Google has released an emergency security update to address a high-severity zero-day vulnerability in Chrome (CVE-2025-5419), which is already being actively exploited in the wild.
Vulnerability Details
CVE-2025-5419 is an out-of-bounds read and write vulnerability in Chrome’s V8 JavaScript and WebAssembly engine. By crafting a malicious HTML page, remote attackers can trigger heap corruption, potentially leading to arbitrary code execution, data exposure, or application crashes. The flaw affects Chrome versions prior to 137.0.7151.68.
The vulnerability was discovered by Clément Lecigne and Benoît Sevens of Google’s Threat Analysis Group (TAG), a team specialized in tracking sophisticated, state-sponsored threats. Its discovery by TAG suggests the exploit may already be leveraged by advanced threat actors, though Google has not disclosed specific attribution or technical details to limit further exploitation before users apply the fix.
Rapid Mitigation
Google responded swiftly, releasing a fix just one day after receiving the report on May 27, 2025. The patch is now available via Chrome version:
- 137.0.7151.68 for Windows and Linux
- 137.0.7151.69 for macOS
Users of Chromium-based browsers (including Microsoft Edge, Brave, Opera, and Vivaldi) should also expect updates in the coming days.
Previous Exploits & Growing Zero-Day Trend
This marks the second actively exploited Chrome zero-day patched by Google in 2025, following CVE-2025-2783 and CVE-2025-4664 earlier this year, both of which were also leveraged for espionage operations.
The repeated targeting of Chrome’s V8 engine underscores the continued focus by nation-state actors and advanced threat groups on browser vulnerabilities as an initial access vector.
OP Innovate Recommendations
- Apply updates immediately. Ensure Chrome is updated to version 137.0.7151.68/.69 or later.
- Restart your browser after updating to fully apply the patch.
- Monitor Chromium-based browsers (Edge, Brave, etc.) for corresponding updates.
- Review threat intelligence feeds for any emerging campaigns leveraging this exploit.
- Implement robust endpoint protection that can mitigate exploit attempts and memory corruption attacks.
As always, OP Innovate continues to track critical vulnerabilities and zero-day threats. For organizations concerned about targeted exploitation or requiring additional security validation, our incident response and continuous penetration testing teams are available to assist.
Stay Secure. Stay Informed.
