Google has released a security update for Chrome desktop, addressing three vulnerabilities, including a critical zero-day flaw in the V8 JavaScript engine that attackers are actively exploiting.
The patch, now rolling out to Windows, Mac, and Linux users via version 137.0.7151.68/.69, aims to protect millions of Chrome users from potential heap corruption attacks.
The zero-day, identified as CVE-2025-5419, was discovered by Clement Lecigne and Benoît Sevens of Google’s Threat Analysis Group (TAG) on May 27, 2025. TAG is known for its focus on identifying sophisticated cyberattacks, including those linked to state-sponsored actors. Within a day, Google mitigated the issue by pushing a configuration change across all stable Chrome platforms. This rapid response highlights the urgency, as Google confirmed it is aware of active exploitation attempts targeting the flaw.
CVE-2025-5419 stems from an out-of-bounds read and write vulnerability in V8, Chrome’s high-performance JavaScript and WebAssembly engine. Specifically, the flaw can be triggered by a maliciously crafted HTML page, enabling remote attackers to achieve heap corruption. Such memory corruption could potentially allow attackers to execute arbitrary code in the context of the browser, opening the door to further compromise of the user’s system. While Google has not released full exploitation details, likely to protect users until patches are widely deployed, the flaw’s high-severity rating (CVSS 8.8) underscores its potential impact.
Chrome, which holds a dominant share of the global browser market with over 60% usage across desktop platforms, relies heavily on the security of components like V8 to deliver fast and safe web experiences. V8 processes JavaScript code at high speed, but its complexity and interaction with low-level memory make it a prime target for attackers. Google uses a variety of fuzzing tools, including AddressSanitizer and libFuzzer, to catch such bugs early, but as this case shows, some issues still slip into production.
In addition to CVE-2025-5419, the June 2 update also patched CVE-2025-5068, a medium-severity use-after-free vulnerability in the Blink rendering engine, reported by an external researcher under the alias Walkman. No active exploitation has been reported for that flaw.
Chrome users should immediately update their browsers to version 137.0.7151.68 (or .69, depending on OS) by navigating to Settings > About Chrome, which triggers an automatic update and restart.
The same flaw impacts Chrome-based browsers like Microsoft Edge and Brave, so a quick update is suggested there, too.
Leave a Reply