Google fixes Chrome zero-day with in-the-wild exploit (CVE-2025-5419)
Google has fixed two Chrome vulnerabilities, including a zero-day flaw (CVE-2025-5419) with an in-the-wild exploit.
About CVE-2025-5419
CVE-2025-5419 is a high-severity out-of-bounds read and write vulnerability in V8, the JavaScript and WebAssembly engine developed by Google for the Chromium and Chrome web browsers. It allows remote attackers to trigger heap corruption via a crafted HTML page.
It was reported by Clément Lecigne and Benoît Sevens of Google’s Threat Analysis Group, a specialized team dedicated to protecting Google users, platforms, and the broader internet from targeted and state-sponsored cyber threats, so it’s highly likely that the vulnerability is being actively exploited by threat actors.
They reported the vulnerability on May 27 and Google mitigated the issue the following day by pushing out a configuration change to the Stable channel across all Chrome platforms.
As usual, Google did not share details about the attacks and the exploit, and has temporarily restricted access to bug details and links to give most users time to get the update with the fix: Chrome v137.0.7151.68 for Windows and Linux, and Chrome v137.0.7151.69 for macOS.
Implementing updates
If you’ve enabled automatic updates in Chrome, the security update has already been downloaded; you just need to restart the browser to apply it.
If you opted to update manually, you should check for the latest update and install it quickly.
The two vulnerabilities have also been patched in the stable channel of Chromium-based Microsoft Edge.
The Brave, Opera, and Vivaldi browsers are also based on Chromium, so expect fixes for these flaws to be delivered soon.
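An added example (not from the article or from Google): a small inventory check that compares reported Chrome versions against the fixed builds named above and groups hosts by status. The hostnames, platform labels and version strings in the sample are constructed; fixed builds for Edge, Brave, Opera and Vivaldi are not given here, so those browsers are out of scope.

```python
import re

# Fixed builds for CVE-2025-5419 as stated in the article.
FIXED = {
    "windows": (137, 0, 7151, 68),
    "linux": (137, 0, 7151, 68),
    "macos": (137, 0, 7151, 69),
}
VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\.(\d+)\b")

def parse_version(text):
    """Extract the four-part Chrome version from free text such as the
    output of `google-chrome --version`; return None if none is found."""
    m = VERSION_RE.search(text or "")
    return tuple(int(p) for p in m.groups()) if m else None

def assess(platform, version_text):
    """Return 'patched', 'vulnerable' or 'unknown' for one endpoint."""
    fixed = FIXED.get(platform.strip().lower())
    version = parse_version(version_text)
    if fixed is None or version is None:
        return "unknown"  # flag for manual review, never assume patched
    # Tuples compare numerically field by field, unlike version strings.
    return "patched" if version >= fixed else "vulnerable"

def triage(inventory):
    """Group hostnames by status for (host, platform, version_text) rows."""
    result = {"patched": [], "vulnerable": [], "unknown": []}
    for host, platform, version_text in inventory:
        result[assess(platform, version_text)].append(host)
    return result

# Constructed sample inventory (hostnames and versions are made up).
SAMPLE = [
    ("ws-01", "Windows", "Google Chrome 137.0.7151.68"),
    ("ws-02", "Windows", "Google Chrome 137.0.7151.56"),
    ("mac-01", "macOS", "Google Chrome 137.0.7151.68"),
    ("mac-02", "macOS", "Google Chrome 137.0.7151.69"),
    ("lx-01", "Linux", "Google Chrome 136.0.7103.113"),
    ("lx-02", "Linux", "Google Chrome 138.0.7204.49"),
    ("lx-03", "Linux", "chrome: command not found"),
    ("cb-01", "ChromeOS", "Google Chrome 137.0.7151.68"),
]

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE).items():
        print(f"{status:10} {', '.join(hosts) or '-'}")
```

Because a downloaded update only takes effect after a restart, collect the version from the running browser (for example, from the chrome://version page) rather than from the binary on disk where possible.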