Google Patches New Chrome Zero-Day Bug Exploited in Attacks
Google has released an emergency security update to fix the third Chrome zero-day vulnerability exploited in attacks since the start of the year. The high-severity vulnerability, caused by an out-of-bounds read and write weakness in Chrome's V8 JavaScript engine, was reported by Google's Threat Analysis Group just one week ago.
"Google is aware that an exploit for CVE-2025-5419 exists in the wild," the company warned in a security advisory published on Monday. This warning comes as Google takes proactive steps to address the vulnerability and protect its users from potential attacks.
Background on the Vulnerability
The CVE-2025-5419 vulnerability is a result of an out-of-bounds read and write weakness in Chrome's V8 JavaScript engine. According to Google, this issue was discovered by Clement Lecigne and Benoît Sevens, members of Google's Threat Analysis Group.
Google's Response
In response to the discovery, Google pushed a configuration change to the Stable channel across all Chrome platforms one day after the report, which mitigated the issue. Fully fixing the zero-day, however, took another update – version 137.0.7151.68/.69 for Windows/Mac and Linux.
These updates are now rolling out to users in the Stable Desktop channel over the coming weeks. Chrome will automatically update when new security patches are available, but users can speed up the process by going through the browser's menu, clicking 'Help,' then 'About Google Chrome,' allowing the update to finish and then clicking 'Relaunch' to install it immediately.
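For anyone confirming that the update actually landed on a fleet, the check below (added example code, not from the article or from Google) compares reported Chrome versions numerically against the fixed build; it assumes 137.0.7151.68 as the minimum fixed build and a constructed `hostname,version` inventory format.

```python
# Added example, not from the article or from Google: flag Chrome installs
# still below the build that fully fixes CVE-2025-5419. Assumptions: the
# minimum fixed build is 137.0.7151.68 (the article gives .68/.69) and the
# "hostname,version" inventory format is constructed for this example.
from typing import List, Tuple

FIXED_VERSION = "137.0.7151.68"

def parse_version(version: str) -> Tuple[int, ...]:
    """Split a dotted Chrome version into ints so it compares numerically.
    137.0.7151.9 must sort below 137.0.7151.68; comparing the raw strings
    gets that backwards because "9" > "6" character by character."""
    parts = version.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected Chrome version format: {version!r}")
    return tuple(int(p) for p in parts)

def is_patched(version: str, fixed: str = FIXED_VERSION) -> bool:
    return parse_version(version) >= parse_version(fixed)

def hosts_needing_update(inventory: str) -> List[str]:
    """Return hosts whose Chrome is below the fixed build. Blank lines and
    '#' comments are skipped; an unparseable version is reported as well,
    so a missing or garbled field never hides a stale install."""
    needing = []
    for line in inventory.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, _, version = line.partition(",")
        try:
            if not is_patched(version):
                needing.append(host.strip())
        except ValueError:
            needing.append(host.strip())
    return needing

# Constructed sample inventory; hostnames and versions are made up.
SAMPLE_INVENTORY = """\
# hostname,chrome_version
ws-01,137.0.7151.68
ws-02,137.0.7151.69
ws-03,137.0.7151.55
ws-04,137.0.7151.9
ws-05,unknown
"""

if __name__ == "__main__":
    for host in hosts_needing_update(SAMPLE_INVENTORY):
        print(f"{host}: update Chrome to {FIXED_VERSION} or later")
```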
Exploitation in the Wild
Google has confirmed that CVE-2025-5419 is being exploited in the wild. Details regarding these attacks remain limited, and Google says it will not share additional information until more users have patched their browsers with a fix.
"Access to bug details and links may be kept restricted until a majority of users are updated with a fix," Google said. "We will also retain restrictions if the bug exists in a third-party library that other projects similarly depend on, but haven't yet fixed." This measure aims to limit further attacks while more users patch their browsers.
Recent Zero-Day Vulnerabilities
This is Google's third Chrome zero-day vulnerability since the start of the year. The other two were patched in March and May. The March fix addressed a high-severity sandbox escape flaw (CVE-2025-2783) discovered by Kaspersky's Boris Larin and Igor Kuznetsov, which was used to deploy malware in espionage attacks targeting Russian government organizations and media outlets.
The May fix addressed a Chrome zero-day that could let attackers take over accounts following successful exploitation. In total, Google patched 10 zero-days last year that were either demoed during the Pwn2Own hacking competition or exploited in attacks.
The Need for Modern Patch Management
Manual patch management is an outdated approach to security updates. It's slow, error-prone, and difficult to scale. As cybersecurity threats continue to evolve, modern teams require automation-based solutions to keep their browsers up-to-date quickly and efficiently.
Join Kandji + Tines on June 4 to see why old methods fall short. See real-world examples of how modern teams use automation to patch faster, cut risk, stay compliant, and skip the complex scripts. The future of cybersecurity requires proactive and efficient strategies – it's time for IT teams to adopt a more streamlined approach.