Google on Monday released out-of-band fixes to address three security issues in its Chrome browser, including one that it said has come under active exploitation in the wild.
The high-severity flaw is being tracked as CVE-2025-5419, and has been flagged as an out-of-bounds read and write vulnerability in the V8 JavaScript and WebAssembly engine.
“Out of bounds read and write in V8 in Google Chrome prior to 137.0.7151.68 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page,” reads the description of the bug on the NIST’s National Vulnerability Database (NVD).
Google credited Clement Lecigne and Benoît Sevens of Google Threat Analysis Group (TAG) with discovering and reporting the flaw on May 27, 2025. It also noted that the issue was addressed the next day by pushing out a configuration change to the Stable version of the browser across all platforms.
As is customary, the advisory is light on details regarding the nature of the attacks leveraging the vulnerability or the identity of the threat actors perpetrating them. This is done so to ensure that a majority of users are updated with a fix and to prevent other bad actors from joining the exploitation bandwagon.
“Google is aware that an exploit for CVE-2025-5419 exists in the wild,” the tech giant acknowledged.
CVE-2025-5419 is the second actively exploited zero-day to be patched by Google this year after CVE-2025-2783 (CVSS score: 8.3), which was identified by Kaspersky as being weaponized in attacks targeting organizations in Russia.
Users are recommended to upgrade to Chrome version 137.0.7151.68/.69 for Windows and macOS, and version 137.0.7151.68 for Linux to safeguard against potential threats. Users of Chromium-based browsers such as Microsoft Edge, Brave, Opera, and Vivaldi are also advised to apply the fixes as and when they become available.
