Google quietly released a security fix for a worrying Chrome zero-day flaw, so patch now

[Image: Google Chrome (Image credit: Monticello / Shutterstock)]

  • Google Chrome fixes out-of-bounds read and write vulnerability in V8
  • It's being exploited in the wild, so be on your guard
  • Chrome usually updates automatically, but it wouldn't hurt to check

Google has patched a zero-day vulnerability recently discovered in its Chrome desktop browser which it says is being actively exploited in the wild, so users should apply the fix as soon as possible.

The bug is described as an out-of-bounds read and write vulnerability present in V8, tracked as CVE-2025-5419, and has been given a severity score of 8.8 (high).

V8 is an open source JavaScript engine used primarily in Chrome and Node.js. It was developed by Google and powers many of today’s key productivity apps, such as Google Docs and Gmail.

Forcing the update

In theory, a threat actor could create a malicious website which would execute arbitrary code on the victim’s system while visiting. That could potentially lead to full system compromise, data theft, or additional malware deployment.

The bug is fixed in version 137.0.7151.68, and users are advised to upgrade immediately. Patches are out for Windows, macOS, and Linux.

Usually, Chrome updates automatically upon a new launch. However, users can do it manually by navigating to the Chrome menu > Help > About Google Chrome, checking for updates, and clicking the “Relaunch” button.
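For administrators who need to confirm the fix across many machines rather than clicking through the About page, the following added example (not code from the article or from Google) checks an installed Chrome version string against the fixed build 137.0.7151.68 named above. The binary names queried and the sample version strings are assumptions; the comparison is done component-wise, because a plain string comparison would wrongly rank "137.0.7151.9" above "137.0.7151.68".

```python
"""Check whether an installed Chrome build is at or above the release that
fixes CVE-2025-5419 (137.0.7151.68, per Google's advisory as reported above).
Added example, not from the article; binary names and samples are assumptions."""
import re
import shutil
import subprocess
from typing import Optional, Tuple

FIXED_VERSION = "137.0.7151.68"  # first build carrying the fix (from the article)


def parse_version(text: str) -> Tuple[int, ...]:
    """Extract the dotted version from output such as 'Google Chrome 137.0.7151.55'."""
    match = re.search(r"(\d+(?:\.\d+){1,3})", text)
    if not match:
        raise ValueError(f"no version number found in {text!r}")
    return tuple(int(part) for part in match.group(1).split("."))


def is_patched(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed build is at or beyond the fixed build.
    Components are compared as integers, so 137.0.7151.9 < 137.0.7151.68."""
    return parse_version(installed) >= parse_version(fixed)


def installed_chrome_version() -> Optional[str]:
    """Best-effort query of a Chrome/Chromium binary on PATH (Linux-style names assumed)."""
    for name in ("google-chrome", "google-chrome-stable", "chromium"):
        path = shutil.which(name)
        if path:
            result = subprocess.run([path, "--version"], capture_output=True, text=True)
            return result.stdout.strip()
    return None


if __name__ == "__main__":
    version = installed_chrome_version()
    if version is None:
        print("Chrome not found on PATH; check chrome://settings/help manually")
    elif is_patched(version):
        print(f"{version}: patched against CVE-2025-5419")
    else:
        print(f"{version}: vulnerable, update to {FIXED_VERSION} and relaunch")
```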

The company said the vulnerability is being abused in the wild, but did not want to share additional details before the majority of Chrome browsers are updated, adding that it was “aware that an exploit for CVE-2025-5419 exists in the wild.”

"Access to bug details and links may be kept restricted until a majority of users are updated with a fix," Google said. "We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven't yet fixed."

This is the third Chrome zero-day vulnerability fixed in 2025, as two more were patched in March and May. In 2024, the company fixed a total of 10 zero-day flaws.

Via BleepingComputer


Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
