Chrome Zero-Days: Critical Security Vulnerabilities Exploited in the Wild (July 2025)
GlyphIQ
Google Chrome users have faced a one-two punch of critical “zero-day” vulnerabilities in recent weeks. In the past two weeks (late June to early July 2025), Google scrambled to patch at least one major Chrome security flaw that attackers were actively exploiting before a fix was available - the very definition of a zero-day.
In this comprehensive report, we’ll break down each critical Chrome zero-day uncovered or patched in this period, explaining what the vulnerabilities are, who found them, how they were exploited, and why they matter. We’ll also provide an easy-to-follow timeline of discovery and disclosure for each issue, and most importantly, what you should do to stay safe.
What Happened? A Quick Overview of Recent Chrome Zero-Days
In late June 2025, Google’s Chrome browser was hit with a serious security bug that was under active attack by malicious actors. This prompted Google to issue an emergency update to Chrome’s stable version on all platforms. This vulnerability, now tracked as CVE-2025-6554, turned out to be the fourth Chrome zero-day exploit revealed in 2025.
For context, earlier in the year Chrome had already seen three other zero-day flaws (in March, May, and June), including one used in high-profile espionage campaigns. The flurry of patches underscores how determined attackers are at finding cracks in the world’s most popular web browser - and how fast Google is moving to plug them.
Understanding Zero-Day Vulnerabilities
Before we dive into the details of each flaw, let’s clarify what “zero-day” means: it refers to vulnerabilities that attackers discovered before a patch was available, giving victims zero days to fix it. These are the kinds of bugs hackers love - they can silently compromise systems until the vendor rushes out a fix.
Chrome’s recent zero-days have been particularly severe, allowing attackers to potentially execute arbitrary code on your device just by getting you to visit a malicious website. In other words, simply browsing could infect you if your browser isn’t up to date.
CVE-2025-6554 - Type Confusion in V8 (Late June 2025)
Technical Details
CVE-2025-6554 is a high-severity type confusion vulnerability in Chrome’s V8 JavaScript engine, and it was being actively exploited in the wild in late June 2025. This flaw is essentially an error in Chrome’s memory handling.
In technical terms, Chrome prior to version 138.0.7204.96 was susceptible to a type confusion bug in V8, which “allowed a remote attacker to perform arbitrary read/write operations via a crafted HTML page.” In plain language, an attacker could craft a malicious website such that when you visited it, the bug would misidentify data types in the JavaScript engine.
This confusion would let the attacker manipulate memory in unexpected ways, possibly causing Chrome to execute the attacker’s code or crash. It’s the kind of vulnerability that can lead directly to spyware installation or other malware delivery with no warning to the user.
Discovery and Timeline
| Date | Event |
|---|---|
| June 25, 2025 | Vulnerability reported by Clément Lecigne (Google TAG) |
| June 26, 2025 | Server-side mitigation deployed (within 24 hours) |
| June 30, 2025 | Emergency client update released (v138.0.7204.96) |
This zero-day was discovered by Clément Lecigne of Google’s Threat Analysis Group (TAG), a team that specializes in hunting sophisticated, state-sponsored threats. Google’s response was remarkably swift - within 24 hours, they deployed a server-side configuration change to mitigate the issue for Chrome users on the Stable channel.
Who Found It and Why It Matters
Clément Lecigne is a well-known researcher on Google’s TAG team. TAG often detects exploits being used by government-backed hackers or commercial spyware vendors. The fact that TAG itself discovered CVE-2025-6554 signals it may have been weaponized in highly targeted attacks - possibly involving nation-state actors or surveillance operations.
Google publicly acknowledged awareness that “an exploit for CVE-2025-6554 exists in the wild,” meaning hackers were already using it to attack unsuspecting users. Google hasn’t published details on who exactly was exploiting this flaw, but TAG’s involvement hints at a sophisticated adversary.
Affected Versions
- Windows/Linux: Chrome versions before 138.0.7204.96
- macOS: Chrome versions before 138.0.7204.92
- Android: Chrome versions before 138.0.7204.63
- Severity: High (CVSS 8.1)
CVE-2025-5419 - Out-of-Bounds Read/Write in V8 (June 2025)
Technical Details
Just a few weeks before the CVE-2025-6554 saga, Chrome faced another serious zero-day known as CVE-2025-5419. This was an “out-of-bounds read and write” memory vulnerability in Chrome’s V8 engine - again in the core component that executes JavaScript and WebAssembly.
In simpler terms, CVE-2025-5419 was a memory corruption bug: Chrome could be tricked into reading or writing data outside the bounds of what it should, potentially leading to heap corruption and giving attackers a path to run arbitrary code.
Discovery and Timeline
| Date | Event |
|---|---|
| May 27, 2025 | Vulnerability reported by Clément Lecigne & Benoît Sevens (Google TAG) |
| May 28, 2025 | Server-side mitigation deployed |
| June 2, 2025 | Emergency update released (v137.0.7151.68) |
| June 3, 2025 | Public announcement of active exploitation |
Discovery Credit and Exploitation
The discovery credit goes to Google’s TAG team researchers Clément Lecigne and Benoît Sevens. This is notable because TAG typically hunts for signs of active exploitation by sophisticated threat actors.
Google confirmed “Google is aware that an exploit for CVE-2025-5419 exists in the wild.” By mid-2025, CVE-2025-5419 was added to the U.S. CISA’s Known Exploited Vulnerabilities catalog with a directive for organizations to patch it by late June - strong evidence that authorities viewed it as a clear and present danger.
Affected Versions
- All Platforms: Chrome versions before 137.0.7151.68
- Microsoft Edge: Fixed in v137.0.3296.62
- Severity: High (CVSS 8.8)
A Broader Trend: Chrome Zero-Days and Why They Keep Appearing
The two vulnerabilities above came back-to-back, putting Chrome users at heightened risk. They weren’t isolated incidents - they form part of a broader trend of recurring Chrome zero-day exploits in recent years.
2025 Chrome Zero-Day Statistics
- Total Zero-Days in 2025: 4 (as of July)
- 2024 Comparison: 10 zero-day vulnerabilities patched
- Trend: 2025 on track to match or exceed 2024 numbers
Why This Keeps Happening
Several factors contribute to the ongoing Chrome zero-day problem:
- Target Attractiveness: Chrome’s popularity makes it a high-value target
- Complexity: Modern browsers are incredibly complex, creating attack surfaces
- Motivated Adversaries: Nation-states and criminal groups invest heavily in browser exploits
- Memory Safety: C++ codebase still vulnerable to memory corruption issues
Common Attack Patterns
Most recent Chrome zero-days share certain characteristics:
- V8 Engine Targets: JavaScript engine remains a primary attack vector
- Memory Corruption: Type confusion and out-of-bounds access are common
- TAG Discovery: Google’s own security team finding many exploits suggests sophisticated attackers
- Rapid Exploitation: Attackers quickly weaponize newly discovered vulnerabilities
How to Stay Safe - Security Recommendations
Immediate Actions
1. Check and Update Your Chrome Version
- Open Chrome menu (three-dot icon)
- Go to Help > About Google Chrome
- Verify you have version 138.0.7204.96 or higher
- Restart Chrome to apply updates
2. Update Chromium-Based Browsers
If you use other browsers, update them as well:
- Microsoft Edge
- Brave
- Opera
- Vivaldi
These browsers share the Chromium engine and were likely vulnerable to the same issues.
Long-Term Security Practices
Enable Automatic Updates
- Ensure Chrome auto-update is enabled (default setting)
- Restart Chrome regularly to apply pending updates
- Monitor update status in enterprise environments
Safe Browsing Habits
- Use Chrome’s Safe Browsing feature (enabled by default)
- Be cautious with suspicious links, especially in emails
- Avoid clicking unknown or untrusted websites
- Keep security software updated
Additional Security Layers
- Antivirus Software: Maintain reputable anti-malware protection
- Browser Extensions: Consider security-focused extensions
- Network Security: Use firewalls and network monitoring where possible
For IT Administrators
Patch Management
- Implement automated Chrome updates across all systems
- Monitor browser versions organization-wide
- Test updates in staging environments for critical systems
- Maintain update compliance reporting
Security Monitoring
- Monitor for signs of browser exploitation
- Implement endpoint detection and response (EDR) solutions
- Keep security teams informed about zero-day threats
- Regularly audit browser security configurations
Security Recommendations Summary
Quick Security Checklist:
- ✅ Update Chrome to version 138.0.7204.96 or higher
- ✅ Enable automatic updates
- ✅ Update other Chromium-based browsers
- ✅ Implement safe browsing practices
- ✅ Monitor security news for future threats
Technical Impact Analysis
Attack Vectors
Both vulnerabilities could be exploited through:
- Malicious Websites: Simply visiting a crafted webpage
- Compromised Legitimate Sites: Exploits hidden in advertisements or injected content
- Targeted Attacks: Spear-phishing campaigns with exploit links
Potential Consequences
Successful exploitation could lead to:
- Arbitrary Code Execution: Running malware on the victim’s system
- Data Theft: Accessing browser-stored credentials and sensitive information
- System Compromise: Potential sandbox escapes leading to full system access
- Surveillance: Installation of spyware or monitoring tools
Industry Response and Future Outlook
Vendor Responses
- Google: Rapid emergency patching and server-side mitigations
- Microsoft: Quick Edge updates to address Chromium vulnerabilities
- Security Community: Widespread alerts and update recommendations
Future Trends
The ongoing Chrome zero-day situation suggests several trends:
- Increased Investment in Browser Security: Expect more security features and mitigations
- Memory Safety Initiatives: Google’s push toward memory-safe languages
- Enhanced Detection: Improved threat hunting and exploitation detection
- Faster Response Times: Continued improvement in patch deployment speed
Conclusion
The recent Chrome zero-days (CVE-2025-6554 and CVE-2025-5419) demonstrate that browser security remains a critical concern in 2025. While Google’s security team responded quickly to both threats, the fact that they were actively exploited in the wild highlights the ongoing cat-and-mouse game between security researchers and malicious actors.
The key takeaway for users is clear: keep your browser updated. Chrome’s automatic update mechanism provides excellent protection, but only if users restart their browsers regularly to apply patches. For organizations, implementing robust patch management and security monitoring is essential.
As browsers continue to evolve and become more complex, we can expect the zero-day threat to persist. However, with proper security practices and vigilant updating, users can significantly reduce their risk of becoming victims of these sophisticated attacks.
Stay informed about the latest security threats and always keep your software updated. Your digital security depends on it.