Google Addresses Active Exploit with Chrome Security Update

Google rolled out urgent fixes for its Chrome browser following the discovery of a critical vulnerability, identified as CVE-2025-5419, that is currently being exploited in the wild. This high-severity flaw affects the V8 JavaScript and WebAssembly engine, and it was promptly addressed by the company in an out-of-band update.

The vulnerability is an out-of-bounds read and write issue that could allow a remote attacker to exploit heap corruption through a specially crafted HTML page. This was confirmed by the National Vulnerability Database, which noted the significance of the flaw.

The flaw was discovered by Google Threat Analysis Group (TAG) members Clement Lecigne and Benoît Sevens on May 27, 2025, and the company acted swiftly, implementing a configuration change to the Stable version of the browser on May 28. Although specific details on the ongoing attacks remain scarce, the advisory serves to protect users by urging updates before further exploitation can occur.

Google explicitly stated, “Google is aware that an exploit for CVE-2025-5419 exists in the wild,” underscoring the potential threat posed to users who have not yet updated. This is the second zero-day vulnerability addressed by Google this year, following CVE-2025-2783, which was reported as being actively used in attacks targeting organizations in Russia.

To mitigate risks, users are advised to upgrade to Chrome version 137.0.7151.68/.69 for Windows and macOS, and version 137.0.7151.68 for Linux. Similarly, users of other Chromium-based browsers, including Microsoft Edge, Brave, Opera, and Vivaldi, are encouraged to implement necessary updates as they become available.
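For administrators checking a fleet against the fixed builds above, the following added example (not part of Google's advisory) audits an inventory of browser versions. The CSV layout, host names and sample versions are constructed assumptions. Non-Chrome browsers are routed to manual review because the article gives no fixed build for them.

```python
import re

# Added example; the CSV inventory format and host names are assumptions.
# Minimum fixed Chrome build per platform, as given in the article.
FIXED = {p: (137, 0, 7151, 68) for p in ("windows", "macos", "linux")}


def parse_version(text):
    """Return a 4-part Chrome version as a tuple of ints, or None if malformed."""
    if not re.fullmatch(r"\d+(\.\d+){3}", text.strip()):
        return None
    return tuple(int(part) for part in text.strip().split("."))


def classify(browser, platform, version):
    """Classify one inventory row as 'patched', 'vulnerable' or 'review'."""
    # The article lists fixed builds for Chrome only; other Chromium-based
    # browsers use their own release numbers, so they go to manual review.
    if browser.strip().lower() != "chrome":
        return "review"
    parsed = parse_version(version)
    minimum = FIXED.get(platform.strip().lower())
    if parsed is None or minimum is None:
        return "review"
    # Tuple comparison is numeric per component; comparing the raw strings
    # would wrongly rank "137.0.7151.9" above "137.0.7151.68".
    return "patched" if parsed >= minimum else "vulnerable"


def audit(lines):
    """Map host -> status for 'host,browser,platform,version' CSV lines."""
    rows = (tuple(f.strip() for f in line.split(",")) for line in lines)
    return {host: classify(b, p, v) for host, b, p, v in rows}


# Constructed sample inventory (hypothetical hosts and versions, not real data).
SAMPLE = [
    "ws-01,Chrome,Windows,137.0.7151.69",
    "ws-02,Chrome,Windows,137.0.7151.9",
    "mac-01,Chrome,macOS,136.0.7103.114",
    "ws-03,Edge,Windows,136.0.3240.92",
    "ws-04,Chrome,Windows,137.0.7151",
]

if __name__ == "__main__":
    for host, status in audit(SAMPLE).items():
        print(f"{host}: {status}")
```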