
On Monday, Google released an out-of-band fix to address three security issues in the Chrome browser.
The high-severity flaw is tracked as CVE-2025-5419 and has been flagged as an out-of-bounds read and write vulnerability in the V8 JavaScript and WebAssembly engine.
“Out-of-bounds read and write in V8 in Google Chrome prior to 137.0.7151.68 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page,” reads the bug description on NIST’s National Vulnerability Database (NVD).
Google credited Clement Lecigne and Benoît Sevens of the Google Threat Analysis Group (TAG) with discovering and reporting the defect on May 27, 2025. It also noted that the issue was addressed the next day by pushing a configuration change to the Stable version of the browser across all platforms.

As is customary, the advisory is light on details about the nature of the attacks exploiting the vulnerability and the identity of the threat actors behind them. This is done so that the majority of users can update with the fix before other bad actors join the exploitation bandwagon.
“Google is aware that an exploit for CVE-2025-5419 exists in the wild,” the tech giant acknowledged.
CVE-2025-5419 is the second actively exploited zero-day Google has patched this year, after CVE-2025-2783 (CVSS score: 8.3).
Users are advised to upgrade to Chrome version 137.0.7151.68/.69 for Windows and macOS, and version 137.0.7151.68 for Linux, to protect against potential threats. Users of Chromium-based browsers such as Microsoft Edge, Brave, Opera, and Vivaldi are also advised to apply the fix when it becomes available.
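One way to check a fleet inventory against the fixed build is sketched below. This is an added example, not code from Google's advisory or the original article; the host names and version strings are constructed sample data, and the input is assumed to look like `--version` output from Google Chrome itself (other Chromium-based browsers ship their own fixed versions).

```python
import re

# First fixed build named in the advisory; NVD describes Chrome
# prior to 137.0.7151.68 as affected by CVE-2025-5419.
FIXED = (137, 0, 7151, 68)

# Four dot-separated numeric fields, e.g. "137.0.7151.68".
_VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\.(\d+)\b")


def parse_version(text):
    """Extract a four-part Chrome version from free text, or None."""
    match = _VERSION_RE.search(text)
    return tuple(int(part) for part in match.groups()) if match else None


def audit(inventory):
    """Map each host to 'patched', 'vulnerable' or 'unknown'.

    Versions are compared as integer tuples. Comparing the raw strings
    would rank "99.0.4844.84" above "137.0.7151.68" and hide old builds.
    """
    results = {}
    for host, raw in inventory.items():
        version = parse_version(raw)
        if version is None:
            results[host] = "unknown"      # no version reported: follow up manually
        elif version >= FIXED:
            results[host] = "patched"
        else:
            results[host] = "vulnerable"
    return results


# Constructed sample inventory (hypothetical hosts, not real data).
SAMPLE = {
    "win-laptop-01": "Google Chrome 137.0.7151.69",
    "mac-design-02": "Google Chrome 137.0.7151.55",
    "lin-build-03": "Google Chrome 137.0.7151.68 ",
    "win-kiosk-04": "Google Chrome 136.0.7103.114",
    "win-legacy-05": "Google Chrome 99.0.4844.84",
    "lin-ci-06": "sh: google-chrome: command not found",
}

if __name__ == "__main__":
    for host, status in sorted(audit(SAMPLE).items()):
        print(f"{host:15} {status}")
```

A browser that has downloaded the update keeps running the old build until it is relaunched, so pair the inventory check with a restart.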