Google has released an urgent security update for its Chrome browser. It fixes a vulnerability that attackers are already actively exploiting.
This is the third so-called zero-day vulnerability that has been discovered and fixed this year.
Vulnerability in the V8 JavaScript engine
The current vulnerability, tracked as CVE-2025-5419, affects V8, the JavaScript engine responsible for executing scripts in Chrome. It is a memory access error (out-of-bounds read/write) that potentially allows attackers to execute arbitrary code.
The vulnerability was discovered by security researchers from Google’s Threat Analysis Team. According to Google, a technical countermeasure was implemented shortly after the report by changing the configuration in the stable branch of the browser.
Update for all platforms already distributed
Chrome versions 137.0.7151.68/.69 for Windows and macOS and 137.0.7151.68 for Linux have now been released as a final fix. The update will be distributed automatically to all users in the coming days and weeks. If you want to be on the safe side, you should initiate the update manually:
Menu → Help → About Google Chrome → Complete update → Click “Restart”.
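For administrators who need to confirm that many machines have picked up the fix, the following is an added example (not from Google or the original article) that compares reported Chrome version strings against the fixed build 137.0.7151.68 named above. The hostnames and inventory entries are constructed sample data, and the function names are hypothetical.

```python
import re

# Fixed builds named in the article: 137.0.7151.68/.69 (Windows, macOS)
# and 137.0.7151.68 (Linux), so .68 is the lowest fixed build everywhere.
FIXED_BUILD = (137, 0, 7151, 68)

VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\.(\d+)\b")


def parse_version(text):
    """Return the four-part Chrome version found in `text` as ints, or None."""
    match = VERSION_RE.search(text)
    return tuple(int(part) for part in match.groups()) if match else None


def classify(version_text):
    """Return 'patched', 'outdated' or 'unknown' for one reported version string."""
    version = parse_version(version_text)
    if version is None:
        # No usable version reported: flag for manual follow-up, never assume safe.
        return "unknown"
    # Tuples compare numerically per component, so 7151.100 is newer than
    # 7151.68; comparing the raw strings would rank it as older.
    return "patched" if version >= FIXED_BUILD else "outdated"


def audit(inventory):
    """Map each host to its status; `inventory` yields (host, version_text) pairs."""
    return {host: classify(text) for host, text in inventory}


# Constructed sample inventory (hostnames and reported strings are made up).
SAMPLE_INVENTORY = [
    ("win-01", "Google Chrome 137.0.7151.69"),
    ("mac-02", "Google Chrome 137.0.7151.56"),
    ("lnx-03", "Google Chrome 137.0.7151.68"),
    ("win-04", "Google Chrome 136.0.7103.114"),
    ("lnx-05", "Google Chrome 137.0.7151.100"),
    ("mac-06", "version unavailable"),
]

if __name__ == "__main__":
    for host, status in audit(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

Chrome only runs the new build after a restart, so a host should be counted as patched on the version the running browser reports, not on the version installed on disk.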
Details deliberately withheld
Google is currently withholding technical details about the vulnerability, a common step in the case of actively exploited vulnerabilities. The reasoning is that publishing details too early would allow attackers to cause further damage. The company only intends to provide further information once the majority of users are using the patched version.
Already the third critical vulnerability in 2025
The vulnerability that has now been closed is one of a series of zero-day vulnerabilities that have affected Chrome this year alone:
- March 2025: A sandbox escape vulnerability (CVE-2025-2783), discovered by security researchers at Kaspersky, was used to deploy spyware against Russian authorities and media.
- May 2025: Another zero-day vulnerability allowed attackers to gain access to user accounts after successful exploitation.
Looking back: Ten Zero Days in the previous year
In 2024, Google was already struggling with ten zero-day security vulnerabilities, some of which were demonstrated at the Pwn2Own hacker event or directly observed in active attacks. The trend shows that web browsers continue to be the focus of professional attackers, and that rapid updates are a key building block for IT security.