What is Chrome's V8 JavaScript Engine?
V8 is Chrome's JavaScript and WebAssembly engine. Type confusion vulnerabilities in V8 occur when the engine incorrectly treats a value of one type as if it were another — enabling heap read/write primitives that attackers use for arbitrary code execution in the browser. See CVE-2025-13223 for the broader V8 type confusion context.
Overview
CVE-2025-6554 is a type confusion vulnerability (CWE-843) in Chrome's V8 engine that enables arbitrary heap read and write operations via a crafted HTML page. It was exploited as a zero-day before the June 30, 2025 patch — the fourth Chrome zero-day of 2025. CISA added it to the KEV catalog two days after the patch. The availability impact is None (A:N) in this CVE's CVSS, reflecting that the type confusion creates a read/write primitive but not necessarily a crash/denial-of-service path.
Affected Versions
| Product | Vulnerable | Fixed |
|---|---|---|
| Google Chrome | Before June 30, 2025 stable channel update | June 30, 2025 stable channel update |
| Microsoft Edge | Corresponding pre-fix version | June/July 2025 Edge update |
| Other Chromium browsers | Varies | Update per vendor |
Technical Details
The type confusion (CWE-843) in V8 causes the engine to misidentify a JavaScript object's type, creating a mismatch between its actual memory layout and how the engine accesses it. By crafting JavaScript that exploits this type confusion, an attacker can:
- Read arbitrary heap memory by treating a memory region as a different object type than it actually is
- Write attacker-controlled values to arbitrary heap locations
These primitives are the building blocks for a complete V8 exploit chain leading to code execution in the Chrome renderer process. A sandbox escape exploit is additionally needed to reach the OS level.
The zero availability impact (A:N) is unusual — most V8 type confusions can also cause crashes. This suggests the specific bug creates stable read/write primitives without triggering visible exceptions, making it "clean" from an operational exploit reliability perspective.
Discovery
Zero-day exploitation was confirmed before the patch was released. The reporter has not been disclosed.
Exploitation Context
The fourth Chrome/V8 zero-day of 2025 (preceding CVE-2025-6558 in July and CVE-2025-13223 in November). The 2025 Chrome zero-day rate reflects sustained, well-resourced threat actor investment in browser exploitation. V8 type confusion zero-days are used by both nation-state actors (for targeted surveillance) and opportunistic actors (for credential theft and drive-by malware delivery).
Remediation
- Apply the June 30, 2025 Chrome stable channel update or any later version. The CISA deadline was July 23, 2025.
- Update all Chromium-based browsers — V8 is shared across all Chromium derivatives.
- Enable automatic browser updates — the 2-day gap between patch and CISA KEV listing reflects rapid exploitation; prompt updating is essential.
Key Details
| Property | Value |
|---|---|
| CVE ID | CVE-2025-6554 |
| Vendor / Product | Google — Chromium V8 |
| NVD Published | 2025-06-30 |
| NVD Last Modified | 2025-10-24 |
| CVSS 3.1 Score | 8.1 |
| CVSS 3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N |
| Severity | HIGH |
| CWE | CWE-843 |
| CISA KEV Added | 2025-07-02 |
| CISA KEV Deadline | 2025-07-23 |
| Known Ransomware Use | No |
Timeline
| Date | Event |
|---|---|
| 2025-06-30 | Chrome released with fix; zero-day exploitation confirmed |
| 2025-07-02 | CVE published; CISA adds to KEV |
| 2025-07-23 | CISA BOD 22-01 remediation deadline |
References
| Resource | Type |
|---|---|
| Chrome Stable Channel Update — June 30, 2025 | Vendor Advisory |
| NVD — CVE-2025-6554 | Vulnerability Database |
| CISA KEV Catalog Entry | US Government |