Type confusion in V8 in Google Chrome prior to 138.0.7204.96 allowed a remote attacker to perform arbitrary read/write via a crafted HTML page. (Chromium security severity: High)
Metrics
NVD enrichment efforts reference publicly available information to associate
vector strings. CVSS information contributed by other sources is also
displayed.
CVSS 4.0 Severity and Vector Strings:
NIST: NVD
NVD assessment
not yet provided.
CVSS 3.x Severity and Vector Strings:
NIST: NVD
Base
Score: N/A
NVD assessment
not yet provided.
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
CVSS 2.0 Severity and Vector Strings:
NIST: NVD
Base
Score: N/A
NVD assessment
not yet provided.
This CVE is in CISA's Known Exploited Vulnerabilities Catalog
Reference
CISA's BOD 22-01 and Known
Exploited Vulnerabilities Catalog for further guidance and requirements.
| Vulnerability Name |
Date Added |
Due Date |
Required Action |
| Google Chromium V8 Type Confusion Vulnerability |
07/02/2025 |
07/23/2025 |
Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable. |
Weakness Enumeration
| CWE-ID |
CWE Name |
Source |
|
CWE-843
|
Access of Resource Using Incompatible Type ('Type Confusion') |
Chrome
|
Change History
12 change records found show changes
CVE Modified by CISA-ADP
6/17/2026 6:02:08 AM
| Action |
Type |
Old Value |
New Value |
| Added |
SSVC |
|
{"timestamp":"2025-07-17T03:55:36.423228Z","id":"CVE-2025-6554","options":[{"exploitation":"active"},{"automatable":"no"},{"technicalImpact":"total"}],"role":"CISA Coordinator","version":"2.0.3"}
|
CVE Modified by Chrome
6/17/2026 6:02:08 AM
| Action |
Type |
Old Value |
New Value |
| Added |
Affected |
|
[{"vendor":"Google","product":"Chrome","versions":[{"version":"138.0.7204.96","lessThan":"138.0.7204.96","versionType":"custom","status":"affected"}]}]
|
Modified Analysis by NIST
10/24/2025 10:11:20 AM
| Action |
Type |
Old Value |
New Value |
| Added |
Reference Type |
|
CISA-ADP: https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-6554 Types: US Government Resource
|
CVE Modified by CISA-ADP
10/21/2025 7:17:09 PM
| Action |
Type |
Old Value |
New Value |
| Added |
Reference |
|
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-6554
|
CVE Modified by CISA-ADP
10/21/2025 4:20:56 PM
| Action |
Type |
Old Value |
New Value |
| Removed |
Reference |
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-6554
|
|
CVE Modified by CISA-ADP
10/21/2025 3:21:25 PM
| Action |
Type |
Old Value |
New Value |
| Added |
Reference |
|
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-6554
|
Reanalysis by NIST
7/16/2025 10:13:52 AM
| Action |
Type |
Old Value |
New Value |
| Changed |
CPE Configuration |
AND
OR
*cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:* versions up to (excluding) 138.0.7204.92
OR
cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*
|
AND
OR
*cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:* versions up to (excluding) 138.0.7204.92
OR
cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*
cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*
|
| Removed |
CPE Configuration |
AND
OR
*cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:* versions up to (excluding) 138.0.7204.96
OR
cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*
|
|
Reanalysis by NIST
7/15/2025 2:14:10 PM
| Action |
Type |
Old Value |
New Value |
| Added |
CPE Configuration |
|
AND
OR
*cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:* versions up to (excluding) 138.0.7204.92
OR
cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*
|
| Added |
CPE Configuration |
|
AND
OR
*cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:* versions up to (excluding) 138.0.7204.96
OR
cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*
|
| Added |
CPE Configuration |
|
AND
OR
*cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:* versions up to (excluding) 138.0.7204.96
OR
cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*
|
| Removed |
CPE Configuration |
OR
*cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:* versions up to (excluding) 138.0.7204.96
|
|
Initial Analysis by NIST
7/03/2025 10:36:33 AM
| Action |
Type |
Old Value |
New Value |
| Added |
CPE Configuration |
|
OR
*cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:* versions up to (excluding) 138.0.7204.96
|
| Added |
Reference Type |
|
Chrome: https://chromereleases.googleblog.com/2025/06/stable-channel-update-for-desktop_30.html Types: Vendor Advisory
|
| Added |
Reference Type |
|
Chrome: https://issues.chromium.org/issues/427663123 Types: Permissions Required
|
CVE CISA KEV Update by Cybersecurity and Infrastructure Security Agency (CISA) U.S. Civilian Government
7/02/2025 9:00:02 PM
| Action |
Type |
Old Value |
New Value |
| Added |
Date Added |
|
2025-07-02
|
| Added |
Due Date |
|
2025-07-23
|
| Added |
Required Action |
|
Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
|
| Added |
Vulnerability Name |
|
Google Chromium V8 Type Confusion Vulnerability
|
CVE Modified by CISA-ADP
7/01/2025 10:15:41 AM
| Action |
Type |
Old Value |
New Value |
| Added |
CVSS V3.1 |
|
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
|
New CVE Received from Chrome
6/30/2025 6:15:29 PM
| Action |
Type |
Old Value |
New Value |
| Added |
Description |
|
Type confusion in V8 in Google Chrome prior to 138.0.7204.96 allowed a remote attacker to perform arbitrary read/write via a crafted HTML page. (Chromium security severity: High)
|
| Added |
CWE |
|
CWE-843
|
| Added |
Reference |
|
https://chromereleases.googleblog.com/2025/06/stable-channel-update-for-desktop_30.html
|
| Added |
Reference |
|
https://issues.chromium.org/issues/427663123
|