- Google’s TAG team finds high-severity bug in Chrome V8
- The bug allows threat actors to run arbitrary code on endpoints
- It is being actively exploited, so users should patch now
Google has fixed a high-severity Chrome vulnerability which was allegedly being exploited in the wild, possibly by nation-state threat actors.
In a new security bulletin, Google said it addressed a type confusion issue in Chrome V8, tracked as CVE-2025-6554, which allowed threat actors to perform arbitrary read/write operations, potentially giving way to sensitive data theft, token exfiltration, or even malware and ransomware deployment.
The V8 engine is Google’s open source high-performance JavaScript and WebAssembly engine used in Chrome and other Chromium-based browsers to execute web code efficiently. The bug caused V8 to incorrectly interpret data, leading to unintended behavior. In theory, a threat actor could serve a specially crafted HTML page to a target, which could trigger the RCE.
Nation-states and other adversaries
The bug was given a severity score of 8.1/10 – high, and was addressed in versions 138.0.7204.96/.97 for Windows, 138.0.7204.92/.93 for macOS, and 138.0.7204.96 for Linux, on June 26.
In the advisory, Google confirmed the bug was being actively abused, but decided not to share any details until the majority of the browsers are patched. Usually, Chrome automatically installs the patches, but just in case, you might want to head over to chrome://settings/help and allow Chrome to look for updates.
While Google kept the details under wraps, knowing who blew the whistle tells us a little more about potential abusers. The bug was discovered by Clément Lecigne of Google’s Threat Analysis Group (TAG), a cybersecurity arm that usually investigates nation-state threat actors.
If TAG was looking into this bug, and we know it’s abused in the wild, then it’s safe to assume that it was used by nation-states in highly targeted attacks. Previous V8 flaws have been abused in campaigns against high-profile targets in the past, including journalists, dissidents, IT admins, and similar people.