Google Patches Fifth Actively Exploited Chrome Zero-Day in 2025: CVE-2025-6554

TL;DR

Google has released patches for multiple Chrome vulnerabilities, including CVE-2025-6554, the fifth zero-day exploit addressed this year. This vulnerability, actively exploited in the wild, highlights the ongoing security challenges faced by Chrome users.

Introduction

Google has recently addressed multiple security vulnerabilities in Chrome, including a critical zero-day exploit. This marks the fifth actively exploited zero-day patched by Google in 2025, underscoring the ongoing efforts to safeguard Chrome users against evolving cyber threats.

CVE-2025-6554: The Latest Zero-Day Exploit

The most recent vulnerability, tracked as CVE-2025-6554, is a type confusion issue within the V8 JavaScript and WebAssembly engine. This flaw was mitigated through a configuration change pushed to the Stable channel across all platforms on June 26, 2025. Google’s Threat Analysis Group (TAG) discovered the exploit, which was actively used in the wild [1].

A type confusion vulnerability occurs when a program incorrectly treats data as a different type, leading to memory corruption, crashes, or arbitrary code execution. Clément Lecigne of Google’s TAG reported this vulnerability on June 25, 2025.
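To make the bug class concrete, here is an added illustration that is not from the post and not Chromium's or V8's code. It models a dynamic-language value as a tag plus a union payload (the `Value`, `TAG_*` and accessor names are invented for this example) and contrasts accessors that trust the caller's assumption about the type with accessors that verify the tag first. The confused reads reinterpret an integer's bits as a double and as an array length; the checked versions reject the mismatch before any memory is touched.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of a dynamic-language value: a tag plus a payload
 * whose meaning depends on the tag. Names and layout are invented for
 * this example; this is not V8's value representation. */
typedef enum { TAG_INT, TAG_DOUBLE, TAG_ARRAY } Tag;

typedef struct {
    uint32_t len;          /* number of elements */
    const int64_t *elems;  /* backing storage */
} ArrayPayload;

typedef struct {
    Tag tag;
    union {
        int64_t i;
        double d;
        ArrayPayload arr;
    } u;
} Value;

static Value make_int(int64_t i) {
    Value v; memset(&v, 0, sizeof v); v.tag = TAG_INT; v.u.i = i; return v;
}
static Value make_double(double d) {
    Value v; memset(&v, 0, sizeof v); v.tag = TAG_DOUBLE; v.u.d = d; return v;
}
static Value make_array(const int64_t *elems, uint32_t len) {
    Value v; memset(&v, 0, sizeof v); v.tag = TAG_ARRAY;
    v.u.arr.len = len; v.u.arr.elems = elems; return v;
}

/* Type-confused accessors: they assume the payload is what the caller
 * believes it to be and never consult the tag. Reading an integer's bits
 * as a double yields garbage; reading them as an array length yields a
 * bound that an indexing loop would trust, which is how a confusion
 * turns into an out-of-bounds access. (This demo only reports the bogus
 * length; it never indexes with it.) */
static double unchecked_as_double(Value v) { return v.u.d; }
static uint32_t unchecked_array_len(Value v) { return v.u.arr.len; }

/* Hardened accessors: the tag is checked before the payload is
 * interpreted, and a mismatch is reported instead of acted upon. */
static bool checked_as_double(Value v, double *out) {
    if (v.tag != TAG_DOUBLE) return false;
    *out = v.u.d;
    return true;
}
static bool checked_array_sum(Value v, int64_t *out) {
    if (v.tag != TAG_ARRAY) return false;
    int64_t sum = 0;
    for (uint32_t k = 0; k < v.u.arr.len; k++) sum += v.u.arr.elems[k];
    *out = sum;
    return true;
}

int main(void) {
    static const int64_t data[3] = {10, 20, 30};   /* constructed sample */
    Value n = make_int(INT64_MAX);
    Value a = make_array(data, 3);
    double d; int64_t s;

    /* Confused reads: the integer payload is reinterpreted. */
    printf("int read as double: %g\n", unchecked_as_double(make_int(42)));
    printf("int read as array length: %u\n", unchecked_array_len(n));

    /* Checked reads: the mismatch is caught before memory is touched. */
    printf("checked_as_double(int) ok=%d\n", checked_as_double(n, &d));
    if (checked_array_sum(a, &s)) printf("array sum: %lld\n", (long long)s);
    if (!checked_array_sum(n, &s)) puts("checked_array_sum(int): rejected");
    return 0;
}
```

The design point is that the tag check belongs in the accessor, not in every caller: a JIT or runtime that proves a type once and then assumes it along a fast path is exactly where a missed re-check leaves the unchecked variant in play.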

Previous Zero-Day Exploits in 2025

CVE-2025-6554 is the fifth zero-day vulnerability patched by Google this year. Earlier in 2025, Google addressed the following zero-day exploits:

  • CVE-2025-5419: An out-of-bounds read and write flaw in the V8 JavaScript engine, actively exploited in the wild. This vulnerability could lead to heap corruption via crafted HTML pages [2].

  • CVE-2025-4664: A Chrome browser vulnerability that could result in full account takeover. Google confirmed that an exploit for this vulnerability exists in the wild [3].

  • CVE-2025-2783: An incorrect handle provided in unspecified circumstances in Mojo on Windows. This high-severity flaw was actively exploited in attacks targeting organizations in Russia. Kaspersky researchers Boris Larin and Igor Kuznetsov reported this vulnerability [4].

Additional Vulnerabilities Addressed

In addition to the zero-day exploits, Google fixed several other high-severity vulnerabilities:

  • CVE-2025-7656: An integer overflow in V8, reported by Shaheen Fazim on June 17, 2025 [5].

  • CVE-2025-7657: A use-after-free vulnerability in WebRTC, reported by jakebiles on June 25, 2025 [6].

Conclusion

Google’s continuous efforts to patch actively exploited vulnerabilities highlight the importance of regular updates and vigilant threat monitoring. Users are advised to keep their browsers up-to-date to mitigate potential risks. As cyber threats evolve, so must the defensive measures to protect users from zero-day exploits.

References

  1. Stable Channel Update for Desktop. Google Chrome Releases. Retrieved 2025-07-16.

  2. Google Fixed the Second Actively Exploited Chrome Zero-Day Since the Start of the Year. Security Affairs. Retrieved 2025-07-16.

  3. Google Fixed a Chrome Vulnerability That Could Lead to Full Account Takeover. Security Affairs. Retrieved 2025-07-16.

  4. Google Fixed First Chrome Zero-Day in 2025. Security Affairs. Retrieved 2025-07-16.

  5. Issue 425583995. Chromium Issues. Retrieved 2025-07-16.

  6. Issue 427681143. Chromium Issues. Retrieved 2025-07-16.

This post is licensed under CC BY 4.0 by the author.