
Google has released an unscheduled update for the Chrome browser, addressing three security vulnerabilities—one of which is already being actively exploited in the wild. The most critical among them, identified as CVE-2025-5419 and carrying a CVSS score of 8.8, pertains to improper memory handling within the V8 engine, which is responsible for executing JavaScript and WebAssembly code.
According to the vulnerability description published by the NVD, this flaw allows a remote attacker to trigger heap corruption via a specially crafted HTML page. The issue stems from out-of-bounds memory reads and writes, which may ultimately lead to the execution of arbitrary code on the victim’s device.
The vulnerability was discovered and documented on May 27, 2025, by researchers from Google’s Threat Analysis Group (TAG). Within a day, Google had already integrated a fix into the stable version of Chrome for all supported platforms.
As per established protocol, Google has refrained from disclosing technical details or identifying the actors or groups behind the exploit, in order to prevent widespread abuse before users have had a chance to apply the update. However, the company confirmed that CVE-2025-5419 is indeed being weaponized in real-world attacks.
This marks the second zero-day vulnerability actively exploited in the wild that Google has mitigated in 2025. The first, CVE-2025-2783, was patched earlier after being identified in the course of an investigation by Kaspersky Lab. Both vulnerabilities pose significant risks, potentially enabling covert system breaches via ordinary web pages.
Users are strongly urged to update Chrome to version 137.0.7151.68 or 137.0.7151.69 on Windows and macOS, and to version 137.0.7151.68 on Linux. The same advisory applies to all Chromium-based browsers, including Microsoft Edge, Brave, Opera, and Vivaldi. Developers should integrate the security patches into their respective platforms as soon as they become available.
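
The following is an added example, not code from Google or from this article: a small fleet check that flags hosts whose Google Chrome build is below the fixed versions named above. The host names, the inventory format and the `outdated`/`patched` labels are assumptions made for illustration, and the check covers Google Chrome only, since other Chromium-based browsers use their own version numbers.

```python
import re

# Minimum fixed Chrome build per platform, as stated in the article.
FIXED = {
    "windows": (137, 0, 7151, 68),
    "macos": (137, 0, 7151, 68),
    "linux": (137, 0, 7151, 68),
}

VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Extract a four-part version tuple from free text, or None if absent."""
    match = VERSION_RE.search(text)
    return tuple(int(part) for part in match.groups()) if match else None


def classify(platform, version_text):
    """Return 'patched', 'outdated' or 'unknown' for one inventory record."""
    fixed = FIXED.get(platform.lower())
    version = parse_version(version_text)
    if fixed is None or version is None:
        return "unknown"
    # Compare as integer tuples: a string comparison would wrongly rank
    # "137.0.7151.100" below "137.0.7151.68".
    return "patched" if version >= fixed else "outdated"


def audit(records):
    """Return (host, status) for every record that is not confirmed patched."""
    findings = []
    for host, platform, version_text in records:
        status = classify(platform, version_text)
        if status != "patched":
            findings.append((host, status))
    return findings


# Constructed sample inventory (hypothetical hosts and version strings).
SAMPLE_INVENTORY = [
    ("ws-001", "windows", "137.0.7151.69"),
    ("ws-002", "windows", "136.0.7103.114"),
    ("mac-01", "macos", "Google Chrome 137.0.7151.55"),
    ("lin-01", "linux", "Google Chrome 137.0.7151.68 "),
    ("lin-02", "linux", "version query failed"),
]

if __name__ == "__main__":
    for host, status in audit(SAMPLE_INVENTORY):
        print(f"{host}: {status}")
```

Hosts reported as `unknown` should be treated as unverified rather than safe, since the check could not read a version from them.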