Google has issued an emergency security update for its Chrome browser to address a critical zero-day vulnerability, identified as CVE-2025-5419, which is currently being actively exploited by malicious actors. This flaw allows attackers to execute arbitrary code on affected systems by exploiting out-of-bounds read and write operations within Chrome’s V8 JavaScript engine.
The vulnerability was discovered and reported by Clement Lecigne and Benoît Sevens from Google’s Threat Analysis Group on May 27, 2025. Out-of-bounds memory access issues, like those present in this case, are particularly dangerous as they can enable attackers to read sensitive information or inject malicious code into system memory.
In response to the severity of this threat, Google implemented emergency mitigation measures on May 28, 2025, deploying a configuration change across all Chrome platforms to protect users ahead of the full patch release. This swift action underscores the critical nature of the vulnerability and the immediate risk it poses to Chrome users worldwide.
The security update also addresses a second vulnerability, CVE-2025-5068, a medium-severity use-after-free flaw in Blink, Chrome’s rendering engine. This issue was reported by security researcher Walkman on April 7, 2025, and carries a $1,000 bounty reward. While less critical than the zero-day, use-after-free vulnerabilities can still lead to memory corruption and potential code execution.
Google has maintained its policy of restricting access to detailed vulnerability information until the majority of users have updated their browsers. This approach prevents malicious actors from reverse-engineering patches to develop new exploits while users remain on vulnerable versions.
The company credits its comprehensive security testing infrastructure for detecting many vulnerabilities before they reach stable releases. Google employs advanced tools, including AddressSanitizer, MemorySanitizer, UndefinedBehaviorSanitizer, Control Flow Integrity, libFuzzer, and AFL, to identify potential security issues during development.
Chrome users are strongly advised to update their browsers immediately to mitigate the risk associated with these vulnerabilities. To update, navigate to Settings > About Chrome, which will automatically download and install the latest version. Given the active exploitation of CVE-2025-5419, prompt action is essential. Users can confirm they are protected against these vulnerabilities by checking that their Chrome version is 137.0.7151.68 or higher.
Organizations should prioritize deploying this update across their networks to prevent potential compromise through malicious websites targeting the zero-day vulnerability.
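The version check described above, written so it can be run across a fleet rather than by hand: this is an added example, not Google's tooling. The fixed build number comes from this advisory; the binary names looked up on PATH and the sample version strings in the comments are assumptions.

```python
"""Check whether an installed Chrome build includes the fix for CVE-2025-5419."""
import re
import shutil
import subprocess

# First stable build carrying the fix, as stated in the advisory above.
FIXED_VERSION = "137.0.7151.68"
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Extract the four-component Chrome version from a string such as
    'Google Chrome 137.0.7151.68' and return it as a tuple of ints, or None."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    return tuple(int(part) for part in m.groups())


def is_patched(version_text, fixed=FIXED_VERSION):
    """True when version_text is at or above the fixed build.
    Tuples compare component-wise, so 137.0.7151.100 ranks above 137.0.7151.68
    and 136.0.9999.9 ranks below it; a plain string compare would get that wrong."""
    version = parse_version(version_text)
    if version is None:
        raise ValueError(f"no Chrome version found in {version_text!r}")
    return version >= parse_version(fixed)


def installed_chrome_version():
    """Best-effort query of a local Chrome/Chromium binary (Linux/macOS PATH lookup).
    Returns the '--version' output, or None if no binary is found.
    The candidate binary names are assumptions, not an official list."""
    for name in ("google-chrome", "google-chrome-stable", "chromium", "chromium-browser"):
        path = shutil.which(name)
        if path:
            result = subprocess.run([path, "--version"], capture_output=True, text=True, timeout=10)
            return result.stdout.strip()
    return None


if __name__ == "__main__":
    found = installed_chrome_version()
    if found is None:
        print("No Chrome binary on PATH; check Settings > About Chrome manually.")
    else:
        state = "patched" if is_patched(found) else "VULNERABLE to CVE-2025-5419, update now"
        print(f"{found}: {state}")
```

On Windows the version is easier to read from the registry or the installed executable's file version; the comparison logic is the same.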