Google released an out-of-band security update for its Chrome browser, addressing three vulnerabilities, including a high-severity zero-day flaw that is being actively exploited in the wild.
The vulnerability, tracked as CVE-2025-5419 and rated high severity, is an out-of-bounds read and write in V8, Chrome's JavaScript and WebAssembly engine. A crafted HTML page can trigger heap corruption, which in V8 typically translates into code execution inside the sandboxed renderer process; a full system compromise would additionally require a sandbox escape, so such bugs are usually seen as one link in an exploit chain. The flaw was reported by Clement Lecigne and Benoît Sevens of Google's Threat Analysis Group, and it affects Chrome versions prior to 137.0.7151.68.
"Google is aware that an exploit for CVE-2025-5419 exists in the wild," the company said in its advisory, though it withheld specifics about the attacks or the threat actors involved to prevent further exploitation.
This marks the second Chrome zero-day exploited in the wild this year, following CVE-2025-2783, a sandbox-escape flaw patched in March that was used in attacks targeting organizations in Russia.
Users are strongly advised to update to Chrome version 137.0.7151.68 or 137.0.7151.69 on Windows and macOS, and 137.0.7151.68 on Linux. Chrome downloads updates in the background but does not apply them until the browser is relaunched, so open chrome://settings/help to force the check and then restart the browser. Users of Chromium-based browsers, including Microsoft Edge, Brave, Opera, and Vivaldi, should also apply their vendors' updates as soon as they become available.
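For anyone checking a fleet rather than a single machine, the comparison against the fixed build is easy to get wrong because Chrome versions are four-part integers, not strings. The script below is an added example written for this page, not Google's code or part of the advisory: it parses a Chrome version, compares it numerically against the first fixed Stable build named above, and probes the locally installed browser. The binary paths and the Windows registry key it reads are assumptions about default installs.

```python
"""Check whether a Chrome/Chromium build is at or past the CVE-2025-5419 fix.

Added example, not from the original article. FIXED_VERSION comes from
Google's advisory; the probe locations below are assumptions about default
Chrome installs and are only used by main().
"""
import platform
import re
import subprocess
from typing import Optional, Tuple

# First Stable build carrying the CVE-2025-5419 fix (Linux, Windows and macOS).
FIXED_VERSION = "137.0.7151.68"

# Matches the MAJOR.MINOR.BUILD.PATCH quad in e.g. "Google Chrome 137.0.7151.68".
_VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\.(\d+)\b")


def parse_version(text: str) -> Optional[Tuple[int, ...]]:
    """Extract the four-part Chrome version from --version output or a bare string.

    Returns None when no version quad is present, so a failed probe is never
    mistaken for a patched browser.
    """
    m = _VERSION_RE.search(text)
    if not m:
        return None
    return tuple(int(p) for p in m.groups())


def is_patched(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True when `installed` is at or above the first fixed build.

    Tuples of ints are compared, not strings: as strings "137.0.7151.9"
    would sort after "137.0.7151.68" and be wrongly reported as patched.
    """
    have = parse_version(installed)
    want = parse_version(fixed)
    if have is None or want is None:
        return False
    return have >= want


# Assumed default locations of the Chrome binary on Linux and macOS.
_BINARIES = {
    "Linux": ["google-chrome", "google-chrome-stable", "chromium", "chromium-browser"],
    "Darwin": ["/Applications/Google Chrome.app/Contents/MacOS/Google Chrome"],
}


def installed_version() -> Optional[str]:
    """Return the locally installed Chrome version string, or None if unknown."""
    system = platform.system()
    if system == "Windows":
        # chrome.exe --version does not print to the console on Windows, so read
        # the version Chrome records for its update beacon (assumed key).
        try:
            import winreg  # only available on Windows
            key = winreg.OpenKey(winreg.HKEY_CURRENT_USER, r"Software\Google\Chrome\BLBeacon")
            value, _ = winreg.QueryValueEx(key, "version")
            return str(value)
        except (ImportError, OSError):
            return None
    for exe in _BINARIES.get(system, []):
        try:
            out = subprocess.run([exe, "--version"], capture_output=True,
                                 text=True, timeout=10, check=False).stdout
        except (OSError, subprocess.SubprocessError):
            continue
        if parse_version(out) is not None:
            return out.strip()
    return None


def main() -> None:
    found = installed_version()
    if found is None:
        print("Chrome not found or did not report a version; treat as unverified")
        return
    state = "patched" if is_patched(found) else "VULNERABLE, update and relaunch"
    print(f"{found}: {state} (CVE-2025-5419 fixed in {FIXED_VERSION})")


if __name__ == "__main__":
    main()
```

Note that an unparseable or missing version is reported as unverified rather than patched; when rolling this into inventory tooling, treat that outcome as a finding of its own, since it usually means a portable or non-standard install the probe did not see.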