Google Confirms ACTIVE Chrome Attack — Patch Now

Cyber attackers are actively exploiting a critical vulnerability in Google Chrome right now, putting over 2 billion users at risk of having their systems compromised through malicious websites.

Key Takeaways

  • Google has released an emergency update, Chrome version 137.0.7151.68/.69, that fixes three security vulnerabilities, including a zero-day flaw being actively exploited
  • The critical vulnerability (CVE-2025-5419) affects Chrome’s V8 JavaScript engine with a high-severity CVSS score of 8.8
  • Hackers can exploit this flaw to corrupt system memory and potentially take control of your device through specially crafted malicious websites
  • This is the second zero-day vulnerability Google has patched in 2025, indicating a concerning trend in browser security threats
  • Users of all Chromium-based browsers (Chrome, Edge, Brave, Opera, Vivaldi) should update immediately

Critical Chrome Zero-Day Under Active Attack

Google’s emergency security update released this week addresses a critical zero-day vulnerability that hackers are already exploiting in the wild. The vulnerability, tracked as CVE-2025-5419, received a high-severity CVSS score of 8.8, indicating its serious nature. This flaw affects Chrome’s V8 JavaScript engine—the core component that processes JavaScript code on websites—allowing attackers to exploit heap corruption via specially crafted HTML pages. When a Chrome user visits a malicious or compromised website, this vulnerability could potentially allow attackers to execute arbitrary code, steal sensitive information, or even take control of the affected system.

The vulnerability was discovered on May 27 by Clement Lecigne and Benoît Sevens from Google’s Threat Analysis Group, who promptly reported it to Google’s security team. The rapid response highlights the severity of the threat, with Google pushing a configuration change to the Stable version of Chrome within a day of discovery, followed by this complete patch. The company has deliberately limited public information about the specifics of ongoing attacks to prevent further exploitation, allowing time for more users to update their browsers before attack techniques become widely known in hacker communities.

Technical Details and Impact

According to security researchers, the vulnerability stems from memory handling issues in Chrome’s V8 JavaScript engine. The National Vulnerability Database describes the flaw as an “out-of-bounds read and write” vulnerability, which means the engine can be tricked into reading and writing memory outside the bounds of the data it is supposed to be working on. This type of vulnerability is particularly dangerous as it bypasses normal security controls built into modern browsers and operating systems, potentially giving attackers privileged access to your computer’s resources.

“Out-of-bounds read and write in V8 in Google Chrome prior to 137.0.7151.68 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page,” said NVD, NIST’s National Vulnerability Database.

What makes this vulnerability particularly concerning is that it requires minimal user interaction to exploit. Simply visiting a malicious website is enough to trigger the vulnerability—no additional downloads or permissions needed. The exploit can also be injected into legitimate websites through various means, such as compromised third-party advertisements or supply chain attacks targeting web development resources. This is the second zero-day vulnerability Google has had to patch in 2025, following CVE-2025-2783 earlier this year, suggesting a worrying trend in browser security threats.

How to Protect Yourself

Immediate action is required to protect your devices from this active threat. For Windows and macOS users, update to Chrome version 137.0.7151.68 or 137.0.7151.69. Linux users should update to version 137.0.7151.68. To check your current Chrome version and update if necessary, click the three dots in the upper right corner of Chrome, select “Help,” then “About Google Chrome.” The browser will automatically check for updates and prompt you to restart when the update is complete. This process takes just a few minutes but provides critical protection against this actively exploited vulnerability.

“Google is aware that an exploit for CVE-2025-5419 exists in the wild,” said Google.

The threat extends beyond just Google Chrome users. Since Chrome’s V8 engine is used in many other popular browsers based on the Chromium project, users of Microsoft Edge, Brave, Opera, and Vivaldi should also ensure their browsers are updated with the latest security patches. Most of these browsers update automatically but may require a restart to apply the latest security fixes. Government agencies and businesses using Chrome should prioritize this update across their organizations, as these entities are often high-value targets for sophisticated cyber attacks leveraging zero-day vulnerabilities like this one.
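For an organization rolling this update out, one way to check collected Chrome version strings against the fixed build 137.0.7151.68 is sketched below. This is an added example, not code from the original article or from Google; the inventory format, host names and version strings are constructed, and the function names are hypothetical.

```python
import re

# Fixed build named in the article and the NVD entry:
# Chrome "prior to 137.0.7151.68" is affected by CVE-2025-5419.
FIXED = (137, 0, 7151, 68)

# Chrome versions have four numeric parts: MAJOR.MINOR.BUILD.PATCH
VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\.(\d+)\b")

def parse_version(text):
    """Pull a four-part version out of text such as `--version` output."""
    m = VERSION_RE.search(text)
    return tuple(int(p) for p in m.groups()) if m else None

def classify(version_text):
    """Return 'patched', 'vulnerable' or 'unknown' for one reported string."""
    v = parse_version(version_text)
    if v is None:
        return "unknown"  # no parsable version: needs manual follow-up
    # Tuples of ints compare part by part, so 7151.9 < 7151.68 as intended.
    return "patched" if v >= FIXED else "vulnerable"

def naive_string_is_patched(version):
    """Pitfall shown for contrast: comparing version strings as text."""
    return version >= "137.0.7151.68"

def audit(inventory):
    """Group hosts by patch status. Applies to Google Chrome strings only;
    other Chromium-based browsers follow their vendors' own version numbers."""
    report = {"patched": [], "vulnerable": [], "unknown": []}
    for host, text in inventory:
        report[classify(text)].append(host)
    return report

# Constructed sample inventory: (host, version string as reported by the host)
INVENTORY = [
    ("ws-001", "Google Chrome 137.0.7151.68"),
    ("ws-002", "Google Chrome 137.0.7151.55"),
    ("mac-014", "Google Chrome 137.0.7151.69"),
    ("ws-003", "Google Chrome 136.0.7103.114"),
    ("lnx-007", "Google Chrome 137.0.7151.9 "),
    ("kiosk-2", "chrome: command not found"),
]

if __name__ == "__main__":
    for status, hosts in audit(INVENTORY).items():
        print(f"{status}: {', '.join(hosts) or '-'}")
```

Hosts in the `unknown` group should be treated as unpatched until checked, and a host that has downloaded the update but not restarted the browser may still be running the older build.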

The Bigger Picture

This latest security incident underscores the ongoing cyber war being waged against American technology users and businesses. While the Biden-Harris administration continues to focus on issues like climate change and DEI initiatives, critical cybersecurity threats continue to multiply, putting our national and economic security at risk. Google’s Threat Analysis Group has found that state-sponsored hackers, often from adversarial nations like China, Russia, and Iran, frequently target zero-day vulnerabilities to conduct espionage and information warfare campaigns against the United States and its allies.

The increasing frequency of these critical browser vulnerabilities raises serious questions about the security of our digital infrastructure. American technology companies are being forced to play an endless game of security whack-a-mole while foreign adversaries enjoy the advantage of surprise attacks. This latest Chrome vulnerability serves as yet another wake-up call about the importance of cybersecurity in our increasingly connected world. President Trump’s administration has consistently emphasized the need for stronger cyber defenses and holding hostile foreign actors accountable for their digital attacks against American interests.