
Google patches new Chrome zero-day bug exploited in attacks

Google has released an emergency security update to fix the third Chrome zero-day vulnerability exploited in attacks since the start of the year.

“Google is aware that an exploit for CVE-2025-5419 exists in the wild,” the company warned in a security advisory published on Monday.

This high-severity vulnerability is caused by an out-of-bounds read and write weakness in Chrome’s V8 JavaScript engine, reported one week ago by Clement Lecigne and Benoît Sevens of Google’s Threat Analysis Group.

Google says the issue was mitigated one day later by a configuration change the company pushed to the Stable channel across all Chrome platforms.

On Monday, it also fixed the zero-day with the release of 137.0.7151.68/.69 for Windows/Mac and 137.0.7151.68 for Linux, versions that are rolling out to users in the Stable Desktop channel over the coming weeks.

While Chrome will automatically update when new security patches are available, users can speed up the process by going to the Chrome menu > Help > About Google Chrome, letting the update finish, and clicking the ‘Relaunch’ button to install it immediately.
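For administrators tracking the rollout across many machines, the fixed build numbers above can be checked against a software inventory. The following is an added example, not code from Google or from the original article; the hostnames and the inventory rows are constructed, and the function names are hypothetical. It compares versions numerically, because a plain string comparison misorders builds such as .103 and .68.

```python
import re

# Fixed Stable builds named in the article: 137.0.7151.68/.69 (Windows/Mac)
# and 137.0.7151.68 (Linux). The lowest fixed build is the threshold.
FIXED = (137, 0, 7151, 68)

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)$")


def parse_version(text):
    """Return a 4-tuple of ints, or None if text is not MAJOR.MINOR.BUILD.PATCH."""
    m = _VERSION_RE.match(text.strip())
    return tuple(int(p) for p in m.groups()) if m else None


def classify(version_text):
    """Return 'patched', 'needs_update' or 'unknown' relative to FIXED."""
    v = parse_version(version_text)
    if v is None:
        return "unknown"  # unparseable inventory data needs manual follow-up
    return "patched" if v >= FIXED else "needs_update"


def audit(inventory):
    """Group hostnames by status; inventory is an iterable of (host, version)."""
    report = {"patched": [], "needs_update": [], "unknown": []}
    for host, version_text in inventory:
        report[classify(version_text)].append(host)
    return {status: sorted(hosts) for status, hosts in report.items()}


# Constructed sample inventory (hostnames and rows are made up for illustration).
SAMPLE_INVENTORY = [
    ("win-01", "137.0.7151.69"),
    ("mac-02", "137.0.7151.68"),
    ("lin-03", "137.0.7151.55"),
    ("win-04", "136.0.7103.114"),
    ("lin-05", "137.0.7151.103"),  # newer build; string comparison would misorder it
    ("mac-06", "Version unavailable"),
]

if __name__ == "__main__":
    for status, hosts in audit(SAMPLE_INVENTORY).items():
        print(f"{status}: {', '.join(hosts) or '-'}")
```

A host reported as `needs_update` lacks the code fix; whether it has received the configuration-change mitigation cannot be determined from the version number alone.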


Chrome 137.0.7151.69

While Google has already confirmed that CVE-2025-5419 is being exploited in the wild, the company will not share additional information regarding these attacks until more users have patched their browsers.

“Access to bug details and links may be kept restricted until a majority of users are updated with a fix,” Google said. “We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven’t yet fixed.”

This is Google’s third Chrome zero-day vulnerability since the start of the year, with two more patched in March and May.

The first, a high-severity sandbox escape flaw (CVE-2025-2783) discovered by Kaspersky’s Boris Larin and Igor Kuznetsov, was used to deploy malware in espionage attacks targeting Russian government organizations and media outlets.

The company released another set of emergency security updates in May to patch a Chrome zero-day that could let attackers take over accounts following successful exploitation.

Last year, Google patched 10 zero-days that were either demoed during the Pwn2Own hacking competition or exploited in attacks.
