Critical Chrome Vulnerability Mitigated: Urgent Update Recommended

Google has implemented an important update for the Chrome browser, addressing an actively exploited security vulnerability.

This update upgrades the Stable channel to versions 137.0.7151.68/.69 for Windows and Mac, and 137.0.7151.68 for Linux.

Automatic updates are the most convenient method for maintaining Chrome’s security; however, users may find themselves lagging if the browser is rarely closed or if an issue arises, such as an extension preventing the update.

For manual installation, navigate to the “more menu” (three stacked dots) > Settings > About Chrome. If an update is available, Chrome will notify you and initiate the download. To finalize the update, simply relaunch the browser to ensure protection against the identified vulnerability.

This update is essential as it resolves a vulnerability that could be exploited by attackers through a specially crafted HTML page.

Technical details

The vulnerability, tracked as CVE-2025-5419, pertains to an out-of-bounds read and write issue in Google Chrome’s V8 engine, which processes JavaScript. Prior to version 137.0.7151.68, this flaw allowed potential remote exploitation leading to heap corruption via malicious HTML pages.

V8 has historically been a significant source of security vulnerabilities.

An out-of-bounds read and write vulnerability allows attackers to manipulate areas of device memory that should remain inaccessible. Such flaws permit a program to read or write beyond its allocated boundaries, thereby granting attackers access to manipulate memory reserved for critical functions. This can result in code being executed with unauthorized permissions.

Google is aware that CVE-2025-5419 is actively exploited in the wild, although specific details regarding the perpetrators, methods of exploitation in real-world scenarios, or targeted entities remain undisclosed. The Google Threat Analysis Group (TAG), which uncovered this exploit, specializes in monitoring spyware and state-sponsored attackers who utilize zero-day vulnerabilities for espionage.

This Chrome update also addresses a medium-severity use-after-free vulnerability (CVE-2025-5068) in the open-source Blink rendering engine, along with another internally identified vulnerability.