Google fixed the second actively exploited Chrome zero-day since the start of the year
Google addressed three vulnerabilities in its Chrome browser, including one that it actively exploited in attacks in the wild. Google released out-of-band updates to address three vulnerabilities in its Chrome browser, including one, tracked as CVE-2025-5419, that is actively exploited in the wild. The vulnerability is an out-of-bounds read and write in the V8 JavaScript […]
Google addressed three vulnerabilities in its Chrome browser, including one that it actively exploited in attacks in the wild.
Google released out-of-band updates to address three vulnerabilities in its Chrome browser, including one, tracked as CVE-2025-5419, that is actively exploited in the wild.
The vulnerability is an out-of-bounds read and write in the V8 JavaScript engine in Google Chrome prior. An attacker can exploit the flaw to trigger a heap corruption via a crafted HTML page.
Clement Lecigne and Benoît Sevens of Google Threat Analysis Group reported the vulnerability on May 27, 2025. The IT giant addressed the issue the day after, on May 28, 2025, with a configuration update applied to all Chrome Stable platforms.
“Google is aware that an exploit for CVE-2025-5419 exists in the wild.” reads the advisory.
Chrome Stable is updated to version 137.0.7151.68/.69 for Windows and Mac, and 137.0.7151.68 for Linux, rolling out in the coming days.
As usual, the company did not disclose technical details about the attack that exploited this issue.
Google also addressed a medium-severity flaw, tracked as CVE-2025-5068, which is a use-after-free issue in the Blink rendering engine. Walkman reported the flaw on April 7, 2025.
In March 2025, Google released other out-of-band fixes to address the first actively exploited Chrome zero-day since the start of the year. The flaw is a high-severity security vulnerability, tracked as CVE-2025-2783, in the Chrome browser for Windows.
The vulnerability is an incorrect handle provided in unspecified circumstances in Mojo on Windows. Kaspersky researchers Boris Larin (@oct0xor) and Igor Kuznetsov (@2igosha) reported the vulnerability on March 20, 2025. Kaspersky researchers reported that the flaw was actively exploited in attacks targeting organizations in Russia.
Mojo is Google’s IPC library for Chromium-based browsers, managing sandboxed processes for secure communication. On Windows, it enhances Chrome’s security, but past vulnerabilities have enabled sandbox escapes and privilege escalation.
Google did not share details about the attacks that exploited this vulnerability or the identity of the threat actors behind them.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, Chrome browser)
