Google Rushes Fix for Live Chrome Zero-Day as Microsoft Patches 130 Flaws

Google has issued an emergency update for Chrome after confirming that a high-severity zero-day vulnerability, tracked as CVE-2025-6554, is being actively exploited. The type-confusion flaw in the browser’s V8 JavaScript and WebAssembly engine allows remote attackers to gain arbitrary read and write access simply by luring users to a malicious web page. Chrome has been upgraded to versions 138.0.7204.96/.97 for Windows, 138.0.7204.92/.93 for macOS and 138.0.7204.96 for Linux, with the company urging users of Chrome and other Chromium-based browsers to restart their applications immediately. The bug, discovered on 25 June by Google Threat Analysis Group researcher Clément Lecigne, is the fourth Chrome zero-day patched so far this year. A week later, Microsoft released its July 2025 Patch Tuesday bundle, addressing 130 security flaws across Windows, Office, Edge, Azure and other products. The company said none of the vulnerabilities is known to have been exploited, but security researchers singled out CVE-2025-47981—a ‘wormable’ remote-code-execution bug in the SPNEGO authentication protocol with a CVSS score of 9.8—and CVE-2025-49719, a publicly disclosed SQL Server information-disclosure issue rated 7.5. Ten of the patched vulnerabilities are classified as critical. While Microsoft’s update marks its first Patch Tuesday this year without a confirmed in-the-wild exploit, experts warn that the SPNEGO flaw could attract attacks within 30 days. Organisations are being advised to fast-track both the Chrome and Microsoft patches, review exposure of Chromium-based browsers and server components, and monitor networks for signs of exploitation.