New Chrome Zero-Day Actively Exploited; Google Issues Emergency Out-of-Band Patch - The Hacker News
Ravie Lakshmanan | Jun 03, 2025 | Browser Security / Vulnerability
Google on Monday released out-of-band fixes to address three security issues in its Chrome browser, including one that it said has come under active exploitation in the wild.
The high-severity flaw is being tracked as CVE-2025-5419 (CVSS score: 8.8), and has been flagged as an out-of-bounds read and write vulnerability in the V8 JavaScript and WebAssembly engine.
"Out-of-bounds read and write in V8 in Google Chrome prior to 137.0.7151.68 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page," reads the description of the bug on NIST's National Vulnerability Database (NVD).
Google credited Clement Lecigne and Benoît Sevens of Google Threat Analysis Group (TAG) with discovering and reporting the flaw on May 27, 2025. It also noted that the issue was addressed the next day by pushing out a configuration change to the Stable version of the browser across all platforms.
As is customary, the advisory is light on details regarding the nature of the attacks leveraging the vulnerability or the identity of the threat actors perpetrating them. This is done to ensure that a majority of users are updated with a fix and to prevent other bad actors from joining the exploitation bandwagon.
"Google is aware that an exploit for CVE-2025-5419 exists in the wild," the tech giant acknowledged.
CVE-2025-5419 is the second actively exploited zero-day to be patched by Google this year after CVE-2025-2783 (CVSS score: 8.3), which was identified by Kaspersky as being weaponized in attacks targeting organizations in Russia.
Users should upgrade to Chrome version 137.0.7151.68/.69 for Windows and macOS, and version 137.0.7151.68 for Linux to safeguard against potential threats. Users of Chromium-based browsers such as Microsoft Edge, Brave, Opera, and Vivaldi are also advised to apply the fixes as and when they become available.
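To check an inventory against the fixed build named above, the following added example (not from the article or from Google) classifies browser version strings as patched or vulnerable for CVE-2025-5419. The `Product x.y.z.w` line format, the hostnames and the sample versions are assumptions constructed for illustration.

```python
import re

# Fixed build from the article / NVD description: "prior to 137.0.7151.68".
FIXED = (137, 0, 7151, 68)

# Assumed input format: a product name followed by a four-part version.
VERSION_RE = re.compile(r"^(?P<product>.+?)\s+(?P<ver>\d+\.\d+\.\d+\.\d+)\b")


def parse(line):
    """Return (product, version_tuple) or None if the line is not parseable."""
    m = VERSION_RE.match(line.strip())
    if not m:
        return None
    return m.group("product"), tuple(int(p) for p in m.group("ver").split("."))


def status(line):
    """Classify a line as 'patched', 'vulnerable', 'check-vendor' or 'unparsed'."""
    parsed = parse(line)
    if parsed is None:
        return "unparsed"
    product, version = parsed
    # Only Google Chrome shares this build numbering. Other Chromium-based
    # browsers ship their own version strings, so defer to the vendor advisory.
    if product != "Google Chrome":
        return "check-vendor"
    # Compare as integer tuples: as strings, "137.0.7151.9" sorts after "137.0.7151.68".
    return "patched" if version >= FIXED else "vulnerable"


# Constructed sample inventory (hostnames and versions are made up).
INVENTORY = {
    "ws-001": "Google Chrome 137.0.7151.68",
    "ws-002": "Google Chrome 137.0.7151.9",
    "ws-003": "Google Chrome 136.0.7103.114",
    "ws-004": "Microsoft Edge 137.0.3296.52",
    "ws-005": "chrome: command not found",
}


def report(inventory):
    return {host: status(line) for host, line in inventory.items()}


if __name__ == "__main__":
    for host, result in report(INVENTORY).items():
        print(f"{host}\t{result}")
```

Hosts reported as `check-vendor` or `unparsed` need manual follow-up rather than being treated as safe.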