Google Releases Chrome 137 Update to Patch Actively Exploited Zero-Day Vulnerability
On Monday, Google rolled out an update for Chrome version 137 to fix three security vulnerabilities, including a high-severity zero-day that is currently being exploited in the wild.
The zero-day, identified as CVE-2025-5419, involves an out-of-bounds read and write flaw in Chrome’s V8 JavaScript engine. According to Google’s advisory, the company is aware that an exploit for this vulnerability already exists. While technical details remain undisclosed, Google credited Clement Lecigne and Benoît Sevens from its Threat Analysis Group (TAG) for discovering and reporting the issue.
TAG researchers have previously exposed multiple flaws exploited by commercial spyware vendors. Given that context, CVE-2025-5419 could also be linked to surveillance activities. A related advisory from the National Institute of Standards and Technology (NIST) indicates that the flaw allows remote attackers to potentially cause heap corruption through a specially crafted HTML page. Exploiting such out-of-bounds issues often enables arbitrary code execution on affected systems.
The update also patches CVE-2025-5068, a medium-severity use-after-free vulnerability found in Blink, Chrome’s rendering engine. This issue earned the reporting researcher a $1,000 bug bounty. Google has chosen not to issue a bounty for CVE-2025-5419.
The latest Chrome version 137.0.7151.68/.69 for Windows and macOS, and 137.0.7151.68 for Linux is now being rolled out. This update comes after another serious vulnerability, CVE-2025-2783, a Chrome sandbox escape exploited by a Russian state-backed group, was patched in March. Firefox was also updated to address a similar issue around the same time.
Earlier in May, Google released Chrome 136 to resolve another zero-day vulnerability that had been disclosed publicly by a security researcher about a week prior.
Found this article interesting? Follow us on X(Twitter) ,Threads and FaceBook to read more exclusive content we post.
