- Google's TAG team finds a high-severity bug in Chrome V8
- The bug allows threat actors to execute arbitrary code on endpoints
- It is being actively exploited, so users should patch now
Google has fixed a high-severity Chrome vulnerability that was reportedly exploited in the wild, possibly by nation-state threat actors.
In a new security bulletin, Google said it addressed a type confusion issue in Chrome V8, tracked as CVE-2025-6554, which allowed threat actors to perform arbitrary read/write operations, potentially leading to the theft of sensitive data, token exfiltration, or even the deployment of malware and ransomware.
V8 is Google's open source, high-performance JavaScript and WebAssembly engine, used in Chrome and other Chromium-based browsers to execute web code efficiently. The bug caused V8 to misinterpret data, which led to unintended behavior. In theory, a threat actor could serve a specially crafted HTML page to a target, which could trigger RCE.
Nation-states and other adversaries
The bug received a severity score of 8.1/10 (high), and was addressed in versions 138.0.7204.96/.97 for Windows, 138.0.7204.92/.93 for macOS and 138.0.7204.96 for Linux, on June 26.
In the advisory, Google confirmed that the bug was being actively abused, but decided not to share any details until most browsers are patched. Chrome generally installs patches automatically, but just in case, you may want to go to chrome://settings/help and let Chrome check for updates.
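For anyone checking more than one machine, the following added example (not from Google or the original article) sorts a browser inventory against the fixed builds listed above. The inventory rows and hostnames are constructed, and treating any build at or above the lowest listed fixed build for a platform as patched is an assumption.

```python
# Added example: flag Chrome installs older than the fixed builds named in the article.

# Lowest fixed build per platform, taken from the article text.
FIXED = {
    "windows": "138.0.7204.96",
    "macos": "138.0.7204.92",
    "linux": "138.0.7204.96",
}

def parse_version(text):
    """Return a 4-tuple of ints, or None if the string is not a Chrome version."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdecimal() for p in parts):
        return None
    return tuple(int(p) for p in parts)

def triage(inventory):
    """Split (host, os, version) rows into patched / vulnerable / unknown."""
    result = {"patched": [], "vulnerable": [], "unknown": []}
    for host, os_name, version in inventory:
        fixed = FIXED.get(os_name.lower())
        parsed = parse_version(version)
        if fixed is None or parsed is None:
            # Platform not covered by the article, or unreadable version string:
            # report it for manual review instead of guessing.
            result["unknown"].append(host)
        elif parsed >= parse_version(fixed):
            result["patched"].append(host)
        else:
            result["vulnerable"].append(host)
    return result

# Constructed sample inventory (hostnames and installed versions are made up).
SAMPLE = [
    ("ws-01", "Windows", "138.0.7204.97"),
    ("ws-02", "Windows", "138.0.7204.50"),
    ("mac-01", "macOS", "138.0.7204.92"),
    ("mac-02", "macOS", "137.0.7151.120"),
    ("lin-01", "Linux", "138.0.7204.92"),   # fixed on macOS, not on Linux
    ("lin-02", "Linux", "139.0.7258.10"),
    ("kiosk-01", "ChromeOS", "138.0.7204.96"),
    ("ws-03", "Windows", "unknown"),
]

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE).items():
        print(f"{status}: {', '.join(hosts)}")
```

Versions are compared as integer tuples because a plain string comparison would rank build `.100` below `.96`.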
While Google kept the details secret, knowing who reported the bug tells us a little more about the possible abusers. The bug was discovered by Clément Lecigne of Google's Threat Analysis Group (TAG), a cybersecurity arm that generally investigates nation-state threat actors.
If TAG was investigating this bug, and we know that it is being abused in the wild, then it is safe to assume that it was used by nation-states in highly targeted attacks. Previous V8 flaws have been abused in campaigns against high-profile targets in the past, including journalists, dissidents, IT administrators and similar people.
Via Infosecurity Magazine