If you use Google Chrome, you need to update your browser right now. Google just released an emergency patch for a three security vulnerabilities, one of which is a zero-day that has been actively exploited.
Zero-days are high-severity flaws that are either actively exploited in the wild or publicly disclosed before the developer pushes an update to fix the vulnerability.
What the Google Chrome patch fixes
The latest Chrome zero-day—labeled CVE-2025-5419 —is an out-of-bounds read-and-write vulnerability that affects the V8 JavaScript engine, which would allow a remote attacker to “exploit heap corruption via a crafted HTML page.”
The flaw was discovered and reported on May 27 by Clement Lecigne and Benoît Sevens from the Google Threat Analysis Group. While Google has acknowledged that the zero-day has been actively exploited, it hasn’t disclosed any additional details as to how or by whom to prevent other bad actors from leveraging the bug until more Chrome users have applied the patch.
This isn’t the first zero-day vulnerability affecting Chrome this year. Google released additional emergency patches in March and May : The first flaw allowed the deployment of malware in espionage attacks, while the second permitted account takeover.
What Chrome users need to do
Google has confirmed that it pushed a configuration change to the Stable version of Chrome to address the vulnerability the day after it was discovered. On Monday, the company released a Stable channel update with patches for the zero-day and two additional security issues.
Users should ensure they are on Chrome version 137.0.7151.68/.69 for Windows and macOS, and version 137.0.7151.68 for Linux. Check your version by opening the Chrome menu and selecting About Google Chrome. If an update is available, allow it to complete and relaunch your browser to install it.
