Article Details

Scrape Timestamp (UTC): 2025-06-03 19:33:22.195

Source: https://www.theregister.com/2025/06/03/google_chrome_zero_day_emergency_fix/

Original Article Text

Google quietly pushes emergency fix for Chrome 0-day as exploit runs wild

TAG team spotted the V8 bug first, so you can bet nation-states weren't far behind

Google revealed Monday that it had quietly deployed a configuration change last week to block active exploitation of a Chrome zero-day.

Google Threat Analysis Group (TAG) team members Clement Lecigne and Benoît Sevens spotted the high-severity bug, tracked as CVE-2025-5419, on May 27. It's an out-of-bounds read and write vulnerability in Chrome's V8 JavaScript engine that could allow a remote attacker to corrupt memory and potentially hijack execution via a booby-trapped HTML page. Attackers could use the exploit to expose sensitive data and/or execute arbitrary code and crash the user's machine.

"Google is aware that an exploit for CVE-2025-5419 exists in the wild," the advisory said, adding that "the issue was mitigated" the day after Lecigne and Sevens found the bug "by a configuration change pushed out to Stable across all Chrome platforms."

While we don't have any details about who is exploiting the security hole and for what purpose, the TAG team closely tracks spyware and nation-state gangs abusing zero days for espionage purposes.

As per usual, the Chocolate Factory keeps a tight lid on bug details until most of its users have updated their software with a fix. That patch landed on Monday with the release of Chrome 137.0.7151.68 and .69 for Windows and macOS, and 137.0.7151.68 for Linux, rolling out over the coming days and weeks.

The Monday Chrome update also patches a medium-severity, use-after-free flaw (CVE-2025-5068) in the open-source rendering engine Blink.

It's the latest in a growing parade of zero-days. Back in March, Google pushed an emergency patch to fix a zero-day in Chrome that was seemingly used to spy on Russian government agencies, journalists, and academics. That one, tracked as CVE-2025-2783, allowed remote snoops to escape Chrome's sandbox via a malicious file.

Kaspersky researchers found the March flaw being used in a phishing campaign targeting Russian victims using phony event invite lures.

"The vulnerability CVE-2025-2783 really left us scratching our heads, as, without doing anything obviously malicious or forbidden, it allowed the attackers to bypass Google Chrome's sandbox protection as if it didn't even exist," wrote Kaspersky researchers Igor Kuznetsov and Boris Larin.

Then in May, Google issued another emergency security update to fix another Chrome zero-day, insufficient policy enforcement in Loader, tracked as CVE-2025-4664. This one could be exploited by a remote attacker to bypass security policies in Chrome's Loader, allowing unauthorized code execution or sandbox escape.

The US Cybersecurity and Infrastructure Security Agency added CVE-2025-4664 to its catalog of Known Exploited Vulnerabilities shortly after.

Daily Brief Summary

CYBERCRIME // Google Deploys Urgent Fix for Chrome Zero-Day Exploit

Google implemented an urgent configuration change to block the active exploitation of a Chrome zero-day vulnerability identified as CVE-2025-5419.

The vulnerability, found in Chrome's V8 JavaScript engine, allows out-of-bounds memory read and write, potentially leading to data exposure or arbitrary code execution.

Google's Threat Analysis Group discovered the flaw on May 27, and the issue was mitigated the next day by a configuration change pushed to the Stable channel across all Chrome platforms.

The exploit was being used in the wild, though specific details about the attackers and their motives remain undisclosed.

The patch, which also resolves a medium-severity use-after-free flaw in the Blink engine (CVE-2025-5068), started rolling out in Chrome 137.0.7151.68 and .69 for Windows and macOS, and 137.0.7151.68 for Linux.

This zero-day is part of a series of recent urgent security updates by Google, including a March patch against CVE-2025-2783 used in espionage activities targeting Russian entities.

The US Cybersecurity and Infrastructure Security Agency added CVE-2025-4664, the Chrome zero-day fixed in May, to its catalog of Known Exploited Vulnerabilities.