Google fixes type confusion flaw in Chrome browser
Google has pushed an emergency update to the widely used Chrome browser after identifying an actively exploited zero-day vulnerability in the product, the fourth discovered so far in 2025.
Tracked as CVE-2025-6554, it’s described as a type confusion flaw in the Google-developed V8 JavaScript engine that compiles and executes JavaScript code in Chromium-based browsers.
It was identified by the Google Threat Analysis Group’s (TAG’s) Clément Lecigne on 25 June, and fixed the next day by a configuration change that has by now been pushed out to the stable channel on all platforms.
Left unchecked, the US National Vulnerability Database (NVD) – which is operated by the National Institute of Standards and Technology (NIST) – said the high-severity vulnerability could have allowed remote attackers to perform arbitrary read or write operations via a specially crafted HTML page.
In layman’s terms, this means vulnerable Chrome users lured into visiting an attacker-controlled website may be exposed to attacks in which threat actors install malware, including spyware, on their devices, or take other malicious actions such as bypassing security restrictions to conduct deeper lateral movement in their environment or accessing and stealing confidential data.
“Google is aware that an exploit for CVE-2025-6554 exists in the wild,” Google said in its update notice.
However, given the update may take a while to filter down to all Chrome users, Google provided no further technical details of the issue beyond the fact an exploit appears to be being used in cyber attacks. Note that the Google TAG frequently monitors and reports on state-backed cyber activity, but this is not necessarily an indicator of attribution to any such threat nexus.
Chrome users can check whether or not their browser is up to date by navigating to the Help menu via the three-dot icon in the top right corner of their browser window, and then clicking through to About Google Chrome. Usually, doing so should automatically trigger the update if it has not yet been applied.
What are type confusion bugs?
A type confusion vulnerability arises when a program makes an incorrect assumption about the type of an object or resource and tries to access or use it as if it were the assumed type. This throws up errors and unwanted behaviours such as crashes, data corruption and incorrect memory access, or in this instance, enabling arbitrary code execution.
Attackers can take advantage of these conditions by writing special JavaScript code to trigger incorrect type assumptions within V8.
These bugs tend to pop up in C and C++ coding languages – Chrome and V8 are both written in C++ – that make do without memory safety mechanisms, but according to SOCRadar, have been seen in PHP and Perl code as well.
Besides web browsers such as Chrome, Firefox or Safari, they can also occur in PDF readers, other JavaScript engines besides V8, or operating system components.
Developers can avoid introducing type confusion flaws into their software by conducting appropriate type checking at compile and runtime, using memory-safe languages if possible, implementing runtime type verification checks, conducting code reviews that focus on type casting, and using static analysis tools to detect potential issues down the line.
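To make the runtime type verification advice concrete, here is an added C++ example (not taken from Chrome, V8 or the original article) that sets an unchecked downcast beside a tag-checked one. The `Object`, `Number` and `Text` classes and both function names are hypothetical, invented for illustration.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <string>
#include <utility>

// Hypothetical object model for illustration; not V8's real classes.
enum class Kind : std::uint8_t { Number, Text };

struct Object {
    Kind kind;
    explicit Object(Kind k) : kind(k) {}
};

struct Number : Object {
    double value;
    explicit Number(double v) : Object(Kind::Number), value(v) {}
};

struct Text : Object {
    std::string chars;
    explicit Text(std::string s) : Object(Kind::Text), chars(std::move(s)) {}
};

// UNSAFE pattern: assumes every caller passes a Text. If a Number arrives,
// the cast still compiles and the read touches memory laid out for a
// different type (undefined behaviour). Shown for review only; never called.
std::size_t text_length_unchecked(const Object* o) {
    return static_cast<const Text*>(o)->chars.size();
}

// Hardened pattern: verify the runtime tag before downcasting, and report
// failure explicitly so the caller has to handle the mismatch.
bool text_length_checked(const Object* o, std::size_t* out) {
    if (o == nullptr || out == nullptr || o->kind != Kind::Text) return false;
    *out = static_cast<const Text*>(o)->chars.size();
    return true;
}

int main() {
    Text t("hello");   // constructed sample inputs
    Number n(42.0);
    const Object* inputs[] = {&t, &n};
    for (const Object* o : inputs) {
        std::size_t len = 0;
        if (text_length_checked(o, &len)) std::printf("text of length %zu\n", len);
        else std::printf("rejected: object is not Text\n");
    }
    return 0;
}
```

In a code review focused on type casting, every `static_cast` or `reinterpret_cast` downcast that is not preceded by a check like the one in `text_length_checked` is a candidate finding.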