- Google’s tag team finds a high severity bug in Chrome V8
- The bug allows threat actors to execute arbitrary code on the termination points
- It is actively used, so users should patcher now
Google has set high severity chrome vulnerability that would have been exploited in the wild, perhaps by actors of the national threat.
In a new security bulletin, Google said it had tackled a type confusion problem in Chrome V8, followed as CVE-2025-6554, which allowed threat stakeholders to carry out arbitrary reading / writing operations, potentially give way to a sensitive data theft, token exfiltration or even a malicious deployment and deployment.
The V8 engine is the JavaScript and Weba Source Open Source of Google used by Google used in Chrome and other browsers based on chrome to perform the web code effectively. The bug caused the incorrect data interpretation, leading to involuntary behavior. In theory, a threat actor could serve a HTML page specially designed to a target, which could trigger the RCE.
Nation states and other adversaries
The bug received a gravity score of 8.1/10 – a high and was discussed in versions 138.0.7204.96/.97 for Windows, 138.0.7204.92/.93 for MacOS and 138.0.7204.96 for Linux, June 26.
In the opinion, Google confirmed that the bug was actively mistreated, but decided not to share any details before the majority of navigators were corrected. Usually Chrome automatically installs the fixes, but just in case you may want to go to Chrome: // Settings / Help and allow Chrome to search for updates.
While Google has kept the details under the Wraps, who whistled tells us a little more about potential attackers. The bug was discovered by Clément Lecigne of the Google threat analysis group (TAG), a branch of cybersecurity which generally investigates actors in the nation state threats.
If Tag examined this bug and we know that it is abused in nature, it is prudent to assume that it has been used by nation states in very targeted attacks. Previous V8 defects have been mistreated in campaigns against high -level targets in the past, including journalists, dissidents, computer administrators and similar people.
Via Infosecurity magazine
