Hackers are already exploiting a new security vulnerability in Google Chrome. This zero-day vulnerability affects the browser’s V8 JavaScript engine and could allow attackers to run code on your device when you simply visit a malicious website.
Known as CVE-2025-6554, the flaw is a type confusion error. It allows a remote attacker to perform arbitrary read and write operations through a crafted HTML page. Anyone using Chrome versions older than 138.0.7204.96 may be at risk.
Google’s internal Threat Analysis Group, led by Clément Lecigne, found this issue on June 25. Less than a week later, Google released a stable update to address the problem. The patched versions are 138.0.7204.96 and .97 for Windows, 138.0.7204.92 and .93 for Mac, and 138.0.7204.92 for Linux. If your browser is up to date, you should be safer now.
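For anyone checking more than one machine, the patched builds listed above can be turned into a simple version gate. This is an added example, not code from the article or from Google; the inventory format, host names and sample versions are constructed, and the lowest build listed for each platform is assumed to be the first patched one.

```python
import re

# First patched stable build per platform, taken from the article above
# (assumption: the lower of each listed pair is the first fixed build).
FIXED = {
    "windows": (138, 0, 7204, 96),
    "mac": (138, 0, 7204, 92),
    "linux": (138, 0, 7204, 92),
}
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")

def parse_version(text):
    """Pull a four-part version out of text like `google-chrome --version` output."""
    m = _VERSION_RE.search(text or "")
    return tuple(int(p) for p in m.groups()) if m else None

def classify(platform, version_text):
    """Return 'patched', 'vulnerable' or 'unknown' for one host."""
    fixed = FIXED.get(platform.lower())
    version = parse_version(version_text)
    if fixed is None or version is None:
        return "unknown"  # needs manual review; never assume it is safe
    # Tuple comparison orders versions numerically, component by component.
    return "patched" if version >= fixed else "vulnerable"

def audit(inventory):
    """inventory: iterable of (host, platform, version_text) records.
    Returns the hosts that need action, grouped by status."""
    findings = {"vulnerable": [], "unknown": []}
    for host, platform, version_text in inventory:
        status = classify(platform, version_text)
        if status != "patched":
            findings[status].append(host)
    return findings

# Constructed sample inventory (host names and versions are made up).
SAMPLE = [
    ("ws-01", "Windows", "Google Chrome 138.0.7204.96"),
    ("ws-02", "Windows", "Google Chrome 138.0.7204.92"),
    ("mac-01", "Mac", "Google Chrome 138.0.7204.92"),
    ("lin-01", "Linux", "Google Chrome 137.0.7151.120"),
    ("lin-02", "Linux", "Google Chrome 139.0.7258.66"),
    ("kiosk-01", "ChromeOS", "138.0.7204.97"),
    ("ws-03", "Windows", "not installed"),
]
```

Calling `audit(SAMPLE)` flags `ws-02` and `lin-01` as vulnerable and leaves `kiosk-01` and `ws-03` as unknown, since the article lists no fixed build for that platform and no version could be parsed for the last host.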
Interestingly, this type of JavaScript engine error has caused several zero-day vulnerabilities in Chrome alone in 2024. Reports show that about half of the ten zero-days tracked this year involved V8 type confusion bugs. It’s a recurring weak spot that Google has to keep fixing.