Article Information

Jun 03, 2025 | Ravie Lakshmanan | Browser Security / Vulnerability

Article Body

Google has released emergency patches for its Chrome browser, addressing three security vulnerabilities, one of which is being actively exploited by attackers.

The high-severity vulnerability, identified as CVE-2025-5419, is an out-of-bounds read and write issue in the V8 JavaScript and WebAssembly engine.

According to the description in NIST's National Vulnerability Database (NVD), “Out of bounds read and write in V8 in Google Chrome prior to 137.0.7151.68 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.”

Clement Lecigne and Benoît Sevens of Google Threat Analysis Group (TAG) are credited with discovering and reporting the flaw on May 27, 2025. Google addressed the issue the next day by pushing out a configuration change to the Stable version of the browser across all platforms.

As is standard practice, Google’s advisory does not provide detailed information about the nature of the attacks or the identities of the threat actors involved, to prevent further exploitation and to allow the majority of users to apply the fix.

Google confirmed that an exploit for CVE-2025-5419 exists in the wild, marking the second actively exploited zero-day vulnerability patched by the company this year, following CVE-2025-2783 (CVSS score: 8.3), which was used in attacks targeting organizations in Russia.

To protect against potential threats, users are advised to upgrade to Chrome version 137.0.7151.68/.69 for Windows and macOS, and version 137.0.7151.68 for Linux. Additionally, users of Chromium-based browsers such as Microsoft Edge, Brave, Opera, and Vivaldi should apply the fixes as soon as they become available.
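For teams checking a fleet against the fixed build named above, the following added example (not from the article or from Google) classifies collected `--version` strings. The inventory, host names and the assumed `Google Chrome <version>` output format are constructed for illustration; the comparison is numeric per component, because a plain string comparison would wrongly rank `137.0.7151.9` above `137.0.7151.68`.

```python
import re

# Fixed build per the article: Chrome prior to 137.0.7151.68 is affected.
FIXED = (137, 0, 7151, 68)

# Constructed sample inventory: (host, text returned by the browser's --version).
SAMPLE_INVENTORY = [
    ("ws-001", "Google Chrome 137.0.7151.68"),
    ("ws-002", "Google Chrome 137.0.7151.55"),
    ("ws-003", "Google Chrome 137.0.7151.9 beta"),
    ("ws-004", "Google Chrome 136.0.7103.114"),
    ("ws-005", "Google Chrome 138.0.7204.4 dev"),
    ("ws-006", "Microsoft Edge 137.0.3296.52"),
    ("ws-007", "chrome: command not found"),
]

# Assumed output format: "Google Chrome A.B.C.D [channel]".
VERSION_RE = re.compile(r"^Google Chrome (\d+)\.(\d+)\.(\d+)\.(\d+)\b")


def classify(version_output):
    """Return 'patched', 'vulnerable' or 'unknown' for one --version string."""
    match = VERSION_RE.match(version_output.strip())
    if not match:
        # Other Chromium-based browsers number their builds differently, so
        # they cannot be compared to Chrome's fixed build; treat as unknown
        # and check the vendor's own advisory.
        return "unknown"
    version = tuple(int(part) for part in match.groups())
    # Tuple comparison is numeric per component (9 < 68), unlike str compare.
    return "patched" if version >= FIXED else "vulnerable"


def audit(inventory):
    """Group hosts by status so vulnerable and unknown hosts can be followed up."""
    report = {"patched": [], "vulnerable": [], "unknown": []}
    for host, output in inventory:
        report[classify(output)].append(host)
    return report


if __name__ == "__main__":
    for status, hosts in audit(SAMPLE_INVENTORY).items():
        print(f"{status:10} {', '.join(hosts) or '-'}")
```
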
