Google has launched an emergency safety replace to repair the third Chrome zero-day vulnerability exploited in assaults because the begin of the yr.
“Google is conscious that an exploit for CVE-2025-5419 exists within the wild,” the corporate warned in a safety advisory printed on Monday.
This high-severity vulnerability is brought on by an out-of-bounds learn and write weak spot in Chrome’s V8 JavaScript engine, reported one week in the past by Clement Lecigne and Benoît Sevens of Google’s Risk Evaluation Group.
Google says the problem was mitigated someday later by a configuration change the corporate pushed to the Secure channel throughout all Chrome platforms.
On Monday, it additionally mounted the zero-day with the discharge of 137.0.7151.68/.69 for Home windows/Mac and 137.0.7151.68 for Linux, variations which are rolling out to customers within the Secure Desktop channel over the approaching weeks.
Whereas Chrome will robotically replace when new safety patches can be found, customers can pace up the method by going to the Chrome menu > Assist > About Google Chrome, letting the replace end, and clicking the ‘Relaunch’ button to put in it instantly.
Whereas Google has already confirmed that CVE-2025-5419 is being exploited within the wild, the corporate is not going to share further info concerning these assaults till extra customers have patched their browsers.
“Entry to bug particulars and hyperlinks could also be stored restricted till a majority of customers are up to date with a repair,” Google stated. “We may also retain restrictions if the bug exists in a 3rd celebration library that different tasks equally depend upon, however have not but mounted.”
That is Google’s third Chrome zero-day vulnerability because the begin of the yr, with two extra patched in March and Might.
The primary, a high-severity sandbox escape flaw (CVE-2025-2783) found by Kaspersky’s Boris Larin and Igor Kuznetsov, was used to deploy malware in espionage assaults focusing on Russian authorities organizations and media retailers.
The corporate launched one other set of emergency safety updates in Might to patch a Chrome zero-day that would let attackers take over accounts following profitable exploitation.
Final yr, Google patched 10 zero-days that had been both demoed throughout the Pwn2Own hacking competitors or exploited in assaults.
Guide patching is outdated. It is gradual, error-prone, and hard to scale.
Be part of Kandji + Tines on June 4 to see why outdated strategies fall brief. See real-world examples of how trendy groups use automation to patch quicker, minimize danger, keep compliant, and skip the advanced scripts.
