Full Report
Google on Monday released out-of-band fixes to address three security issues in its Chrome browser, including one that it said has come under active exploitation in the wild. The high-severity flaw is being tracked as CVE-2025-5419, and has been flagged as an out-of-bounds read and write vulnerability in the V8 JavaScript and WebAssembly engine. "Out of bounds read and write in V8 in Google
Analysis Summary
# Vulnerability: Chrome V8 Engine Out-of-Bounds Read/Write Zero-Day
## CVE Details
- CVE ID: CVE-2025-5419
- CVSS Score: Not specified (Implied High/Critical due to active exploitation)
- CWE: Out-of-bounds Read/Write (Implicated by description)
## Affected Systems
- Products: Google Chrome
- Versions: Prior to 137.0.7151.68 (for Windows/macOS) and prior to 137.0.7151.68 (for Linux)
- Configurations: Any system with a vulnerable version of Chrome installed. Users of Chromium-based browsers are also advised to update.
## Vulnerability Description
The vulnerability is an Out-of-Bounds Read and Write flaw residing in the V8 JavaScript and WebAssembly engine within Google Chrome. A remote attacker can exploit this vulnerability by crafting a malicious HTML page. Successful exploitation could lead to heap corruption, potentially allowing the attacker to execute arbitrary code or cause a denial of service.
## Exploitation
- Status: Actively exploited in the wild
- Complexity: Unknown (but the impact is high, and active exploitation suggests the complexity is manageable for threat actors)
- Attack Vector: Network (via crafted HTML page)
## Impact
- Confidentiality: Potential
- Integrity: Potential (via heap corruption)
- Availability: Potential (via crashes/DoS)
*(Note: Specific impact levels were not detailed, but are inferred based on the nature of heap corruption in a browser engine.)*
## Remediation
### Patches
- Google Chrome version **137.0.7151.68** for Windows and macOS.
- Google Chrome version **137.0.7151.68** for Linux.
### Workarounds
- No specific workarounds were mentioned; immediate patching is highly recommended due to active exploitation.
## Detection
- **Indicators of Compromise:** Not detailed in the summary, but look for unusual process behavior stemming from Chrome or indicators of memory corruption exploits.
- **Detection methods and tools:** Utilize endpoint detection and response (EDR) tools capable of monitoring memory access violations or unusual V8 engine activity, though signature-based detection for this brand-new exploit might be lacking initially.
## References
- Vendor Advisory (Google Chrome Stable Channel Update): hxxps://chromereleases.googleblog.com/2025/06/stable-channel-update-for-desktop.html
- NIST NVD Entry: hxxps://nvd.nist.gov/vuln/detail/CVE-2025-5419