
Emergency Chrome Update to Address Actively Exploited Zero-Day Vulnerability

Google Chrome Update

Google has issued an urgent out-of-band security update for Chrome users worldwide, addressing a critical zero-day vulnerability that cybercriminals are actively exploiting in real-world attacks. The emergency patch, released Monday, fixes three security flaws, with one posing an immediate threat to user safety.

The most serious vulnerability, designated CVE-2025-5419, carries a high CVSS severity score of 8.8 and is an "out-of-bounds read and write" flaw in V8, Chrome's JavaScript engine.

An out-of-bounds read or write occurs when code reads from or writes to memory outside the buffer it was meant to access. In a JavaScript engine, an attacker who can trigger such an access from a web page can corrupt the browser's memory and potentially run code of their choosing, which can lead to complete system compromise.

According to the National Vulnerability Database, this flaw "allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page."

In practical terms, this means cybercriminals can create specially designed web pages that, when visited by unsuspecting users, can execute malicious code on their computers without any user interaction beyond simply loading the page.

The vulnerability was discovered and reported on May 27 by researchers Clement Lecigne and Benoît Sevens from Google's own Threat Analysis Group. Demonstrating the severity of the situation, Google implemented a configuration change to address the issue within 24 hours of discovery, followed by a comprehensive patch release.

Active Exploitation Confirmed

Google has confirmed that "an exploit for CVE-2025-5419 exists in the wild," meaning cybercriminals are already using this vulnerability to attack real users. However, following standard security disclosure practices, Google has withheld specific details about the attack methods and perpetrators to prevent additional bad actors from exploiting the flaw while users update their browsers.

This marks the second actively exploited Chrome zero-day vulnerability patched this year, following CVE-2025-2783, which targeted organizations in Russia. The pattern suggests sophisticated threat actors are increasingly focusing on browser vulnerabilities as attack vectors.

Immediate Action Required

Chrome users must immediately update to version 137.0.7151.68/.69 for Windows and macOS, or version 137.0.7151.68 for Linux. 

Users can check their version by accessing Chrome's menu and selecting "About Google Chrome," which will automatically check for and install available updates. Users of Chromium-based browsers, including Microsoft Edge, Brave, Opera, and Vivaldi, should also apply security updates as they become available from their respective vendors.
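For administrators who track many installs rather than a single browser, an added example (not from the article) that applies the version threshold above to an inventory export; the hostnames and version strings are constructed.

```python
"""Flag Chrome installs that predate the build fixing CVE-2025-5419 (added example)."""
import re
from typing import NamedTuple, Optional, Tuple

# Minimum fixed build from the advisory: 137.0.7151.68. The Windows/macOS
# ".69" build is the same fixed release, so "at least .68" covers every platform.
FIXED_VERSION = (137, 0, 7151, 68)

# Matches the 4-part version in "Google Chrome 137.0.7151.68" (chrome --version)
# and in bare version strings exported by inventory or endpoint-management tools.
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")

class HostStatus(NamedTuple):
    host: str
    version: Optional[Tuple[int, ...]]
    vulnerable: Optional[bool]   # None when the version could not be parsed

def parse_version(text: str) -> Optional[Tuple[int, ...]]:
    """Return the version as an int tuple so it compares numerically, or None."""
    m = _VERSION_RE.search(text)
    return tuple(int(p) for p in m.groups()) if m else None

def is_vulnerable(version: Tuple[int, ...], fixed=FIXED_VERSION) -> bool:
    """True when the installed build is older than the fix.
    Tuple comparison avoids the classic string-compare bug, where
    "137.0.7151.9" would wrongly sort after "137.0.7151.68"."""
    return version < fixed

def check_inventory(lines):
    """lines are 'hostname<TAB>version text'; unparseable versions are reported as None."""
    results = []
    for line in lines:
        host, _, ver_text = line.partition("\t")
        ver = parse_version(ver_text)
        results.append(HostStatus(host, ver, None if ver is None else is_vulnerable(ver)))
    return results

# Constructed sample inventory (hostnames and versions are not real data).
SAMPLE_INVENTORY = [
    "ws-01\tGoogle Chrome 137.0.7151.68",   # fixed build
    "ws-02\tGoogle Chrome 137.0.7151.69",   # fixed build (Windows/macOS variant)
    "ws-03\tGoogle Chrome 136.0.7103.114",  # earlier branch, needs update
    "ws-04\tGoogle Chrome 137.0.7151.55",   # same branch, earlier build, needs update
    "ws-05\tversion unknown",               # parse failure, needs manual check
]

if __name__ == "__main__":
    for r in check_inventory(SAMPLE_INVENTORY):
        state = "UNKNOWN" if r.vulnerable is None else ("UPDATE" if r.vulnerable else "ok")
        print(f"{r.host}: {state} {r.version}")
```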
