Full Report
Google has issued a security update for Chrome desktop to address CVE-2025-5419, which has a CVSS score of 8.8. It is a critical zero-day flaw in the V8 JavaScript engine that is actively exploited by attackers.
Analysis Summary
# Vulnerability: Actively Exploited Zero-Day in Chrome V8 JavaScript Engine
## CVE Details
- CVE ID: CVE-2025-5419
- CVSS Score: 8.8 (High)
- CWE: Out-of-bounds Read/Write (Inferred from description)
## Affected Systems
- Products: Google Chrome (Desktop)
- Versions: Prior to the patched versions listed below.
- Configurations: Any system running the vulnerable version of Chrome.
## Vulnerability Description
CVE-2025-5419 is a critical zero-day vulnerability residing within the V8 JavaScript and WebAssembly engine of Google Chrome. It is described as an out-of-bounds read and write issue. Successful exploitation through a maliciously crafted HTML page can lead to heap corruption, potentially allowing remote attackers to achieve arbitrary code execution within the context of the user's browser session.
## Exploitation
- Status: Exploited in the wild (Actively targeted by attackers)
- Complexity: Not explicitly stated, but high-severity zero-days often imply low to medium complexity for successful exploitation if public write-ups are withheld.
- Attack Vector: Network (via user visiting a malicious webpage)
## Impact
- Confidentiality: High (Potential for reading memory or user data)
- Integrity: High (Potential for executing arbitrary code)
- Availability: Medium (Crash/denial of service possible, overshadowed by RCE risk)
## Remediation
### Patches
Google released fixes specifically for the V8 engine flaw:
- Chrome Desktop (Windows/macOS): Update to version **137.0.7151.68** or **137.0.7151.69**.
- Chrome Desktop (Linux): Update to version **137.0.7151.68**.
- **Crucially**: Update other Chromium-based browsers, including Microsoft Edge, Brave, Opera, and Vivaldi, to their respective vendor-supplied patches.
### Workarounds
- No specific workarounds were provided in the advisory, but as this is an actively exploited zero-day, immediate patching is the primary defense. Temporarily restricting web browsing or isolating affected users until patching is complete serves as an emergency measure.
## Detection
- Indicators of compromise (IoCs) are not detailed, but monitoring for unusual process behavior originating from the Chrome renderer process (where V8 runs) following web navigation is recommended.
- Detection methods should focus on ensuring browser versions match the latest secure releases.
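The version check described above can be run over an endpoint inventory. The following is an added example, not code from the advisory or from Google. It assumes a hypothetical inventory of records with `host`, `os`, `browser` and `version` fields, and it takes the fixed builds from the Patches section. Versions are compared numerically, because a string comparison would rank `137.0.7151.9` above `137.0.7151.68`.

```python
import re

# Lowest patched build per platform, taken from the Patches section of this page.
FIXED = {
    "windows": (137, 0, 7151, 68),
    "macos": (137, 0, 7151, 68),
    "linux": (137, 0, 7151, 68),
}
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")

def parse_version(text):
    """Return a 4-int tuple from a string containing a Chrome version, or None."""
    m = VERSION_RE.search(text or "")
    return tuple(int(p) for p in m.groups()) if m else None

def classify(record):
    """Classify one inventory record as 'patched', 'vulnerable' or 'unknown'."""
    # Other Chromium-based browsers use vendor version numbers this page does not list.
    if record.get("browser", "").lower() != "chrome":
        return "unknown"
    fixed = FIXED.get(record.get("os", "").lower())
    version = parse_version(record.get("version"))
    if fixed is None or version is None:
        return "unknown"
    return "patched" if version >= fixed else "vulnerable"

def audit(inventory):
    """Group hostnames by classification."""
    result = {"patched": [], "vulnerable": [], "unknown": []}
    for rec in inventory:
        result[classify(rec)].append(rec["host"])
    return result

# Constructed sample inventory: hostnames and installed versions are illustrative only.
SAMPLE = [
    {"host": "ws-01", "os": "windows", "browser": "chrome", "version": "137.0.7151.69"},
    {"host": "ws-02", "os": "windows", "browser": "chrome", "version": "137.0.7151.9"},
    {"host": "mac-01", "os": "macos", "browser": "chrome", "version": "Google Chrome 136.0.0.1"},
    {"host": "lnx-01", "os": "linux", "browser": "chrome", "version": "Google Chrome 137.0.7151.68"},
    {"host": "ws-03", "os": "windows", "browser": "edge", "version": "1.2.3.4"},
    {"host": "ws-04", "os": "windows", "browser": "chrome", "version": ""},
]

if __name__ == "__main__":
    for status, hosts in audit(SAMPLE).items():
        print(f"{status}: {', '.join(hosts) or '-'}")
```

Hosts reported as `unknown` need manual follow-up: either the version could not be read, or the browser is a Chromium derivative whose fixed build must come from its own vendor.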
## References
- [cyberinsider.com/google-patches-actively-exploited-zero-day-in-chromes-v8-engine/](https://cyberinsider.com/google-patches-actively-exploited-zero-day-in-chromes-v8-engine/)
- [securityweek.com/google-researchers-find-new-chrome-zero-day/](https://www.securityweek.com/google-researchers-find-new-chrome-zero-day/)
- [thehackernews.com/2025/06/new-chrome-zero-day-actively-exploited.html](https://thehackernews.com/2025/06/new-chrome-zero-day-actively-exploited.html)