⚠ Actively exploited
Added to CISA KEV on 2025-07-02. Federal agencies required to patch by 2025-07-23. Required action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable..

CVE-2025-6554Type Confusion in Google Chrome

CWE-843Type Confusion20 documents15 sources
Severity
8.1HIGHNVD
EPSS
0.9%
top 23.76%
CISA KEV
KEV
Added 2025-07-02
Due 2025-07-23
Exploit
No known exploits
Affected products
3
Google ChromeChromiumPaloalto Prisma Browser
Timeline
PublishedJun 30
KEV addedJul 2
KEV dueJul 23
Latest updateDec 3
CISA Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Description

Type confusion in V8 in Google Chrome prior to 138.0.7204.96 allowed a remote attacker to perform arbitrary read/write via a crafted HTML page. (Chromium security severity: High)

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:NExploitability: 2.8 | Impact: 5.2

Affected Packages4 packages

CVEListV5google/chrome138.0.7204.96138.0.7204.96
NVDgoogle/chrome< 138.0.7204.96+1
Debianchromium/chromium< 138.0.7204.92-1~deb12u1+2

🔴Vulnerability Details

4
GHSA
GHSA-mj9c-f5v6-7665: Type confusion in V8 in Google Chrome prior to 1382025-07-01
CVEList
CVE-2025-6554: Type confusion in V8 in Google Chrome prior to 1382025-06-30
OSV
CVE-2025-6554: Type confusion in V8 in Google Chrome prior to 1382025-06-30
VulnCheck
Google Chromium V8 Type Confusion Vulnerability2025

📋Vendor Advisories

7
CISA ICS
Siemens HyperLynx and Industrial Edge App Publisher2025-10-16
Chrome
Long Term Support Channel Update for ChromeOS: CVE-2025-65542025-07-14
Palo Alto
PAN-SA-2025-0013 Chromium: Monthly Vulnerability Update (July 2025)2025-07-09
Microsoft
Chromium: CVE-2025-6554 Type Confusion in V82025-07-08
CISA
Google Chromium V8 Type Confusion Vulnerability2025-07-02

🕵️Threat Intelligence

8
Mandiant
Intellexa’s Prolific Zero-Day Exploits Continue2025-12-03
Mandiant
Sanctioned but Still Spying: Intellexa’s Prolific Zero-Day Exploits Continue2025-12-03
Qualys
Patch Automation for Browsers with TruRisk™ Eliminate2025-09-24
Qualys
Automated Browser Patching with Qualys TruRisk™ Eliminate | Qualys2025-09-24
Bleepingcomputer
Google fixes actively exploited sandbox escape zero day in Chrome2025-07-16
CVE-2025-6554 — Type Confusion in Google Chrome | cvebase