Type Confusion in V8 Engine of Google Chrome
CVE-2025-6554
What is CVE-2025-6554?
CVE-2025-6554 is a severe vulnerability found in the V8 JavaScript engine utilized by Google Chrome, affecting versions prior to 138.0.7204.96. This vulnerability stems from a type confusion issue, allowing attackers to manipulate the way the V8 engine handles different data types. As a result, a malicious actor can execute arbitrary read and write operations on memory through the browser by crafting a malicious HTML page. This situation poses a significant threat to organizations, as it can lead to unauthorized access to sensitive data, manipulation of application behavior, and potentially the introduction of malware into corporate environments.
Potential impact of CVE-2025-6554
- Unauthorized Data Access: The vulnerability may allow an attacker to read sensitive information from memory, potentially exposing confidential data such as user credentials, financial records, or proprietary business information.
- Remote Code Execution: The ability to perform arbitrary read/write operations could lead to remote code execution, allowing attackers to control affected systems or execute malicious scripts without user consent, significantly impacting system integrity.
- Increased Malware Risk: Exploitation of this vulnerability can provide a pathway for malware deployment, potentially leading to deeper system compromises and the establishment of backdoors, which can facilitate further attacks on the organization's network.
CISA has reported CVE-2025-6554
CISA provides regional cyber and physical services to support security and resilience across the United States. CISA monitors the most dangerous vulnerabilities and has identified CVE-2025-6554 as being exploited, but it is not known by CISA to be used in ransomware campaigns. This is subject to change at pace.
CISA's recommendation is: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Affected Version(s)
Chrome 138.0.7204.96
Exploit Proof of Concept (PoC)
PoC code is written by security researchers to demonstrate that the vulnerability can be exploited. PoC code is also a key component of weaponization, which could lead to ransomware.
News Articles
CVE-2025-6554 marks the fifth actively exploited Chrome Zero-Day patched by Google in 2025
Google released security patches to address multiple Chrome vulnerabilities, including one flaw that has been exploited in the wild.
6 days ago
Grafana Patches Chromium Bugs, Including Zero-Day Exploited in the Wild
Grafana has rolled out security updates to address four high-severity vulnerabilities in the Chromium library used in the Grafana Image Renderer plugin and Synthetic Monitoring Agent.
2 weeks ago
U.S. CISA adds Google Chromium V8 flaw to its Known Exploited Vulnerabilities catalog
U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds Chromium V8 vulnerability to its Known Exploited Vulnerabilities catalog.
2 weeks ago
Timeline
- 🟡 Public PoC available
- 📈 Vulnerability started trending
- 🦅 CISA Reported
- 👾 Exploit known to exist
- 📰 First article discovered by SecurityWeek
- Vulnerability published
- Vulnerability Reserved