
Google Releases Update to Fix New Bug in Chrome

Written by Adriana Aguilar | Jul 1, 2025 11:07:09 PM

Google has just released an emergency update to fix a new security bug in Chrome that was already being exploited by hackers in real attacks. This is the fourth such flaw that the company has had to fix so far this year.

According to Google, it already knew that this flaw (tracked as CVE-2025-6554) was being exploited by attackers, which is why it acted quickly. The problem was fixed on June 26 with an adjustment that was sent directly to all users of the stable version of Chrome.

The update is now available to everyone who uses Chrome on a computer. These are the corrected versions:

 

  1. Windows: 138.0.7204.96 and 138.0.7204.97

  2. Mac: 138.0.7204.92 and 138.0.7204.93

  3. Linux: 138.0.7204.96

 

If you use Chrome, make sure you have the latest version installed to stay protected. It only takes a few seconds and can save you a lot of trouble.

 

 

Vulnerability CVE-2025-6554: Why Is It So Dangerous?

 

The flaw was discovered by Clément Lecigne, a security expert who is part of Google’s Threat Analysis Group (TAG). This team is dedicated to protecting users from serious attacks, such as those carried out by governments or well-funded groups.

In fact, the Google TAG team often uncovers these kinds of dangerous flaws, which are used by state-sponsored hackers to spy on people like journalists, activists, opposition politicians, and other individuals who may be at risk.

Although security updates can sometimes take a while to reach everyone, Google already had them ready today. If you don’t want to manually check for a new version, don’t worry—Chrome usually checks for updates on its own and installs them automatically the next time you open or restart it.

The security flaw that Google fixed today is quite serious. It is an error in V8, Chrome’s JavaScript engine, the component that runs the JavaScript code most websites depend on. This type of error is called “type confusion”: the engine treats a piece of data as a different type than it really is. The important thing to know is that it can allow hackers to take control of your device if your Chrome browser isn’t up to date.

In some cases, this type of flaw only causes the browser to crash unexpectedly, but in the worst-case scenario, attackers can use it to run malicious code on your computer—as if they were the ones using it.

Google has confirmed that this vulnerability was actively exploited in real-world attacks, but for now, they haven’t shared more technical details. This is standard practice: they prefer to wait until most users have updated their browsers before revealing exactly how the flaw worked, to prevent others from trying to exploit it.

“Sometimes we also limit information if the flaw is in a part of the code used by other programs besides Chrome that haven’t been patched yet,” Google explained.

This is already the fourth time this year that a serious vulnerability of this kind has been discovered and fixed in Chrome. The other three were patched in March, May, and June, highlighting how active threats have become recently.

 

  1. In March, a severe flaw (CVE-2025-2783) was used for digital espionage against media outlets and government entities in Russia. It was discovered by researchers at Kaspersky.

  2. In May, Google released another urgent update to fix a flaw (CVE-2025-4664) that could have been used to steal user accounts.

  3. In June, another serious issue with the V8 engine was detected by the same Google TAG team that uncovered the current flaw.

 

And if all this sounds concerning, it’s worth remembering that in 2024 alone, Google had to fix 10 similar flaws, several of them discovered thanks to ethical hacking competitions like Pwn2Own.

 


 

How to Know If Your Chrome Is Up to Date (and What to Do If It’s Not)

 

Not sure if you’re already protected? Don’t worry—checking is very easy:

 

  1. Open Google Chrome.

  2. Click the three dots in the top right corner.

  3. Go to “Help” > “About Google Chrome.”

 

There you’ll see which version you have. The secure versions are:

 

  1. Windows: 138.0.7204.96 or .97

  2. Mac: 138.0.7204.92 or .93

  3. Linux: 138.0.7204.96

 

If you’re not on one of those, click “Update” (if it appears) and restart the browser. That’s it!

And heads up: if you use other Chrome-based browsers like Microsoft Edge, Brave, Vivaldi, or Opera, you should update them as soon as possible too. Many of them share the same engine (V8), so they could be affected by the same flaw.
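If you look after more than one machine, the same check can be scripted. The following is an added example, not code from Google or from this article: the patched build numbers come from the lists above, while the hostnames and inventory rows are constructed, and it assumes version strings in the form shown on the “About Google Chrome” page.

```python
import re

# Minimum patched Chrome builds per platform, taken from the article.
PATCHED = {
    "windows": (138, 0, 7204, 96),
    "mac": (138, 0, 7204, 92),
    "linux": (138, 0, 7204, 96),
}

VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\.(\d+)\b")

def parse_version(text):
    """Extract a four-part version as a tuple of ints, or None if absent."""
    m = VERSION_RE.search(text)
    return tuple(int(p) for p in m.groups()) if m else None

def assess(platform, browser, version_text):
    """Return 'patched', 'outdated' or 'unknown' for one inventory row."""
    floor = PATCHED.get(platform.lower())
    version = parse_version(version_text)
    # Only Chrome itself can be compared against these build numbers: Edge,
    # Brave, Vivaldi and Opera use their own version schemes, so they are
    # reported as 'unknown' and need their vendor's advisory instead.
    if browser.lower() != "chrome" or floor is None or version is None:
        return "unknown"
    # Tuple comparison is numeric per component, so .100 ranks above .96
    # (a plain string comparison would get this wrong).
    return "patched" if version >= floor else "outdated"

# Constructed sample inventory (hostnames and version strings are made up).
INVENTORY = [
    ("ws-01", "windows", "chrome", "Google Chrome 138.0.7204.97"),
    ("ws-02", "windows", "chrome", "Google Chrome 138.0.7204.49"),
    ("mb-01", "mac", "chrome", "138.0.7204.92"),
    ("lx-01", "linux", "chrome", "Google Chrome 138.0.7204.100"),
    ("lx-02", "linux", "chrome", "Google Chrome 137.0.7151.119"),
    ("ws-03", "windows", "edge", "138.0.1111.11"),
    ("ws-04", "windows", "chrome", "not installed"),
]

def report(inventory=INVENTORY):
    """Map each host to its status."""
    return {host: assess(plat, br, ver) for host, plat, br, ver in inventory}

if __name__ == "__main__":
    for host, status in report().items():
        print(f"{host}: {status}")
```

Hosts reported as `unknown` are not confirmed safe; they need a manual check or the other browser vendor's own fixed version.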