Google has released an emergency security update to fix the third Chrome zero-day vulnerability exploited in attacks since the beginning of the year.
“Google is aware that an exploit for CVE-2025-5419 exists in the wild,” the company warned in a security advisory published on Monday.
This high-severity vulnerability is caused by an out-of-bounds read and write weakness in Chrome's V8 JavaScript engine, reported a week ago by Clement Lecigne and Benoit Sevens of Google's Threat Analysis Group.
Google says the issue was mitigated a day later by a configuration change that the company pushed to the Stable channel on all Chrome platforms.
On Monday, it also fixed the zero-day with the release of 137.0.7151.68/69 for Windows/Mac and 137.0.7151.68 for Linux, versions that are rolling out to users in the Stable Desktop channel over the coming weeks.
While Chrome updates automatically when a new security patch is available, users can speed up the process by going to the Chrome menu > Help > About Google Chrome, letting the update finish, and clicking the 'Relaunch' button to install it immediately.
While Google has already confirmed that CVE-2025-5419 is being exploited in the wild, the company will not share additional information about these attacks until more users have patched their browsers.
“Access to bug details and links may be restricted until most users are updated with the fix,” Google said. “We will also maintain the restriction if the bug is present in a third-party library that other projects similarly depend on, but have not yet fixed.”
This is the third Chrome zero-day Google has fixed since the beginning of the year, with two more patched in March and May.
The first, discovered by Boris Larin and Igor Kuznetsov of Kaspersky, was a high-severity sandbox escape flaw (CVE-2025-2783) used to deploy malware in espionage attacks targeting Russian government organizations and media outlets.
The company released another set of emergency security updates in May to patch a Chrome zero-day that allowed attackers to take over accounts after successful exploitation.
Last year, Google patched 10 zero-days that were either demoed during the Pwn2Own hacking competition or exploited in attacks.