  • Google patches new Chrome zero-day bug exploited in attacks


    Karlston

    • 204 views
    • 3 minutes

    Google has released an emergency security update to fix the third Chrome zero-day vulnerability exploited in attacks since the start of the year.

     

    "Google is aware that an exploit for CVE-2025-5419 exists in the wild," the company warned in a security advisory published on Monday.

     

    This high-severity vulnerability is caused by an out-of-bounds read and write weakness in Chrome's V8 JavaScript engine, reported one week ago by Clement Lecigne and Benoît Sevens of Google's Threat Analysis Group.

     

    Google says the issue was mitigated one day later by a configuration change the company pushed to the Stable channel across all Chrome platforms.

     

    On Monday, it also fixed the zero-day with the release of 137.0.7151.68/.69 for Windows/Mac and 137.0.7151.68 for Linux, versions that are rolling out to users in the Stable Desktop channel over the coming weeks.

     

    While Chrome will automatically update when new security patches are available, users can speed up the process by going to the Chrome menu > Help > About Google Chrome, letting the update finish, and clicking the 'Relaunch' button to install it immediately.
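For administrators who need to confirm the fix across many machines rather than one browser at a time, the following added example (not part of the original article and not Google's code) checks reported Chrome versions against the fixed builds named above. The `host,platform,version` inventory format, the host names and the sample versions are constructed assumptions.

```python
import re

# Fixed Stable builds as stated in the article, per desktop platform.
FIXED_BUILD = {
    "windows": (137, 0, 7151, 68),
    "mac": (137, 0, 7151, 68),
    "linux": (137, 0, 7151, 68),
}
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")

def parse_version(text):
    """Return (major, minor, build, patch) as ints, or None if malformed."""
    match = VERSION_RE.fullmatch(text.strip())
    return tuple(int(part) for part in match.groups()) if match else None

def classify(platform, version_text):
    """'patched', 'outdated', or 'unknown' (unlisted platform / bad version)."""
    fixed = FIXED_BUILD.get(platform.strip().lower())
    version = parse_version(version_text)
    if fixed is None or version is None:
        return "unknown"
    # Tuple comparison is numeric per component; comparing the raw strings
    # would rank "137.0.7151.9" above "137.0.7151.68".
    return "patched" if version >= fixed else "outdated"

def audit(inventory_text):
    """Map host -> status for lines of the form 'host,platform,version'."""
    report = {}
    for line in inventory_text.strip().splitlines():
        fields = [field.strip() for field in line.split(",")]
        if len(fields) != 3:
            continue  # skip lines that are not host,platform,version
        host, platform, version = fields
        report[host] = classify(platform, version)
    return report

# Constructed sample inventory (hosts and installed versions are made up).
SAMPLE_INVENTORY = """
ws-001,Windows,137.0.7151.69
ws-002,Windows,137.0.7151.9
mac-001,Mac,137.0.7151.55
lin-001,Linux,137.0.7151.68
lin-002,Linux,136.0.7103.113
ws-003,Windows,137.0.7151
"""

if __name__ == "__main__":
    for host, status in audit(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

A host reported as `outdated` may still have received the configuration-change mitigation mentioned above; the version number alone does not show that.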

     

    Chrome 137.0.7151.69

     

    While Google has already confirmed that CVE-2025-5419 is being exploited in the wild, the company will not share additional information regarding these attacks until more users have patched their browsers.

     

    "Access to bug details and links may be kept restricted until a majority of users are updated with a fix," Google said. "We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven't yet fixed."

     

    This is Google's third Chrome zero-day vulnerability since the start of the year, with two more patched in March and May.

     

    The first, a high-severity sandbox escape flaw (CVE-2025-2783) discovered by Kaspersky's Boris Larin and Igor Kuznetsov, was used to deploy malware in espionage attacks targeting Russian government organizations and media outlets.

     

    The company released another set of emergency security updates in May to patch a Chrome zero-day that could let attackers take over accounts following successful exploitation.

     

    Last year, Google patched 10 zero-days that were either demoed during the Pwn2Own hacking competition or exploited in attacks.

     


