Emergency Chrome Security Update: CMU Community Urged to Patch Immediately
A critical security vulnerability has been discovered in Google Chrome, prompting an emergency patch from Google. The flaw, identified as CVE-2025-6554, affects the browser’s V8 JavaScript engine and is being actively exploited in the wild.
What’s the Issue?
The vulnerability is a type confusion bug in Chrome’s V8 engine, which powers JavaScript and WebAssembly. If exploited, it could allow attackers to execute malicious code simply by getting users to visit a compromised website. This could lead to data theft, system compromise, or further malware installation.
Who Is Affected?
Anyone using Google Chrome versions prior to 138.0.7204.96 (Update June 30, 2025) is at risk. This includes users on Windows, macOS, and Linux. Other Chromium-based browsers like Microsoft Edge, Brave, and Opera may also be vulnerable and should be updated as well.
What Should You Do?
The Information Security Office (ISO) strongly advises all students, faculty, and staff to take the following steps immediately:
- Update Chrome:
  - Open Chrome.
  - Go to chrome://settings/help.
  - Chrome will automatically check for updates and install the latest version.
  - Restart the browser to apply the update.
- Check Your Version:
  - Make sure your Chrome version is 138.0.7204.96 or higher.
- Update Other Browsers:
  - If you use Edge, Brave, or Opera, check for updates and apply them as soon as they are released.
- Be Cautious Online:
  - Avoid clicking on suspicious links or visiting unfamiliar websites.
For Managed Machines
If you manage lab machines or shared systems:
- Ensure automatic updates are enabled.
- Verify that all endpoints are running the latest browser version.
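One way to carry out the endpoint check above across a lab inventory. This is an added example, not ISO tooling. It assumes each machine's version banner has already been collected in the "Google Chrome a.b.c.d" form printed by `google-chrome --version` on Linux; the hostnames, sample banners, and function names are constructed for illustration.

```python
import re

# Minimum fixed Chrome version stated in the advisory.
MIN_CHROME = (138, 0, 7204, 96)

# Matches the "Google Chrome <a.b.c.d>" banner (assumed input format).
_BANNER = re.compile(r"^Google Chrome\s+(\d+)\.(\d+)\.(\d+)\.(\d+)\b")


def parse_chrome_version(banner):
    """Return the version as a 4-tuple of ints, or None if not a Chrome banner."""
    m = _BANNER.match(banner.strip())
    return tuple(int(p) for p in m.groups()) if m else None


def classify(banner):
    """Return 'patched', 'vulnerable', or 'unknown' for one reported banner."""
    version = parse_chrome_version(banner)
    if version is None:
        # Other Chromium browsers use their own version numbers and the
        # advisory gives no fixed version for them, so do not guess.
        return "unknown"
    # Tuple comparison is numeric per component, so 7204.100 > 7204.96.
    # A plain string comparison would rank "100" below "96".
    return "patched" if version >= MIN_CHROME else "vulnerable"


def audit(inventory):
    """Map status -> sorted list of hostnames, given {hostname: banner}."""
    report = {"patched": [], "vulnerable": [], "unknown": []}
    for host, banner in inventory.items():
        report[classify(banner)].append(host)
    return {status: sorted(hosts) for status, hosts in report.items()}


# Constructed sample inventory (hostnames and banners are made up).
SAMPLE = {
    "lab-01": "Google Chrome 138.0.7204.96",
    "lab-02": "Google Chrome 138.0.7204.49",
    "lab-03": "Google Chrome 138.0.7204.100",
    "lab-04": "Google Chrome 137.0.7151.119",
    "lab-05": "Microsoft Edge 138.0.3351.55",
    "lab-06": "",
}

if __name__ == "__main__":
    for status, hosts in audit(SAMPLE).items():
        print(f"{status:10} {', '.join(hosts) or '-'}")
```

Machines reported as "unknown" (a different browser, or no banner collected) need a manual check against that browser's own update channel.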
Stay Informed
The ISO will continue to monitor the situation and provide updates as needed. For questions or assistance, contact iso@andrew.cmu.edu or visit the Information Security Office website.