You are currently viewing Google Releases Emergency Patch For New Actively Exploited Chrome Zero-Day

Google Releases Emergency Patch For New Actively Exploited Chrome Zero-Day

  • Post author:
  • Reading time:7 mins read

Google has recently released an out-of-band security patch to address a high-severity zero-day vulnerability in its Chrome browser. This vulnerability, tracked as CVE-2025-5419, is actively being exploited in the wild, posing a significant risk to Chrome users. The vulnerability is an out-of-bounds read and write issue within the V8 JavaScript and WebAssembly engine.


Vulnerability Details

The core of the problem lies in the V8 JavaScript and WebAssembly engine, a critical component of the Chrome browser. An out-of-bounds read and write vulnerability occurs when the engine improperly handles memory access, allowing a remote attacker to read or write data outside of the intended memory region. By crafting a malicious HTML page, an attacker can trigger this vulnerability and achieve heap corruption, ultimately leading to code execution.

The vulnerability has an NVD CVSS score of 8.8, indicating its high severity. This means a successful exploit could lead to significant consequences, including arbitrary code execution.


Impact & Exploit Potential

While the exact impact of this particular vulnerability is unknown, the potential impact of heap corruption is severe. By exploiting such a flaw, attackers might be able to achieve the following:

  • Arbitrary Code Execution: Successful exploitation could allow attackers to execute arbitrary code on the victim’s system, leading to complete system compromise.
  • Data Theft: Attackers could potentially read sensitive data from the browser’s memory.
  • System Instability: Heap corruption can lead to unpredictable behavior and system crashes.

Google is aware that an exploit for CVE-2025-5419 exists in the wild, which means that attackers are actively attempting to exploit this vulnerability.


Tactics, Techniques, and Procedures (TTPs)

The exploitation of this vulnerability aligns with the following Tactics, Techniques, and Procedures (MITRE ATT&CK) framework:

  • Tactic: Execution (TA0002)
  • Technique: Exploitation for Client Execution (T1203)
  • Procedure: Attackers craft a malicious HTML page to trigger the out-of-bounds read and write vulnerability in the V8 engine.


Affected Products

The vulnerability affects the following products and versions:

  • Google Chrome versions before 137.0.7151.68 on Windows, macOS, and Linux.
  • Chromium-based browsers such as Microsoft Edge, Brave, Opera, and Vivaldi are also potentially affected and require updates as they become available.


Mitigation & Recommendations

To mitigate the risk posed by this vulnerability, it is crucial to take the following steps:

  • Update Chrome Immediately: Users should upgrade to Chrome version 137.0.7151.68/.69 for Windows and macOS, and version 137.0.7151.68 for Linux.
  • Exercise Caution: Be cautious when visiting untrusted websites or opening suspicious links, as these could potentially lead to exploitation.
  • Chromium-based Browsers: Users of Chromium-based browsers like Microsoft Edge, Brave, and Opera should monitor for and apply updates as soon as their respective vendors release them.


Real-World Observations

The discovery and reporting of CVE-2025-5419 was credited to Clement Lecigne and Benoît Sevens of Google Threat Analysis Group (TAG) on May 27, 2025. Google addressed the issue the next day by pushing out a configuration change to the Stable version of the browser across all platforms.

Notably, CVE-2025-5419 is the second actively exploited zero-day vulnerability patched by Google this year. The first, CVE-2025-2783 (CVSS score: 8.3), was identified by Kaspersky as being weaponized in attacks targeting organizations in Russia. This highlights the increasing sophistication and frequency of zero-day exploits targeting widely used software.


Instantly Fix Risks with Saner Patch Management

Saner patch management is a continuous, automated, and integrated software that instantly fixes risks exploited in the wild. The software supports major operating systems like Windows, Linux, and macOS, as well as 550+ third-party applications.

It also allows you to set up a safe testing area to test patches before deploying them in a primary production environment. Saner patch management additionally supports a patch rollback feature in case of patch failure or a system malfunction.

Experience the fastest and most accurate patching software here.