Particle.news

Chrome Patch Thwarts Active V8 Zero-Day as CISA Mandates Federal Updates

The vulnerability allowed remote code execution through a type-confusion bug in Chrome’s JavaScript engine, enabling attackers to steal data or install malware.

Overview

  • Google released Chrome 138 on Windows, macOS and Linux to fix CVE-2025-6554, a high-severity type-confusion flaw in the V8 engine.
  • Google confirmed that attackers have exploited CVE-2025-6554 in the wild, marking the fourth actively exploited zero-day in Chrome this year.
  • Clément Lecigne of Google’s Threat Analysis Group discovered the vulnerability on June 25.
  • CISA has ordered federal employees to update or discontinue use of Chrome, Edge and other Chromium-based browsers by July 23.
  • The security response follows emergency server-side mitigations deployed on June 3 and multiple out-of-cycle patches addressing V8 and WebRTC flaws since late 2023.