Out of Bounds Read and Write Vulnerability in Google Chrome
CVE-2025-5419
What is CVE-2025-5419?
CVE-2025-5419 is a high-severity vulnerability in Google Chrome, specifically in the V8 JavaScript engine, affecting versions prior to 137.0.7151.68. It is an out-of-bounds read and write: a crafted HTML page can drive V8 into reading and writing memory outside the bounds of a heap object, corrupting the heap. Heap corruption of this kind is the usual first step toward arbitrary code execution in the renderer process, so the practical risk is drive-by compromise of any user who visits, or is redirected to, an attacker-controlled page. Code execution obtained this way lands inside Chrome's renderer sandbox; reaching the host operating system additionally requires a sandbox escape, which is why in-the-wild exploit chains for V8 bugs are typically paired with a second vulnerability. Even so, a compromised renderer exposes session cookies, in-page credentials and everything the browser renders, and a compromised endpoint can become a foothold for broader attacks within an organization's network, affecting the confidentiality, integrity and availability of sensitive data and resources.
Potential impact of CVE-2025-5419
- Unauthorized Access and Control: An attacker who successfully exploits this vulnerability can run code of their choosing in the victim's browser process without the user's consent, and, if chained with a sandbox escape, on the underlying system. Either outcome gives access to data the user is entitled to see and can be used to compromise sensitive information.
- Data Breaches: Control over heap memory lets an attacker read and tamper with data held by the browser, including authenticated web sessions, and exfiltrate it. Organizations may face reputational damage, legal consequences and financial liabilities as a result.
- Widespread Network Compromise: Because Google Chrome is deployed on most corporate endpoints, a single malicious page or malvertising campaign can reach many machines at once. Once an attacker has a foothold on one machine, it can be used as a starting point for lateral movement to other systems on the network, increasing the severity and scale of the incident.
CISA has reported CVE-2025-5419
CISA provides regional cyber and physical services to support security and resilience across the United States. CISA monitors the most dangerous vulnerabilities and has added CVE-2025-5419 to its Known Exploited Vulnerabilities (KEV) catalog as actively exploited; the catalog entry lists its use in ransomware campaigns as unknown. That status is subject to change at pace as further reporting on the exploitation emerges.
CISA's required action is: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Affected Version(s)
Google Chrome (V8) versions prior to 137.0.7151.68. The fix ships in Chrome 137.0.7151.68 and later; that build itself is not affected.
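The following is an added example, not code from the advisory or from Google, that turns the version boundary above into a check a defender can run over fleet inventory or web-server and proxy logs. It takes the fixed build 137.0.7151.68 from the advisory text, compares versions numerically (a plain string compare would rank "137.0.7151.9" above "137.0.7151.68"), and extracts the Chrome build from User-Agent strings. Because Chrome's User-Agent reduction reports only the major version (for example "Chrome/137.0.0.0"), a reduced UA on the same major as the fix is reported as unknown rather than as patched or affected. The sample User-Agent lines are constructed for the example, not captured traffic; function and constant names are the example's own.

```javascript
// Added example (not from the advisory): classify Chrome versions against the
// fix for CVE-2025-5419. FIXED_VERSION is taken from the advisory text.
const FIXED_VERSION = "137.0.7151.68";

// Parse "a.b.c.d" into four numbers; reject anything that is not a full
// four-component Chrome version string.
function parseVersion(v) {
  const parts = String(v).trim().split(".");
  if (parts.length !== 4 || !parts.every((p) => /^\d+$/.test(p))) {
    throw new Error(`not a Chrome version string: ${JSON.stringify(v)}`);
  }
  return parts.map(Number);
}

// Component-wise numeric compare; returns <0, 0 or >0 like strcmp.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 4; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

// True when the full version predates the fixed build.
function isAffectedByCVE20255419(version) {
  return compareVersions(version, FIXED_VERSION) < 0;
}

// Classify a reported version as "affected", "patched" or "unknown".
// A version of the form N.0.0.0 is what Chrome's reduced User-Agent reports,
// so only its major component can be trusted (assumption documented above).
function assessReportedVersion(version) {
  const [major, minor, build, patch] = parseVersion(version);
  if (minor === 0 && build === 0 && patch === 0) {
    const fixedMajor = parseVersion(FIXED_VERSION)[0];
    if (major < fixedMajor) return "affected";
    if (major > fixedMajor) return "patched";
    return "unknown";
  }
  return isAffectedByCVE20255419(version) ? "affected" : "patched";
}

// Pull the Chrome build out of a User-Agent string; null when not Chrome.
function chromeVersionFromUserAgent(ua) {
  const m = /\bChrome\/(\d+\.\d+\.\d+\.\d+)\b/.exec(ua);
  return m ? m[1] : null;
}

// Triage a batch of User-Agent strings (e.g. one per access-log line).
// Non-Chrome agents get status "n/a".
function triageUserAgents(lines) {
  return lines.map((ua) => {
    const version = chromeVersionFromUserAgent(ua);
    return { ua, version, status: version === null ? "n/a" : assessReportedVersion(version) };
  });
}

// Constructed sample User-Agent strings for the example (not real traffic).
const SAMPLE_UAS = [
  "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.7103.114 Safari/537.36",
  "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/137.0.7151.68 Safari/537.36",
  "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/137.0.7151.9 Safari/537.36",
  "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/137.0.0.0 Safari/537.36",
  "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:128.0) Gecko/20100101 Firefox/128.0",
];

if (typeof require !== "undefined" && require.main === module) {
  for (const r of triageUserAgents(SAMPLE_UAS)) {
    console.log(`${(r.version ?? "non-Chrome").padEnd(16)} ${r.status}`);
  }
}
```

Treat the User-Agent path as triage only: the header is client-controlled, other Chromium-based browsers also advertise a "Chrome/" token, and a reduced UA cannot distinguish 137.0.7151.55 from 137.0.7151.68. For an authoritative answer, read the installed version from the endpoint (the browser's about page or the management inventory) and feed that string to assessReportedVersion.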
News Articles

Google Issues Emergency Update For All 3 Billion Chrome Users
Update now warning for all users, with attacks confirmed underway.
3 weeks ago
Emergency Chrome Update! One Click Could Save Your Personal Data
A newly discovered critical vulnerability in Google Chrome—CVE-2025-5419—has put an estimated 3 billion users at significant risk of cyberattacks. Google has issued an emergency update to fix the flaw, but experts warn that threat actors have already begun exploiting it in the wild. Another severe b...
3 weeks ago
Google fixes Chrome zero-day with in-the-wild exploit (CVE-2025-5419) - Help Net Security
Google has fixed two Chrome vulnerabilities, including a zero-day flaw (CVE-2025-5419) with an in-the-wild exploit.
3 weeks ago
Timeline
- 🥇 Vulnerability reached the number 1 worldwide trending spot
- 💰 Used in Ransomware
- 🦅 CISA Reported
- 📈 Vulnerability started trending
- 👾 Exploit known to exist
- 📰 First article discovered by SecurityWeek
- Vulnerability published
- Vulnerability Reserved