Google has released an out-of-band security update for Chrome after confirming that CVE-2025-2891, a zero-day vulnerability in the V8 JavaScript engine, is being actively exploited in targeted attacks.

Nature of the vulnerability

The flaw is a type confusion vulnerability in V8 that allows attackers to execute arbitrary code inside the Chrome renderer process by luring victims to a malicious webpage.

How to update

Chrome updates automatically, but users should verify they are on version 124.0.6367.82 or later by navigating to chrome://settings/help.
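For administrators checking more than one machine, the version check above can be scripted. The following is an added example, not code from Google or from the original article; the inventory, hostnames and function names are constructed for illustration. It compares versions numerically, because plain string comparison misorders builds such as 124.0.6367.9 and 124.0.6367.118 relative to 124.0.6367.82.

```python
# Added example: flag hosts whose reported Chrome version predates the fixed build.
import re

PATCHED = "124.0.6367.82"  # fixed version stated in the article
_VERSION_RE = re.compile(r"^\d+(\.\d+){3}$")  # Chrome uses four numeric components


def parse_version(text):
    """Return the version as a tuple of ints, or None if it is not MAJOR.MINOR.BUILD.PATCH."""
    text = text.strip()
    if not _VERSION_RE.match(text):
        return None
    return tuple(int(part) for part in text.split("."))


def is_patched(version, minimum=PATCHED):
    """True if version >= minimum, compared numerically component by component."""
    parsed = parse_version(version)
    if parsed is None:
        raise ValueError(f"unparseable Chrome version: {version!r}")
    return parsed >= parse_version(minimum)


def audit(inventory):
    """Split (host, version) pairs into patched, vulnerable and unknown host lists."""
    report = {"patched": [], "vulnerable": [], "unknown": []}
    for host, version in inventory:
        try:
            bucket = "patched" if is_patched(version) else "vulnerable"
        except ValueError:
            bucket = "unknown"  # needs manual follow-up; never counted as safe
        report[bucket].append(host)
    return report


# Constructed sample inventory (hypothetical hostnames and versions).
SAMPLE_INVENTORY = [
    ("ws-001", "124.0.6367.82"),
    ("ws-002", "124.0.6367.9"),    # string comparison would wrongly rank this above .82
    ("ws-003", "124.0.6367.118"),  # string comparison would wrongly rank this below .82
    ("ws-004", "123.0.6312.122"),
    ("ws-005", "125.0.6422.60"),
    ("ws-006", "unknown"),
]

if __name__ == "__main__":
    for status, hosts in audit(SAMPLE_INVENTORY).items():
        print(f"{status}: {', '.join(hosts) or '-'}")
```

Hosts reported as unknown should be checked by hand rather than assumed to be updated.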

Who is targeted?

Current intelligence suggests the exploits are being used in targeted attacks against journalists and government officials, though proof-of-concept code could broaden the impact.