Google Fixes Actively Exploited Chrome 0-Day Vulnerability – Immediate Update Needed

Prime Highlights:

  • A severe 0-day vulnerability in the V8 engine of Chrome is actively being exploited.
  • Google released an out-of-cycle security update on June 3, 2025.

Key Facts:

  • The bug (CVE-2025-5419) is a memory corruption flaw that lets attackers run arbitrary code.
  • Google's Threat Analysis Group discovered the flaw, which was already being exploited in the wild before the patch was released.
  • The fix applies to all platforms; users are asked to upgrade Chrome to version 137.0.7151.68 or newer.

Key Background

Google acted in June 2025 to mitigate a severe security vulnerability by issuing an emergency patch for its Chrome web browser. The problem, CVE-2025-5419, is a high-priority zero-day flaw in Chrome's V8 JavaScript and WebAssembly engine. The vulnerability stems from an out-of-bounds memory access, which allows attackers to corrupt the browser's heap memory. That in turn can lead to arbitrary code execution, effectively giving an attacker control over the user's system through malicious web content.

The bug was reported by Clement Lecigne and Benoît Sevens of Google's Threat Analysis Group on May 27, 2025, and had been exploited in the wild before any fix was available. Google rolled out internal mitigation measures within a day of the report and then shipped a stable patch for all users on June 3, 2025. The fixed versions are 137.0.7151.68 for Linux and 137.0.7151.68/.69 for Windows and macOS.

This marks the second Chrome zero-day of 2025, continuing a pattern of increasingly sophisticated web-based attacks. Earlier zero-day flaws this year also targeted memory issues, underlining the importance of memory safety in browser architecture. To catch such bugs earlier, Google uses tools such as AddressSanitizer and MemorySanitizer, though attackers continue to find bugs that these tools miss.

Besides the primary vulnerability, Google also fixed a secondary medium-severity issue in Blink, Chrome's rendering engine. Although it was not known to be actively exploited, it was patched proactively as part of the same update.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has also added the flaw to its Known Exploited Vulnerabilities catalog, calling on government and private organizations to apply the update promptly. Since Chrome is widely used, particularly by enterprises and individuals handling sensitive information, updating to the newest version is essential.

Users should open Chrome Settings → About Chrome and confirm they are running version 137.0.7151.68 or later; opening that page also triggers an update check. Other Chromium-based browsers such as Edge and Brave are expected to ship their own patches based on the same fix.
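For administrators checking more than one machine, the following Python script is an added example (not from the article or from Google) that parses `google-chrome --version`-style output and compares it numerically against the 137.0.7151.68 fixed build; the inventory lines and host names are constructed, and a naive string comparison is avoided because it would misrank builds like 137.0.7151.9.

```python
import re
from typing import Optional, Tuple

# Lowest build with the CVE-2025-5419 fix per the article (Windows/macOS also ship .69).
FIXED_VERSION = (137, 0, 7151, 68)

VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")

def parse_version(text: str) -> Optional[Tuple[int, ...]]:
    """Pull a four-part Chrome version out of text such as the output of
    `google-chrome --version` ("Google Chrome 137.0.7151.68").
    Returns None when no version string is present."""
    match = VERSION_RE.search(text)
    if not match:
        return None
    return tuple(int(part) for part in match.groups())

def is_patched(text: str) -> bool:
    """True when the version found in `text` is at or above FIXED_VERSION.
    Integer tuples compare numerically per component, so 137.0.7151.9 ranks
    below 137.0.7151.68 (a plain string compare would rank it above)."""
    version = parse_version(text)
    return version is not None and version >= FIXED_VERSION

def audit(inventory):
    """Classify 'host<TAB>version output' lines (e.g. collected from a
    fleet) into patched, unpatched and unknown buckets."""
    report = {"patched": [], "unpatched": [], "unknown": []}
    for line in inventory:
        host, _, output = line.partition("\t")
        version = parse_version(output)
        if version is None:
            report["unknown"].append(host)
        elif version >= FIXED_VERSION:
            report["patched"].append(host)
        else:
            report["unpatched"].append(host)
    return report

# Constructed sample inventory; host names and the older builds are made up.
SAMPLE_INVENTORY = [
    "ws-01\tGoogle Chrome 137.0.7151.68",
    "ws-02\tGoogle Chrome 137.0.7151.69",
    "ws-03\tGoogle Chrome 137.0.7151.9",
    "ws-04\tGoogle Chrome 136.0.7000.1",
    "ws-05\tgoogle-chrome: command not found",
]
if __name__ == "__main__":
    for status, hosts in audit(SAMPLE_INVENTORY).items():
        print(f"{status}: {', '.join(hosts) or '-'}")
```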