Fresh zero-day vulnerability in Chrome found to be actively exploited by hackers in the wild

News
By published

And you're not necessarily safe if you don't use Chrome either.

BERLIN, GERMANY - APRIL 22: The logo of the webbrowser Google Chrome is shown on the display of a smartphone on April 22, 2020 in Berlin, Germany.
(Image credit: Getty Images. Thomas Trutschel/Photothek)

When was the last time you updated your web browser? Are your palms sweaty? Knees weak, arms heavy, mom's spaghetti? Well, as the saying goes the best time to plant a tree/update your web browser/begin your illustrious rap career was probably long before today but the next best time is right now—and it's just as well as the National Vulnerability Database has just catalogued a zero-day flaw in Chrome.

CVE-2025-6554 is essentially a type confusion error in the V8 Javascript engine. This flaw has been spotted in the wild, and as the NVD entry explains, has been leveraged to allow "a remote attacker to perform arbitrary read/write via a crafted HTML page." Basically, if you're using a version of Chrome older than 138.0.7204.96, simply visiting a dodgy website could allow a hacker to execute code on your device.

This vulnerability was flagged to Google by Clément Lecigne of the company's internal Threat Analysis Group on June 25, leading to a speedy stable channel update less than a week later. If you're on either version 138.0.7204.96/.97 for Windows, 138.0.7204.92/.93 for Mac or 138.0.7204.92 for Linux, the vulnerability should no longer be as pressing an issue.

I say 'as pressing' because this Javascript error has been the root of a number of zero-day vulnerabilities in the past as well. For instance, of the ten zero-day vulnerabilities Bleeping Computer counted in 2024 alone, a V8 type confusion error played a role in about half of them. It's very much a known issue.

Chrome usually updates automatically whenever it detects a new version is available. However, it also can't hurt to peek behind the three dots, check under 'Help,' and then look in 'About Google Chrome' just to ensure you're all up to date. That said, it's not just Google Chrome that could be affected by this security flaw.

Chromium-based browsers, such as Microsoft Edge, DuckDuckGo, and Opera, may also share this vulnerability. DeGoogling like PewDiePie is all well and good, but it's a company with its AI-generated, too-many-fingers in many different pies. So, I'm going to ask you once more—when was the last time you updated your web browser?

HP OMEN 35L
Best gaming PC 2025

👉Check out our full guide👈

1. Best overall: HP Omen 35L

2. Best budget: Lenovo Legion Tower 5i

3. Best compact: Velocity Micro Raptor ES40

4. Alienware: Alienware Aurora

5. Best mini PC: Minisforum AtomMan G7 PT

Jess Kinghorn
Jess Kinghorn
Hardware Writer

Jess has been writing about games for over ten years, spending the last seven working on print publications PLAY and Official PlayStation Magazine. When she’s not writing about all things hardware here, she’s getting cosy with a horror classic, ranting about a cult hit to a captive audience, or tinkering with some tabletop nonsense.

You must confirm your public display name before commenting

Please logout and then login again, you will then be prompted to enter your display name.