Google has released an emergency security update to fix the third Chrome zero-day vulnerability exploited in attacks since the start of the year.
“Google is aware that an exploit for CVE-2025-5419 exists in the wild,” the company warned in a security advisory published on Monday.
This high-severity vulnerability is caused by an out-of-bounds read and write weakness in Chrome’s V8 JavaScript engine, reported one week ago by Clement Lecigne and Benoît Sevens of Google’s Threat Analysis Group.
Google says the issue was mitigated one day later by a configuration change the company pushed to the Stable channel across all Chrome platforms.
On Monday, it also fixed the zero-day with the release of 137.0.7151.68/.69 for Windows/Mac and 137.0.7151.68 for Linux, versions that are rolling out to users in the Stable Desktop channel over the coming weeks.
While Chrome will automatically update when new security patches are available, users can speed up the process by going to the Chrome menu > Help > About Google Chrome, letting the update finish, and clicking the ‘Relaunch’ button to install it immediately.
While Google has already confirmed that CVE-2025-5419 is being exploited in the wild, the company will not share additional information regarding these attacks until more users have patched their browsers.
“Access to bug details and links may be kept restricted until a majority of users are updated with a fix,” Google said. “We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven’t yet fixed.”
This is Google’s third Chrome zero-day vulnerability since the start of the year, with two more patched in March and May.
The first, a high-severity sandbox escape flaw (CVE-2025-2783) discovered by Kaspersky’s Boris Larin and Igor Kuznetsov, was used to deploy malware in espionage attacks targeting Russian government organizations and media outlets.
The company released another set of emergency security updates in May to patch a Chrome zero-day that could let attackers take over accounts following successful exploitation.
Last year, Google patched 10 zero-days that were either demoed during the Pwn2Own hacking competition or exploited in attacks.
Manual patching is outdated. It’s slow, error-prone, and tough to scale.
Join Kandji + Tines on June 4 to see why old methods fall short. See real-world examples of how modern teams use automation to patch faster, cut risk, stay compliant, and skip the complex scripts.
