
Google’s urgent Chrome update reveals a critical zero-day vulnerability being actively exploited by attackers who can remotely compromise your computer through a specially crafted webpage.
Key Takeaways
- Google has released an emergency security update, Chrome version 137.0.7151.68/.69, to fix a critical zero-day vulnerability (CVE-2025-5419) that hackers are actively exploiting
- The vulnerability affects Chrome’s V8 JavaScript engine and allows attackers to corrupt memory via malicious HTML pages
- Users on Windows, macOS, and Linux need to update immediately as the security flaw has a high severity score of 8.8 out of 10
- This marks the second zero-day vulnerability Google has patched in 2025, indicating an ongoing pattern of security threats
- Users of other Chromium-based browsers like Microsoft Edge, Brave, and Opera should also apply updates when available
Critical Vulnerability Threatens Millions of Chrome Users
Google has released an emergency security update for its Chrome browser to address three critical vulnerabilities, including a dangerous zero-day flaw that hackers are actively exploiting. The vulnerability, identified as CVE-2025-5419, affects Chrome’s V8 JavaScript and WebAssembly engine and carries a high-severity CVSS score of 8.8. Security experts from Google’s Threat Analysis Group discovered the flaw on May 27, 2025, prompting the tech giant to rush out a patch to protect its estimated 3 billion users worldwide.
The vulnerability allows malicious actors to “exploit heap corruption via a crafted HTML page,” potentially giving them control over victim computers simply by tricking users into visiting compromised websites. This type of attack requires no user interaction beyond visiting an infected page, making it particularly dangerous. President Trump’s administration has consistently highlighted the growing threat of cyber attacks targeting American citizens and businesses, yet these vulnerabilities continue to emerge despite big tech’s security promises.
Technical Details and Exploitation
The vulnerability specifically involves out-of-bounds read and write operations in Chrome’s V8 JavaScript engine, which can be manipulated by attackers to gain unauthorized access to computer memory. This type of memory corruption vulnerability is particularly concerning because it can lead to remote code execution, allowing attackers to run malicious software on victim machines. Google has withheld complete details about the exploit to prevent copycat attacks while users update their browsers.
“Out-of-bounds read and write in V8 in Google Chrome prior to 137.0.7151.68 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page,” according to the National Vulnerability Database (NVD).
Google confirmed the severity of the situation in their security bulletin, stating: “Google is aware that an exploit for CVE-2025-5419 exists in the wild.” This simple but chilling acknowledgment reflects the company’s recognition that malicious actors are already using this vulnerability to target unsuspecting Chrome users. This marks the second zero-day vulnerability Google has been forced to patch in 2025, following the earlier CVE-2025-2783 discovered in March.
How to Protect Yourself
Chrome users must update their browsers immediately to version 137.0.7151.68/.69 on Windows and macOS systems, or version 137.0.7151.68 for Linux users. Google implemented an initial configuration change to address the issue immediately after discovery, but the full security patch requires users to take action. To update, click the three-dot menu in the upper right corner of Chrome, select “Help,” then “About Google Chrome,” and allow any available updates to install before relaunching the browser.
Users of other Chromium-based browsers including Microsoft Edge, Brave, Opera, and Vivaldi should also apply updates as soon as they become available from their respective developers. The widespread use of the Chromium engine means this vulnerability potentially affects hundreds of millions of additional users beyond Chrome’s direct user base. The government’s failure to hold big tech companies accountable for recurring security flaws continues to leave American citizens vulnerable to foreign and domestic cyber threats.
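For administrators checking many machines rather than one, the version threshold above can be applied to an inventory of reported browser versions. The following is an added example, not code from Google or from this article; the hostnames and version strings in the sample are constructed, and the input is assumed to be the text a browser prints for its version (for example the output of `google-chrome --version`).

```python
import re

# Fixed build named in the advisory text above: anything prior is affected.
FIXED = (137, 0, 7151, 68)

# Four-part version as it appears in strings such as "Google Chrome 137.0.7151.68".
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Return the first four-part version in text as a tuple of ints, or None."""
    m = VERSION_RE.search(text)
    return tuple(int(p) for p in m.groups()) if m else None


def classify(reported):
    """Classify one reported version string.

    Returns 'patched', 'vulnerable', 'check-vendor' (a Chromium-based browser
    with its own build numbering) or 'unknown' (no version could be parsed).
    """
    version = parse_version(reported)
    if version is None:
        return "unknown"
    if not reported.strip().lower().startswith("google chrome"):
        # Edge, Brave, Opera and Vivaldi number their builds differently, so
        # the Chrome threshold cannot be applied; use the vendor's advisory.
        return "check-vendor"
    # Compare as integer tuples: as strings, ".9" would sort after ".68".
    return "patched" if version >= FIXED else "vulnerable"


def audit(inventory):
    """Map host -> status for (host, reported_version_string) pairs."""
    return {host: classify(reported) for host, reported in inventory}


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE = [
    ("ws-01", "Google Chrome 137.0.7151.68"),
    ("ws-02", "Google Chrome 137.0.7151.9"),
    ("mac-07", "Google Chrome 137.0.7151.69"),
    ("ws-03", "Google Chrome 136.0.7103.114"),
    ("ws-04", "Microsoft Edge 137.0.3296.52"),
    ("kiosk-2", "Google Chrome"),
]

if __name__ == "__main__":
    for host, status in audit(SAMPLE).items():
        print(f"{host}: {status}")
```

Hosts reported as `unknown` or `check-vendor` need manual follow-up; the script deliberately does not guess a status for them.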
Pattern of Vulnerability
This latest security incident reflects a troubling pattern in Chrome’s security history. The browser has already required emergency patching earlier this year, with zero-day vulnerabilities discovered in both March and May of 2025. The frequency of these critical security flaws raises questions about Chrome’s development and security testing processes, especially considering Google’s vast resources and technical expertise. While Google deserves credit for promptly addressing discovered vulnerabilities, American users deserve better protection from the outset.
“The timing of this vulnerability is particularly concerning as more Americans work remotely and conduct sensitive business and financial transactions online,” said Biden, the administration’s continued weak stance on cybersecurity enforcement and big tech accountability, everyday Americans are left to fend for themselves in an increasingly dangerous digital landscape. President Trump’s ongoing efforts to strengthen America’s cyber defenses stand in stark contrast to the current technological vulnerabilities exploited by both foreign and domestic bad actors.