Google Chrome is affected by a vulnerability that is being exploited in the wild. Tracked as CVE-2025-6554, it is a type confusion vulnerability in V8. Clément Lecigne of Google’s Threat Analysis Group discovered and reported the vulnerability to Google.
Google mentioned in the advisory that the vulnerability is being exploited in the wild. Analysts report that exploits in core browser engines such as Chrome’s V8 are high-value targets often weaponized by nation-state actors. Specifically, type confusion flaws in V8 have previously been leveraged for sandbox escapes. While this suggests interest from APTs, no specific group name has been publicly attributed yet.
This is the fourth zero-day vulnerability Google has patched since the start of the year. The previous two are:
CISA acknowledged the vulnerability’s active exploitation by adding it to its Known Exploited Vulnerabilities Catalog and urging users to patch it before July 23, 2025.
Affected Versions
The vulnerability affects Google Chrome versions before 138.0.7204.96.
Mitigation
Customers must upgrade to the latest stable channel version 138.0.7204.96/.97 for Windows, 138.0.7204.92/.93 for Mac, and 138.0.7204.96 for Linux.
For more information, please refer to the Google Chrome Release Page.
Microsoft has released the Microsoft Edge Stable Channel (Version 138.0.3351.65) to address CVE-2025-6554, which the Chromium team has reported as being exploited in the wild.
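The fixed builds listed above can be applied to a software inventory to sort hosts into patched, vulnerable and unknown. The Python below is an added example, not code from Qualys, Google or Microsoft; the CSV layout, host names and sample versions are constructed, and treating every build below the listed one as unpatched is an assumption.

```python
import csv
import io
import re

# Lowest fixed build per product and platform, copied from the advisory above.
# Assumption: any build below the listed one is treated as unpatched.
FIXED = {
    "chrome": {"windows": (138, 0, 7204, 96),
               "mac": (138, 0, 7204, 92),
               "linux": (138, 0, 7204, 96)},
    "edge": {"any": (138, 0, 3351, 65)},
}

VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")

def parse_version(text):
    """Return a 4-tuple of ints, or None if no a.b.c.d build is present."""
    m = VERSION_RE.search(text or "")
    return tuple(int(p) for p in m.groups()) if m else None

def classify(product, platform, version_text):
    """Return 'patched', 'vulnerable' or 'unknown' for one inventory record."""
    builds = FIXED.get(product.strip().lower(), {})
    fixed = builds.get(platform.strip().lower(), builds.get("any"))
    version = parse_version(version_text)
    if fixed is None or version is None:
        return "unknown"  # never report an unparsed record as patched
    # Tuples compare numerically, so .100 sorts after .96 (strings would not).
    return "patched" if version >= fixed else "vulnerable"

def triage(inventory_csv):
    """Map host -> status for a CSV with host,product,platform,version."""
    rows = csv.DictReader(io.StringIO(inventory_csv))
    return {r["host"]: classify(r["product"], r["platform"], r["version"])
            for r in rows}

# Constructed sample inventory (hosts and versions are made up for the example).
SAMPLE = """host,product,platform,version
ws-01,chrome,windows,Google Chrome 138.0.7204.49
ws-02,chrome,windows,138.0.7204.97
mb-01,chrome,mac,138.0.7204.92
lx-01,chrome,linux,137.0.7151.119
ws-03,edge,windows,138.0.3351.55
ws-04,edge,windows,138.0.3351.65
ws-05,chrome,windows,not reported
"""

if __name__ == "__main__":
    print(triage(SAMPLE))
```

Records that cannot be parsed come back as "unknown" so they are followed up rather than counted as patched.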
Qualys Detection
Qualys customers can scan their devices with QIDs 383440 and 383446 to detect vulnerable assets.
Rapid Response with Patch Management (PM)
Qualys Patch Management and its Zero-Touch Patching feature provide a seamless, automated process of patching a vulnerability like this.
Zero-Touch Patching identifies the most vulnerable products in your environment and automates the deployment of necessary patches and configuration adjustments. This streamlines the patching process and ensures vulnerabilities are addressed promptly.
Please continue to follow Qualys Threat Protection for more coverage of the latest vulnerabilities.
References
https://chromereleases.googleblog.com/2025/06/stable-channel-update-for-desktop_30.html