Google patches third zero-day flaw in Chrome this year
Wednesday, June 4, 2025, 00:13, by ComputerWorld
The Google Chrome team issued an update to fix a high-severity vulnerability that is being actively exploited in the wild. The issue was also mitigated by a configuration change pushed out last Thursday to users of the stable Chrome version, which didn’t require a browser update.
Google Chrome exploits are highly valuable commodities on the black and gray markets with prices reaching hundreds of thousands of dollars. That’s because Chrome is one of the most hardened browsers and it uses process sandboxes to add additional hurdles to attackers. Bypassing all those defenses and achieving remote code execution on a system through Chrome usually requires chaining multiple vulnerabilities together.

Third Chrome zero-day this year

That said, CVE-2025-5419, which was patched Monday in Chrome 137.0.7151.68/.69 for Windows and Mac and 137.0.7151.68 for Linux, is the third zero-day flaw fixed in Chrome this year. The other two, CVE-2025-2783 and CVE-2025-4664, were fixed in March and May, respectively. This highlights the elevated interest that hackers have in compromising Chrome users, despite the difficulty.

The new flaw was reported to the Chrome team by members of Google’s Threat Analysis Group, which is primarily responsible for defending Google infrastructure and users against government-backed attacks. This suggests the vulnerability was likely discovered in the wild, though details haven’t been released yet.

The vulnerability is rated as high severity, which indicates it can’t lead to remote code execution on the underlying OS on its own and likely must be combined with another flaw to do so. Otherwise, the flaw would have been rated critical.

Vulnerability in the JavaScript engine

The Chrome team described the vulnerability as an out-of-bounds memory read and write in V8, which is Chrome’s JavaScript and WebAssembly engine. The open-source V8 engine is used in other projects as well, including the Node.js runtime. Because the engine is designed to interpret and execute JavaScript and WebAssembly code, the vulnerability can likely be triggered remotely by users simply visiting web pages that load maliciously crafted code.
“Access to bug details and links may be kept restricted until a majority of users are updated with a fix,” Google said in its advisory. “We will also retain restrictions if the bug exists in a third-party library that other projects similarly depend on, but haven’t yet fixed.”

Aside from CVE-2025-5419, the new Chrome update also fixes a medium-severity use-after-free memory bug in Blink, the browser’s rendering engine. This vulnerability was privately reported by a researcher who received a $1,000 bounty for it.

The Chrome browser has an automatic update mechanism, but users who haven’t received it yet and want to prompt the update manually can access the Help > About Google Chrome menu to trigger an update check.
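To confirm the fix has reached a fleet of machines, reported Chrome builds can be compared against the fixed versions quoted above. The following is an added example, not part of the original article or Google's advisory; the host names and inventory rows are constructed, and it assumes stable-channel version strings in the four-part form Chrome reports.

```python
import re

# Fixed stable builds for CVE-2025-5419 as quoted in the article.
# Windows/Mac shipped .68/.69, so .68 is the lowest patched build everywhere.
FIXED_BUILD = {
    "windows": (137, 0, 7151, 68),
    "mac": (137, 0, 7151, 68),
    "linux": (137, 0, 7151, 68),
}

VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\.(\d+)\b")


def parse_version(text):
    """Extract a four-part Chrome version from free text, or None."""
    match = VERSION_RE.search(text or "")
    return tuple(int(part) for part in match.groups()) if match else None


def classify(platform, version_text):
    """Return 'patched', 'outdated' or 'unknown' for one installation."""
    fixed = FIXED_BUILD.get(platform.lower())
    version = parse_version(version_text)
    if fixed is None or version is None:
        return "unknown"  # unrecognised platform or unparseable version
    # Tuple comparison orders versions numerically, field by field.
    return "patched" if version >= fixed else "outdated"


def audit(inventory):
    """Map each host to its status; inventory rows are (host, platform, version)."""
    return {host: classify(platform, text) for host, platform, text in inventory}


# Constructed sample inventory (hypothetical hosts, not real data).
SAMPLE_INVENTORY = [
    ("ws-001", "windows", "137.0.7151.69"),
    ("ws-002", "windows", "137.0.7151.55"),
    ("mac-014", "mac", "Google Chrome 136.0.7103.114"),
    ("lnx-007", "linux", "Google Chrome 137.0.7151.68 "),
    ("lnx-009", "linux", "138.0.7204.10"),
    ("kiosk-3", "chromeos", "137.0.7151.68"),
    ("ws-003", "windows", "not installed"),
]

if __name__ == "__main__":
    for host, status in audit(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

Builds on other release channels carry different version numbers, so treat an "outdated" or "unknown" result as a prompt to check that host rather than as proof of exposure.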
https://www.csoonline.com/article/4001153/google-patches-third-zero-day-flaw-in-chrome-this-year.htm