Google Researchers Find New Chrome Zero-Day

Google Researchers Find New Chrome Zero-Day

Posted on By CWS

Google on Monday launched a recent Chrome 137 replace to deal with three vulnerabilities, together with a high-severity bug exploited within the wild.

Tracked as CVE-2025-5419, the zero-day is described as an out-of-bounds learn and write situation within the V8 JavaScript engine.

“Google is conscious that an exploit for CVE-2025-5419 exists within the wild,” the web big’s advisory reads. No additional particulars on the safety defect or the exploit have been supplied.

Nonetheless, the corporate credited Clement Lecigne and Benoît Sevens of Google Risk Evaluation Group (TAG) for reporting the difficulty.

TAG researchers beforehand reported a number of vulnerabilities exploited by business surveillance software program distributors, together with such bugs in Chrome. Flaws in Google’s browser are sometimes exploited by spyware and adware distributors and CVE-2025-5419 could possibly be no completely different.

In response to a NIST advisory, the exploited zero-day “allowed a distant attacker to doubtlessly exploit heap corruption through a crafted HTML web page”. It needs to be famous that the exploitation of out-of-bounds defects usually results in arbitrary code execution.

The newest browser replace additionally addresses CVE-2025-5068, a medium-severity use-after-free in Blink that earned the reporting researcher a $1,000 bug bounty. No reward will probably be handed out for the zero-day.

The newest Chrome iteration is now rolling out as model 137.0.7151.68/.69 for Home windows and macOS, and as model 137.0.7151.68 for Linux.Commercial. Scroll to proceed studying.

The patch for CVE-2025-5419 comes after a Chrome sandbox escape (CVE-2025-2783) exploited by a Russian state-sponsored group was caught and patched in March. Firefox too was patched in opposition to an analogous vulnerability.

In mid-Might, Google launched a Chrome 136 replace and warned that an exploit for one of many addressed bugs existed within the wild. The patch got here roughly one week after a safety researcher had launched info on the flaw on X.

Associated: Chrome 137, Firefox 139 Patch Excessive-Severity Vulnerabilities

Associated: Chrome to Mistrust Chunghwa Telecom and Netlock Certificates

Associated: Chrome 136 Replace Patches Vulnerability With ‘Exploit within the Wild’

Associated: Google Tracked 75 Zero-Days in 2024

Security Week News Tags:, , , ,

Related Posts

Chinese Spies Target Networking and Virtualization Flaws to Breach Isolated Environments Chinese Spies Target Networking and Virtualization Flaws to Breach Isolated Environments Security Week News
Google Agrees to .3 Billion Settlement in Texas Privacy Lawsuits Google Agrees to $1.3 Billion Settlement in Texas Privacy Lawsuits Security Week News
Chipmaker Patch Tuesday: Over 60 Vulnerabilities Patched by Intel Chipmaker Patch Tuesday: Over 60 Vulnerabilities Patched by Intel Security Week News
North Korea’s Fake Recruiters Feed Stolen Data to IT Workers North Korea’s Fake Recruiters Feed Stolen Data to IT Workers Security Week News
Mirai Botnets Exploiting Wazuh Security Platform Vulnerability  Mirai Botnets Exploiting Wazuh Security Platform Vulnerability  Security Week News
Vulnerability in Dolby Decoder Can Allow Zero-Click Attacks Vulnerability in Dolby Decoder Can Allow Zero-Click Attacks Security Week News