Jie Run Hong Yuan

Cybersecurity Alert

Google Chrome zero-day vulnerability is widely exploited, allowing arbitrary code execution

Author: 杰润鸿远 (Jie Run Hong Yuan)   Release Time: 2025-06-11

Google has released an emergency security update for Chrome after confirming that attackers are actively exploiting a high-severity zero-day vulnerability. The bug, tracked as CVE-2025-5419, is an out-of-bounds read and write in V8, Chrome's JavaScript engine. A crafted web page that triggers it can corrupt the renderer's memory and, from there, execute arbitrary code on the victim's machine.

Emergency Security Update Released

Google has pushed Chrome 137.0.7151.68/.69 to Windows and Mac users, and 137.0.7151.68 to Linux. The update is rolled out in stages, so it may take days or weeks to reach every installation automatically. Google rates the bug High severity and states in the release notes that it "is aware that an exploit for CVE-2025-5419 exists in the wild", which is the signal that users should not wait for the staged rollout.

Technical Details of the Vulnerability

The vulnerability was discovered and reported on May 27, 2025, by Clement Lecigne and Benoît Sevens from Google's Threat Analysis Group (TAG). It stems from a memory corruption issue in V8, Chrome's JavaScript and WebAssembly engine responsible for processing code from websites and web applications.


Out-of-bounds memory access bugs are particularly dangerous: an out-of-bounds read lets an attacker leak data outside the intended buffer (for example object pointers, which defeat address-space layout randomization), and an out-of-bounds write lets the attacker overwrite adjacent memory, which is the usual path from a V8 bug to code execution in the renderer process. Because of the severity, Google pushed a configuration change to the Stable channel on all Chrome platforms on May 28, 2025, one day after the report, to blunt the in-the-wild exploit before the patched build shipped. That server-side mitigation is a stopgap, not a replacement for installing the fixed version.

Medium-Severity Vulnerability Fixed Concurrently

This security update also addresses a second vulnerability, CVE-2025-5068, a use-after-free defect in Chrome's rendering engine Blink. Security researcher Walkman reported this medium-severity vulnerability on April 7, 2025, for which Google awarded a $1,000 bug bounty. While less severe than the zero-day, use-after-free vulnerabilities can still cause memory corruption and potential code execution.

Google's Security Protection Mechanisms

Google adheres to a policy of restricting access to detailed vulnerability information until most users have updated their browsers. This prevents bad actors from reverse-engineering patches to develop new exploit code while users still use vulnerable versions. Google credits its comprehensive security testing infrastructure—employing advanced tools like AddressSanitizer, MemorySanitizer, UndefinedBehaviorSanitizer, Control Flow Integrity, libFuzzer, and AFL—for identifying most issues before they reach stable releases.

User Response Recommendations

Chrome users should update immediately via "Settings > About Chrome" (chrome://settings/help), which forces Chrome to download and install the latest version instead of waiting for the staged rollout. Note that the update only takes effect after Chrome is relaunched; a browser that has downloaded the update but is still running the old process remains vulnerable until restarted. After relaunching, confirm that the version shown is 137.0.7151.68 or later. Given the confirmed in-the-wild exploitation of CVE-2025-5419, enterprises should prioritize deploying and verifying this update across their fleets to prevent compromise through malicious or compromised websites targeting the zero-day.
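Verifying a single browser by hand is easy; verifying a fleet is where mistakes happen, usually because version strings get compared as text ("137.0.7151.7" sorts above "137.0.7151.68" lexically). The following script is an added example, not part of the original alert and not a Google tool. It assumes a constructed inventory of (hostname, platform, reported Chrome version) records such as an MDM or endpoint agent would export; the hostnames and versions are made up for illustration.

```python
"""Fleet check for CVE-2025-5419: flag Chrome installs below the fixed build.

Added example (not from the original alert). The inventory below is
constructed; hostnames and version strings are hypothetical.
"""
from __future__ import annotations

import re
from typing import NamedTuple

# Fixed builds from the Chrome stable update described in the alert:
# Windows/Mac shipped 137.0.7151.68 and .69, Linux shipped 137.0.7151.68.
# The lowest fixed build per platform is the threshold.
FIXED_VERSION = {
    "windows": (137, 0, 7151, 68),
    "mac": (137, 0, 7151, 68),
    "linux": (137, 0, 7151, 68),
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)$")


def parse_version(text: str) -> tuple[int, int, int, int]:
    """Parse a four-part Chrome version ("137.0.7151.68") into integers.

    Every component is compared numerically; a plain string comparison
    would wrongly rank "137.0.7151.7" above "137.0.7151.68".
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a Chrome version string: {text!r}")
    major, minor, build, patch = (int(g) for g in m.groups())
    return (major, minor, build, patch)


class Host(NamedTuple):
    hostname: str
    platform: str          # "windows", "mac" or "linux"
    chrome_version: str    # as reported by the endpoint agent


def is_patched(version: str, platform: str) -> bool:
    """True if this Chrome build contains the CVE-2025-5419 fix.

    Raises ValueError for a malformed version and KeyError for an
    unrecognised platform so the caller cannot silently treat them as safe.
    """
    threshold = FIXED_VERSION[platform.lower()]
    return parse_version(version) >= threshold


def triage(inventory: list[Host]) -> dict[str, list[str]]:
    """Split the fleet into patched, vulnerable and unknown hosts.

    "unknown" collects hosts whose version could not be evaluated; they
    need a manual look rather than being assumed patched.
    """
    result: dict[str, list[str]] = {"patched": [], "vulnerable": [], "unknown": []}
    for host in inventory:
        try:
            bucket = "patched" if is_patched(host.chrome_version, host.platform) else "vulnerable"
        except (ValueError, KeyError):
            bucket = "unknown"
        result[bucket].append(host.hostname)
    return result


# Constructed sample inventory (hypothetical hosts and version strings).
SAMPLE_INVENTORY = [
    Host("win-fin-01", "windows", "137.0.7151.69"),   # fixed build: patched
    Host("win-fin-02", "windows", "136.0.7103.114"),  # older major: vulnerable
    Host("mac-eng-07", "mac", "137.0.7151.55"),       # 137 but pre-fix build: vulnerable
    Host("lin-build-3", "linux", "137.0.7151.68"),    # exactly the fixed build: patched
    Host("lin-build-4", "linux", "138.0.7204.49"),    # later build: patched
    Host("kiosk-9", "windows", "unknown"),            # agent could not read the version
]

if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket:10s} {', '.join(hosts) or '-'}")
```

Two caveats when running this against real data. A version at or above the threshold proves that the installed binary is updated, not that the running process is: Chrome only switches to the new build on relaunch, so pair this check with an uptime or "pending relaunch" signal from the agent where available. And the thresholds above are Chrome's; other Chromium-based browsers pull the V8 fix into their own release numbering and need their own thresholds.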


Source: https://www.freebuf.com/
Thanks to [Gy0un]


Tag: External Consultation Security Intelligence

Rooms 804 & 805, 8th Floor, No. 69 Xibalizhuang Road, Haidian District, Beijing

010-68213797

Monday to Friday, 9:30 AM - 5:00 PM (GMT+8)

Copyright 2025 - 杰润鸿远(北京)科技有限公司
京ICP备17028264号
京公网安备 11010802035508号