Critical Chrome Zero-Day Vulnerability Actively Under Exploitation; Google Releases Emergency Out-of-Band Security Patch


Google has issued emergency updates for its Chrome browser to fix three security vulnerabilities, one of which is being actively exploited in the wild.

The flaw under attack is CVE-2025-5419, an out-of-bounds read and write in V8, the JavaScript and WebAssembly engine that Chrome and every Chromium-based browser use to run untrusted web content.

The National Vulnerability Database (NVD) entry describes it as follows: “out of bounds read and write in V8 in Google Chrome prior to version 137.0.7151.68 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.” In practice that means a victim only needs to load an attacker-controlled page; no download or click-through is required for the bug to be triggered.

Clement Lecigne and Benoît Sevens of the Google Threat Analysis Group (TAG) discovered and reported the flaw on May 27, 2025. Google mitigated it a day later by pushing a configuration change to the Stable channel on all platforms, with the code fix following in the 137.0.7151.68 release.

As is typical for Chrome advisories, Google has not disclosed details of the exploitation technique or the attackers involved. The intent is to let the majority of users install the update before enough information is public for other actors to reproduce the exploit.

Google has publicly acknowledged, “Google is aware that an exploit for CVE-2025-5419 exists in the wild.”

This vulnerability marks the second actively exploited zero-day addressed by Google in 2025, following CVE-2025-2783, which carries a CVSS score of 8.3 and which Kaspersky reported had been weaponized in attacks against organizations in Russia.

To mitigate the threat, users should upgrade to Chrome version 137.0.7151.68/.69 on Windows and macOS, or 137.0.7151.68 on Linux. The installed version can be confirmed at chrome://settings/help, which also triggers the update; the browser must be relaunched for the new version to take effect. Users of Chromium-based browsers, including Microsoft Edge, Brave, Opera, and Vivaldi, should apply their vendors' corresponding fixes as they become available.
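For administrators who need to confirm the upgrade across a fleet rather than one machine, the following is an added example (not code from Google or from the advisory above) that compares collected Chrome version banners against the first fixed build, 137.0.7151.68. The `google-chrome` binary name and the inventory of hosts are assumptions made for the demo; the check compares Chrome/Chromium build numbers only and does not apply to derivatives such as Edge that use their own version numbering.

```python
"""Fleet version check for CVE-2025-5419.

Added example, not Google's or the page's own code. Fixed builds per the
Chrome release note: 137.0.7151.68/.69 on Windows and macOS, 137.0.7151.68
on Linux, so 137.0.7151.68 is the lowest safe build on every platform.
Anything older is treated as unpatched.
"""
import re
import subprocess

FIXED = (137, 0, 7151, 68)

# Matches the four-part build number in banners such as
# "Google Chrome 137.0.7151.68" or "Chromium 136.0.7103.114".
_VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\.(\d+)\b")


def parse_version(text: str) -> tuple[int, ...]:
    """Return the Chrome build number found in `text` as a tuple of ints."""
    m = _VERSION_RE.search(text)
    if m is None:
        raise ValueError(f"no Chrome version in {text!r}")
    return tuple(int(p) for p in m.groups())


def is_patched(text: str) -> bool:
    """True when the build in `text` is 137.0.7151.68 or newer.

    Integer tuple comparison is deliberate: a plain string compare would
    rank 137.0.7151.9 above 137.0.7151.68, which is exactly backwards.
    """
    return parse_version(text) >= FIXED


def installed_banner(binary: str = "google-chrome") -> str:
    """Ask a local Chrome/Chromium binary for its version banner.

    The binary name is an assumption; on macOS the executable lives inside
    Google Chrome.app and on Windows it is chrome.exe, both accept --version.
    """
    out = subprocess.run([binary, "--version"], capture_output=True, text=True, check=True)
    return out.stdout.strip()


def audit(inventory: dict[str, str]) -> dict[str, list[str]]:
    """Bucket hosts into patched / unpatched / unknown from their banners.

    `inventory` maps a host name to the banner collected from it (for example
    by an endpoint agent running `--version`). Hosts whose banner cannot be
    parsed are reported separately instead of being silently counted as safe.
    """
    result: dict[str, list[str]] = {"patched": [], "unpatched": [], "unknown": []}
    for host, banner in inventory.items():
        try:
            bucket = "patched" if is_patched(banner) else "unpatched"
        except ValueError:
            bucket = "unknown"
        result[bucket].append(host)
    return result


# Constructed sample inventory for the demo (hypothetical hosts).
SAMPLE_INVENTORY = {
    "ws-01": "Google Chrome 136.0.7103.114",  # pre-fix release, vulnerable
    "ws-02": "Google Chrome 137.0.7151.68",   # first fixed build
    "ws-03": "Google Chrome 137.0.7151.69",   # Windows/macOS fixed build
    "ws-04": "Chromium 137.0.7151.9",         # earlier 137 build, still vulnerable
    "ws-05": "Google Chrome 138.0.7204.49",   # later release, carries the fix
    "ws-06": "chrome not installed",          # unparseable banner
}

if __name__ == "__main__":
    for bucket, hosts in audit(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```

The `unknown` bucket matters in practice: a host that reports nothing is not a host that is patched, and treating parse failures as passes is the most common way such checks under-count exposure. A relaunch check is also worth adding to real tooling, since a Chrome that has downloaded the update but not restarted still runs the old V8.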