Google patched three security vulnerabilities in its Chrome web browser early last week, one of which was reportedly being actively exploited by threat actors.
That bug, CVE-2025-5419, is rated high severity with a CVSS score of 8.8 and is described as an out-of-bounds read and write condition in V8, Chrome's JavaScript and WebAssembly engine. In essence, a remote attacker could corrupt the browser's heap memory by means of a specially crafted HTML page.
The flaw was discovered and reported by Clement Lecigne and Benoît Sevens, researchers at Google's Threat Analysis Group (TAG), on May 27, 2025. Google reacted swiftly, rolling out a configuration change to the stable version of Chrome on all platforms the very next day to mitigate the threat.
Google has stated that exploits for CVE-2025-5419 are currently being used "in the wild." However, to protect its users and avoid further dissemination of the exploit, Google has chosen to keep information about the attacks and the attackers confidential. The aim is to give users sufficient time to update their browsers before other attackers can take advantage of the vulnerability.
This is the second zero-day vulnerability that Google has addressed in Chrome this year. The first, CVE-2025-2783, was reportedly exploited in attacks against organizations in Russia.