2025

This latest incident marks the fourth actively exploited zero-day vulnerability fixed in Chrome this year. It follows three other security flaws: CVE-2025-2783 disclosed in March, CVE-2025-4664 patched in May, and CVE-2025-5419 addressed in June. Each of these vulnerabilities was considered critical and patched through emergency updates.
