Google Chrome Patches Actively Exploited Zero-Day Vulnerability
Summary : Security Advisory
Google has released a critical out-of-band security update for its Chrome browser to address CVE-2025-5419.
Rated as high-severity zero-day vulnerability in the V8 JavaScript engine that is currently being actively exploited in the wild.
| OEM | |
| Severity | HIGH |
| CVSS Score | 8.8 |
| CVEs | CVE-2025-5419 |
| Actively Exploited | Yes |
| Exploited in Wild | Yes |
| Advisory Version | 1.0 |
Overview
This vulnerability allows attackers to execute arbitrary code on users’ systems through specially crafted web content, making it a serious threat requiring immediate attention.
In addition to the zero-day fix, this update also includes a patch for CVE-2025-5068, a medium severity use-after-free vulnerability in Blink, chrome’s rendering engine.
While less critical, such flaws can still result in memory corruption and possible code execution.
| Vulnerability Name | CVE ID | Product Affected | Severity | Fixed Version |
| Out-of-bounds memory access vulnerability | CVE-2025-5419 | Google Chrome | High | 137.0.7151.68/.69 (Win/Mac), 137.0.7151.68 (Linux) |
Technical Summary
This high-severity vulnerability is caused by an out-of-bounds read and write weakness in Chrome’s V8 JavaScript engine, reported one week ago by Clement Lecigne and Benoît Sevens of Google’s Threat Analysis Group.
This flaw affects the V8 JavaScript engine and allows attackers to execute arbitrary code via crafted web content.
| CVE ID | System Affected | Vulnerability Details | Impact |
| CVE-2025-5419 | Chrome (all platforms) | Out-of-bounds read and write in the V8 JavaScript engine; triggered via malicious HTML | Arbitrary code execution, memory compromise, remote attack |
Remediation:
Apply Patches Promptly: Upgrade to Chrome version 137.0.7151.68/.69 or later for Windows and macOS, and 137.0.7151.68 or later for Linux to mitigate the vulnerabilities.
General Recommendation:
- Prioritize Zero-Day Fixes: Treat this patch as high priority due to confirmed in-the-wild exploitation. Immediate action is critical to prevent potential system compromise.
- Update Chromium-Based Browsers: Ensure Chromium-based browsers like Microsoft Edge, Brave, Opera, and Vivaldi are updated as soon as vendor-specific patches are released.
- Automate Browser Updates: Enable automatic updates in Chrome and Chromium environments to maintain timely patching against emerging threats.
- Enterprise Patch Rollout: Administrators should fast-track deployment of the fixed version across all endpoints, particularly in high-risk or externally exposed environments.
- Monitor for Threat Activity: Continuously monitor browser and network activity for signs of exploitation attempts targeting vulnerable versions.
Conclusion:
CVE-2025-5419 poses a significant security risk with confirmed active exploitation in the wild.
Google’s swift action highlights the urgency of this threat. All users are strongly advised to update their Chrome browsers immediately. Delaying this update could expose systems to compromise through malicious web content exploiting this zero-day vulnerability.
While Chrome will automatically update when new security patches are available, users can speed up the process by going to the Chrome menu > Help > About Google Chrome, letting the update finish, and clicking the ‘Relaunch’ button to install it immediately.
References: