CVE-2025-5068 – Google Chrome Vulnerability
June 3, 2025
Severity
High
Analysis Summary
Google has issued an emergency security update for Chrome following the discovery of a critical zero-day vulnerability (CVE-2025-5419) that is being actively exploited in the wild. This vulnerability resides in Chrome’s V8 JavaScript and WebAssembly engine and stems from out-of-bounds read and write operations, allowing attackers to execute arbitrary code on affected systems. The flaw, discovered by researchers, poses a serious threat due to its potential to access or corrupt system memory.
To combat this threat, Google rolled out Chrome version 137.0.7151.68/.69 for Windows and macOS, and 137.0.7151.68 for Linux, with the update being distributed globally. Prior to the full patch, emergency mitigation measures were implemented on May 28, 2025, highlighting the urgency and severity of the issue. These out-of-bounds memory access vulnerabilities are especially dangerous as they allow unauthorized access to sensitive data and could enable full system compromise.
In addition to CVE-2025-5419, the update also patches CVE-2025-5068, a medium-severity use-after-free vulnerability in Chrome’s Blink rendering engine, reported by a security researcher. Although less critical, this flaw could still lead to memory corruption and potential exploitation. As a preventive measure, Google withholds technical details of these vulnerabilities until most users have installed the patches, aiming to limit exploitation attempts by malicious actors.
Google continues to emphasize the importance of updating Chrome immediately to version 137.0.7151.68 or higher, which can be done via Settings > About Chrome. The company credits its internal security tooling, including AddressSanitizer, MemorySanitizer, UndefinedBehaviorSanitizer, Control Flow Integrity, libFuzzer, and AFL, with enabling early detection of such flaws before stable releases. Users and organizations alike are urged to act swiftly: the zero-day is being actively exploited in the wild, making this update a top priority for safeguarding systems.
Impact
- Sensitive Data Theft
- Code Execution
- Gain Access
Indicators of Compromise
CVE
- CVE-2025-5419
- CVE-2025-5068
Affected Vendors
Affected Products
- Google Chrome versions prior to 137.0.7151.68 (fixed in 137.0.7151.68/.69 for Windows and macOS, 137.0.7151.68 for Linux)
Remediation
- Refer to the Google Chrome Security Advisory for patch, upgrade, or suggested workaround information.
- Verify browser version after updating to ensure protection: Go to chrome://settings/help and confirm version 137.0.7151.68 or higher.
- Deploy updates across organizational networks as a high-priority task to mitigate the risk of exploitation via malicious websites.
- Enable automatic updates for Chrome to receive future critical patches without delay.
- Avoid visiting untrusted or suspicious websites until all systems are updated, as the exploit is actively being used in the wild.
- Monitor for unusual system behavior that could indicate exploitation attempts, especially on systems that haven't yet been patched.
- Apply Chrome configuration hardening and security policies via enterprise management tools, if available.
- Use additional security tools such as endpoint detection and response (EDR) solutions to detect and respond to potential exploitation.
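The version check in the remediation steps above (confirm 137.0.7151.68 or higher) is easy to get wrong at scale if versions are compared as strings, since "137.0.7151.100" sorts below "137.0.7151.68" lexically. The script below is an added example, not Google's code or part of this advisory: it parses four-part Chrome version strings, compares them field by field against the lowest fixed build named in the advisory, and triages a constructed inventory export of hostnames and reported versions. The `google-chrome --version` query for the local host is an assumption for a Linux or macOS machine with the binary on PATH; the inventory data is made up.

```python
"""Check whether installed Chrome builds are at or above the patched release.

Added example for this advisory, not Google's code. The minimum version
(137.0.7151.68) comes from the advisory text; querying the local binary
with --version is an assumption for a Linux/macOS host.
"""
import re
import shutil
import subprocess
from typing import Dict, Optional, Tuple

# Fixed builds named in the advisory: 137.0.7151.68/.69 (Windows, macOS),
# 137.0.7151.68 (Linux). The lowest fixed build is the bar for every platform.
MIN_PATCHED = "137.0.7151.68"

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Optional[Tuple[int, int, int, int]]:
    """Extract a four-part Chrome version from strings such as
    'Google Chrome 137.0.7151.68' or a bare '137.0.7151.68'.
    Returns None when no version is present."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    major, minor, build, patch = (int(p) for p in m.groups())
    return (major, minor, build, patch)


def is_patched(installed: str, minimum: str = MIN_PATCHED) -> bool:
    """True when the installed build is >= the minimum fixed build.
    Tuple comparison handles each numeric field separately, so
    137.0.7151.100 correctly ranks above 137.0.7151.68, which a plain
    string comparison would get wrong."""
    have = parse_version(installed)
    need = parse_version(minimum)
    if have is None or need is None:
        return False  # unknown version: treat as unpatched, never as safe
    return have >= need


def installed_chrome_version() -> Optional[str]:
    """Ask the local google-chrome binary for its version (assumption:
    Linux/macOS host with the binary on PATH). Returns None if absent."""
    exe = shutil.which("google-chrome") or shutil.which("google-chrome-stable")
    if exe is None:
        return None
    out = subprocess.run([exe, "--version"], capture_output=True, text=True, check=False)
    return out.stdout.strip() or None


def triage(host_reports: Dict[str, str]) -> Dict[str, str]:
    """Given {hostname: reported version string} from an inventory export,
    return only the hosts still running a vulnerable or unknown build."""
    return {host: v for host, v in host_reports.items() if not is_patched(v)}


if __name__ == "__main__":
    # Constructed inventory sample, not real data
    sample = {
        "ws-01": "Google Chrome 137.0.7151.68",
        "ws-02": "Google Chrome 136.0.7103.114",
        "ws-03": "Google Chrome 137.0.7151.69",
        "ws-04": "version unknown",
    }
    for host, v in triage(sample).items():
        print(f"{host}: {v!r} -> needs update to {MIN_PATCHED} or later")
    local = installed_chrome_version()
    if local:
        print("this host:", local, "patched" if is_patched(local) else "VULNERABLE")
```

Hosts whose version cannot be parsed are deliberately reported as unpatched rather than skipped, so a blank or malformed inventory field surfaces for follow-up instead of silently passing.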