Google on Monday released a Chrome 137 update that addresses three vulnerabilities, including a high-severity bug exploited in the wild.
Tracked as CVE-2025-5419, the zero-day is described as an out-of-bounds read and write issue in the V8 JavaScript engine.
“Google is aware that an exploit for CVE-2025-5419 exists in the wild,” the internet giant’s advisory reads. No further details on the security defect or the exploit have been provided.
However, the company credited Clement Lecigne and Benoît Sevens of Google Threat Analysis Group (TAG) for reporting the issue.
TAG researchers have previously reported multiple vulnerabilities exploited by commercial surveillance software vendors, including such bugs in Chrome. Flaws in Google’s browser are often exploited by spyware vendors, and CVE-2025-5419 could be no different.
According to a NIST advisory, the exploited zero-day “allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page”. It should be noted that the exploitation of out-of-bounds read and write defects in V8 often leads to arbitrary code execution inside the renderer process; because the renderer is sandboxed, full system compromise typically requires chaining such a bug with a separate sandbox escape.
The latest browser update also addresses CVE-2025-5068, a medium-severity use-after-free in Blink that earned the reporting researcher a $1,000 bug bounty. No reward will be handed out for the zero-day, which was reported by Google’s own researchers.
The latest Chrome iteration is now rolling out as version 137.0.7151.68/.69 for Windows and macOS, and as version 137.0.7151.68 for Linux.
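As a practical check to go with the version numbers above, the following script (added here; it is not code from Google or from the article) compares a reported Chrome version against the minimum fixed build. Versions must be compared segment by segment as integers rather than as strings, otherwise a build such as 137.0.7151.9 would wrongly sort after 137.0.7151.68. The `FIXED_VERSION` constant is taken from the article’s build number; the host names and inventory lines are constructed sample data and an assumption of this example, not anything the article reports.

```python
import re
from typing import Dict, List, Optional, Tuple

# Minimum Chrome build that carries the fix for CVE-2025-5419, per the
# release note cited in the article (137.0.7151.68; Windows/macOS may show .69).
FIXED_VERSION: Tuple[int, int, int, int] = (137, 0, 7151, 68)

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")


def parse_chrome_version(text: str) -> Optional[Tuple[int, ...]]:
    """Extract a four-part Chrome version from text such as
    'Google Chrome 137.0.7151.55' (the shape of `google-chrome --version`).
    Returns a tuple of ints so that comparisons are numeric per segment:
    as strings, "137.0.7151.9" > "137.0.7151.68" because '9' > '6'."""
    match = _VERSION_RE.search(text)
    if match is None:
        return None
    return tuple(int(part) for part in match.groups())


def is_patched(version_text: str, fixed: Tuple[int, ...] = FIXED_VERSION) -> bool:
    """True if the reported version is at or above the fixed build.
    Unparseable input (no Chrome found, garbage output) fails closed."""
    version = parse_chrome_version(version_text)
    if version is None:
        return False
    return version >= fixed


# Constructed sample inventory (hypothetical hosts and version strings),
# in the form an endpoint-management export or `--version` run might give.
SAMPLE_INVENTORY: Dict[str, str] = {
    "host-a": "Google Chrome 137.0.7151.68",   # exactly the fixed build
    "host-b": "Google Chrome 137.0.7151.69",   # Windows/macOS variant of the fix
    "host-c": "Google Chrome 137.0.7151.55",   # earlier 137 build, unpatched
    "host-d": "Google Chrome 136.0.7103.113",  # previous major, unpatched
    "host-e": "Google Chrome 137.0.7151.9",    # string-compares as newer, is older
    "host-f": "not installed",                 # unparseable, fail closed
}


def unpatched_hosts(inventory: Dict[str, str]) -> List[str]:
    """Hosts whose reported Chrome version is below the fixed build."""
    return sorted(host for host, line in inventory.items() if not is_patched(line))


if __name__ == "__main__":
    for host in unpatched_hosts(SAMPLE_INVENTORY):
        print(f"{host}: {SAMPLE_INVENTORY[host]!r} -> needs update to 137.0.7151.68 or later")
```

Treating a missing or unparseable version as unpatched is deliberate: a fleet check that silently skips hosts it cannot read would hide exactly the machines most likely to be behind.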
The patch for CVE-2025-5419 comes after a Chrome sandbox escape (CVE-2025-2783) exploited by a Russian state-sponsored group was caught and patched in March. Firefox was also patched against a similar vulnerability.
In mid-May, Google released a Chrome 136 update and warned that an exploit for one of the addressed bugs existed in the wild. The patch came roughly one week after a security researcher had released information on the flaw on X.
Related: Chrome 137, Firefox 139 Patch High-Severity Vulnerabilities
Related: Chrome to Distrust Chunghwa Telecom and Netlock Certificates
Related: Chrome 136 Update Patches Vulnerability With ‘Exploit in the Wild’
Related: Google Tracked 75 Zero-Days in 2024