- Google Chrome fixes out-of-bounds read and write vulnerability in V8
- It’s being exploited in the wild, so be on your guard
- Chrome usually updates automatically, but it wouldn’t hurt to check
Google has patched a zero-day vulnerability recently discovered in its Chrome desktop browser which it says is being actively exploited in the wild, so users should apply the fix as soon as possible.
The bug is described as an out-of-bounds read and write vulnerability present in V8, tracked as CVE-2025-5419, and has been given a severity score of 8.8 (high).
V8 is an open source JavaScript engine used primarily in Chrome and Node.js. It was developed by Google, and powers many of today’s key productivity apps, such as Google Docs, or Gmail.
Forcing the update
In theory, a threat actor could create a malicious website which would execute arbitrary code on the victim’s system while visiting. That could potentially lead to full system compromise, data theft, or additional malware deployment.
The bug is fixed in version 137.0.7151.68, and users are advised to upgrade immediately. Patches are out for Windows, macOS, and Linux.
Usually, Chrome updates automatically upon a new launch. However, users can do it manually by navigating to the Chrome menu > Help > About Google Chrome, checking for updates, and clicking the “Relaunch” button.
The company said the vulnerability is being abused in the wild, but did not want to share additional details before the majority of Chrome browsers are updated, adding it was, “aware that an exploit for CVE-2025-5419 exists in the wild.”
“Access to bug details and links may be kept restricted until a majority of users are updated with a fix,” Google said. “We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven’t yet fixed.”
This is the third Chrome zero-day vulnerability fixed in 2025, as two more were patched in March and May. In 2024, the company fixed a total of 10 zero-day flaws.
Via BleepingComputer
