CVE-2025-5419: Critical Zero-Day Chrome Flaw Under Active Attack


Google has released an emergency security update for its Chrome browser to fix a high-severity zero-day vulnerability that is already being exploited in the wild. The out-of-band update ships three security fixes in total, the most serious being the bug tracked as CVE-2025-5419, rated High with a CVSS score of 8.8 out of 10.

The bug sits in V8, Chrome’s JavaScript and WebAssembly engine, and is a memory-safety flaw of the “out-of-bounds read and write” class. An attacker who can get a victim to load a crafted HTML page can corrupt memory in the renderer process, which opens the door to leaking sensitive data from memory or running attacker-controlled code.

CVE-2025-5419

CVE-2025-5419 is a serious security flaw in the Chrome browser. It lives in V8, the component of Chrome that executes JavaScript and WebAssembly. Attackers exploit it by luring a user to a specially crafted web page; once the page is loaded, the vulnerability lets the attacker read or write memory outside the bounds V8 normally enforces. That leads to heap corruption, which can be turned into execution of unauthorized code in the renderer process. One practical caveat: a V8 bug on its own gives code execution inside Chrome’s sandboxed renderer, so a full compromise of the device typically requires chaining it with a separate sandbox-escape vulnerability.

This vulnerability affects Chrome versions earlier than 137.0.7151.68.

The vulnerability was discovered and reported on May 27, 2025, by Clement Lecigne and Benoît Sevens from Google’s Threat Analysis Group (TAG). This team specializes in detecting sophisticated attacks, often carried out by state-sponsored or advanced threat actors.

In response, Google pushed a configuration change to the Stable channel the very next day, May 28, 2025, across all platforms (Windows, macOS, and Linux) to mitigate the bug while a proper fix was prepared. The fully patched builds, 137.0.7151.68 and 137.0.7151.69, followed in the Stable channel update of June 2, 2025.

What makes this vulnerability especially dangerous is that it’s already being actively exploited in real-world attacks. Google has confirmed that hackers are using this flaw to target users, although the company hasn’t revealed details about the nature of the attacks or who is behind them.

This lack of detail is intentional. By keeping the information limited, Google hopes to prevent other cybercriminals from learning about the flaw before users have a chance to update their browsers.

This is the second Chrome zero-day exploited in 2025. The first was CVE-2025-2783, a sandbox-escape flaw in Chrome’s Mojo IPC layer on Windows with a CVSS score of 8.3, which Kaspersky reported was used in targeted attacks on organizations in Russia.

Who Is at Risk?

Everyone who uses Google Chrome or a Chromium-based browser is at risk. This includes not only Chrome users but also people using:

  • Microsoft Edge

  • Brave

  • Opera

  • Vivaldi

These browsers are built on the same Chromium code base and embed the same V8 engine, so they carry the same flaw until each vendor ships a build that includes the upstream fix. Users of these browsers should watch for updates and apply them as soon as possible.


To stay protected, users should update Chrome immediately to the latest fixed version:

  • For Windows and macOS: Update to Chrome version 137.0.7151.68 or 137.0.7151.69

  • For Linux: Update to Chrome version 137.0.7151.68

To update Chrome manually:

  1. Open the Chrome browser.

  2. Click the three vertical dots in the upper-right corner.

  3. Go to Help > About Google Chrome.

  4. Chrome will automatically check for updates and install the latest version.

  5. Restart the browser to complete the update.

If you’re using another Chromium-based browser, check the vendor’s release notes or the browser’s own update page to confirm that the build you are running includes the fix for CVE-2025-5419; each vendor uses its own version numbering, so the Chrome version numbers above do not apply directly.
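For anyone who has to verify more than one machine, the manual Help > About check does not scale. The following script is an added example, not part of the original article or of Google’s tooling: it compares a Chrome or Chromium version string against the first fixed build (137.0.7151.68) field by field, so that “137.0.7151.9” is correctly treated as older than “137.0.7151.68” (a plain string comparison would get that wrong). The binary names it probes and the host inventory it walks are constructed assumptions for the demonstration.

```shell
#!/bin/sh
# Added example (not from the article): flag Chrome/Chromium installs that
# predate the CVE-2025-5419 fix. The fixed build numbers come from the article;
# the binary names and the sample inventory below are assumptions.

FIXED_VERSION="137.0.7151.68"

# version_lt A B -> exit 0 if A is older than B, comparing each dotted field
# as an integer. Missing fields count as 0; non-numeric fields are treated as 0.
version_lt() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai="${a%%.*}"; bi="${b%%.*}"
        case "$a" in *.*) a="${a#*.}";; *) a="";; esac
        case "$b" in *.*) b="${b#*.}";; *) b="";; esac
        case "$ai" in ''|*[!0-9]*) ai=0;; esac
        case "$bi" in ''|*[!0-9]*) bi=0;; esac
        [ "$ai" -lt "$bi" ] && return 0
        [ "$ai" -gt "$bi" ] && return 1
    done
    return 1   # all fields equal
}

# chrome_status VERSION -> prints "vulnerable" or "patched"; exit 0 only if patched.
chrome_status() {
    if version_lt "$1" "$FIXED_VERSION"; then
        echo "vulnerable"; return 1
    fi
    echo "patched"; return 0
}

# installed_chrome_version -> prints the version of the first Chrome/Chromium
# binary found (assumed names on Linux PATH, assumed macOS app path), else fails.
installed_chrome_version() {
    for bin in google-chrome google-chrome-stable chromium chromium-browser \
               "/Applications/Google Chrome.app/Contents/MacOS/Google Chrome"; do
        if command -v "$bin" >/dev/null 2>&1 || [ -x "$bin" ]; then
            "$bin" --version 2>/dev/null | grep -oE '[0-9]+(\.[0-9]+){3}' | head -n 1
            return 0
        fi
    done
    return 1
}

# Constructed sample inventory (hostname=version) standing in for real results
# gathered with installed_chrome_version on each host.
SAMPLE_INVENTORY="host-a=137.0.7151.55
host-b=137.0.7151.68
host-c=136.0.7103.114
host-d=137.0.7151.9"

# count_vulnerable -> prints how many hosts in SAMPLE_INVENTORY still need the update.
count_vulnerable() {
    n=0
    for entry in $SAMPLE_INVENTORY; do
        host="${entry%%=*}"; v="${entry#*=}"
        if version_lt "$v" "$FIXED_VERSION"; then
            echo "$host: $v vulnerable" >&2
            n=$((n + 1))
        fi
    done
    echo "$n"
}

# Stand-alone run: report the local install if one is found, then the inventory.
if v="$(installed_chrome_version)"; then
    echo "local Chrome $v: $(chrome_status "$v" || true)"
fi
echo "hosts still vulnerable: $(count_vulnerable)"
```

Running it on the constructed inventory reports host-a, host-c and host-d as vulnerable and host-b as patched. The comparison is only meaningful for Chrome and Chromium builds; Edge, Brave, Opera and Vivaldi number their releases independently, so for those you must compare against the fixed version named in each vendor’s own advisory.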

A zero-day vulnerability is a security flaw that attackers discover and exploit before the vendor has had a chance to fix it. Because no patch exists at the time of the attack, every user of the affected software is exposed.

Once a zero-day is publicly known, cybercriminals often rush to exploit it. That’s why fast action by software vendors—and quick updates by users—are crucial.

Google’s rapid response to CVE-2025-5419 highlights the importance of staying current with software updates. Cyberattacks are evolving fast, and browsers like Chrome are a frequent target due to their widespread use.

If you haven’t updated your browser recently, now is the time to do it. Ignoring this critical update could leave your system open to serious cyber threats, including data theft, spyware installation, or worse.
