Google has pushed an emergency update to the widely used Chrome browser after identifying an actively exploited zero-day vulnerability in the product, the fourth found so far in 2025.
Tracked as CVE-2025-6554, it is described as a type confusion flaw in the Google-developed V8 JavaScript engine that compiles and executes JavaScript code in Chromium-based browsers.
It was identified by the Google Threat Analysis Group’s (TAG’s) Clément Lecigne on 25 June, and fixed the following day by a configuration change that has by now been pushed out to the stable channel on all platforms.
Left unchecked, the US National Vulnerability Database (NVD) – which is operated by the National Institute for Standards and Technology (NIST) – said the high-severity vulnerability could have allowed remote attackers to perform arbitrary read or write actions via a specially crafted HTML page.
In layman’s terms, this means vulnerable Chrome users lured into visiting an attacker-controlled website may be exposed to attacks in which threat actors install malware, including spyware, on their devices, or take other malicious actions such as bypassing security restrictions to conduct deeper lateral movement in their environment or accessing and stealing confidential data.
“Google is aware that an exploit for CVE-2025-6554 exists in the wild,” Google said in its update notice.
However, given the update may take a while to filter down to all Chrome users, Google provided no further technical details of the issue beyond the fact an exploit appears to be being used in cyber attacks. Note that the Google TAG frequently monitors and reports on state-backed cyber activity, but this is not necessarily an indicator of attribution to any such threat nexus.
Chrome users can check whether or not their browser is up to date by navigating to the Help menu via the three-dot icon in the top right corner of their browser window, and then clicking through to About Google Chrome. In most cases, doing so should automatically trigger the update if it has not yet been applied.
What are type confusion bugs?
A type confusion vulnerability arises when a program makes an inaccurate assumption about the type of an object resource and tries to access or use it as if it were the assumed type. This throws up errors and undesirable behaviours such as crashes, data corruption and incorrect memory access, or in this instance, enabling arbitrary code execution.
Attackers can take advantage of these conditions by writing specific JavaScript code to trigger incorrect type assumptions within V8.
These bugs tend to pop up in C and C++ coding languages – Chrome and V8 are both written in C++ – that make do with memory safety mechanisms, but according to SOCRadar, have been seen in PHP and Perl code as well.
Besides web browsers such as Chrome, Firefox or Safari, they can also occur in PDF readers, other JavaScript engines besides V8, or operating system components.
Developers can avoid introducing type confusion flaws into their software by conducting appropriate type checking at compile and runtime, using memory-safe languages if possible, implementing runtime type verification checks, conducting code reviews that focus on type casting, and using static analysis tools to detect potential issues down the line.
