Chrome: Out of bounds read and write in V8 engine (CVE-2025-5419) #shorts
Summary
Google has released an emergency patch for CVE-2025-5419, a high-severity zero-day vulnerability in the V8 JavaScript engine of Google Chrome. This flaw is being actively exploited in the wild and can lead to heap corruption and potentially arbitrary code execution via a crafted HTML page.
Product details
Affected product: Google Chrome prior to version 137.0.7151.68. The issue resides in V8, the JavaScript and WebAssembly engine that runs inside Chrome's sandboxed renderer process. Any desktop or mobile Chrome installation running a version lower than 137.0.7151.68 must be updated immediately to receive the patch.
Vulnerability type summary
CVE-2025-5419 is classified as an out-of-bounds read and write vulnerability. Such bugs let an attacker read or write memory outside the bounds of an allocated buffer; in a JavaScript engine that means corrupting objects on the engine's heap, which can be turned into arbitrary read/write primitives and, under certain conditions, remote code execution.
Details of the vulnerability
The flaw exists in V8's handling of certain JavaScript objects. A remote attacker can craft an HTML page whose JavaScript triggers out-of-bounds reads and writes, corrupting V8's heap. Successful exploitation can allow execution of attacker-controlled code inside the renderer process that runs the page; because Chrome's renderer is sandboxed, reaching the host requires an additional sandbox-escape bug, which is why in-the-wild use of such flaws typically appears as part of an exploit chain. Google has stated that it is aware of an exploit for CVE-2025-5419 existing in the wild.
Conclusion
All Chrome users should update to version 137.0.7151.68 or later without delay. Enterprises should deploy the emergency patch via their update management systems, verify the installed version by inventory rather than assuming auto-update has run, review web proxy and endpoint telemetry for visits to suspicious pages and for unexpected child processes spawned by Chrome, and monitor for indicators of compromise related to in-the-wild exploitation of CVE-2025-5419.
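Verifying the installed version across a fleet is where practitioners most often slip: dotted Chrome versions compared as strings rank "137.0.7151.7" above "137.0.7151.68" and would mark a vulnerable build as patched. The following Node.js script is an added example, not code from the advisory or from Google; the hostnames, version strings and the inventory layout (hostname mapped to the text printed by `google-chrome --version` or a User-Agent fragment) are constructed assumptions.

```javascript
// Added example, not from the advisory: triage a fleet inventory against the
// fixed version for CVE-2025-5419. Dotted versions must be compared field by
// field as integers; comparing them as strings ranks "137.0.7151.7" above
// "137.0.7151.68" and would mark a vulnerable build as patched.

const FIXED_VERSION = "137.0.7151.68";

// Extract a four-part Chrome version from text such as
//   "Google Chrome 137.0.7151.68"   (output of `google-chrome --version`)
//   "Chrome/136.0.7103.113"         (fragment of a User-Agent header)
// Returns an array of four integers, or null when no version is present.
function parseChromeVersion(text) {
  const m = /(\d+)\.(\d+)\.(\d+)\.(\d+)/.exec(String(text));
  return m ? m.slice(1, 5).map(Number) : null;
}

// Numeric comparison of two parsed versions: -1, 0 or 1.
function compareVersions(a, b) {
  for (let i = 0; i < 4; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// true  -> version is below the fix and vulnerable
// false -> version is at or above the fix
// null  -> no version could be parsed (treat as unknown, never as safe)
function isVulnerable(text) {
  const v = parseChromeVersion(text);
  if (v === null) return null;
  return compareVersions(v, parseChromeVersion(FIXED_VERSION)) < 0;
}

// Sort an inventory (hostname -> version text) into three buckets.
function triage(inventory) {
  const report = { vulnerable: [], patched: [], unknown: [] };
  for (const [host, text] of Object.entries(inventory)) {
    const state = isVulnerable(text);
    if (state === null) report.unknown.push(host);
    else if (state) report.vulnerable.push(host);
    else report.patched.push(host);
  }
  return report;
}

// Constructed sample inventory for demonstration; the hostnames and version
// strings are made up, not data from any real fleet.
const SAMPLE_INVENTORY = {
  "ws-01": "Google Chrome 136.0.7103.113",
  "ws-02": "Google Chrome 137.0.7151.68",
  "ws-03": "Google Chrome 137.0.7151.7",   // string comparison would call this patched
  "ws-04": "Mozilla/5.0 ... Chrome/138.0.7204.49 Safari/537.36",
  "ws-05": "Google Chrome 137.0.7151.69",  // one build above the fix
  "ws-06": "chrome: not installed",        // no version -> unknown bucket
};

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(triage(SAMPLE_INVENTORY), null, 2));
}
```

Hosts that land in the `unknown` bucket need a manual look; a parse failure means the inventory field is wrong, not that the host is safe.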
Watch the full video on YouTube: CVE-2025-5419
Remediation and exploitation details
This chain involves the following actors
- Remote attacker: Prepares and delivers malicious content to exploit the browser
- Chrome user: End user who visits the crafted web page and unwittingly triggers the exploit
The following systems are involved
- Google Chrome (prior to 137.0.7151.68) (Rendering and displaying web content): Target browser
- V8 JavaScript engine (Parsing and executing JavaScript code in web pages): Vulnerable component, running inside the sandboxed renderer process, where the out-of-bounds memory access occurs
Attack entry point
- Crafted HTML page: A malicious web page hosting specially designed JavaScript that triggers the out-of-bounds read/write bug
Remediation actions
- Update Chrome to 137.0.7151.68 or later on every desktop and mobile installation; on desktop, opening chrome://settings/help forces an update check
- Enterprises: push the patch through existing update management and confirm the installed version by inventory rather than assuming auto-update has completed
- Review web proxy and endpoint telemetry for visits to suspicious pages and for unexpected child processes spawned by Chrome
Exploitation actions
The steps below describe a generic pattern for exploiting a V8 out-of-bounds bug, not the specifics of the in-the-wild exploit, which the sources listed under Related Content do not describe.
Send link via phishing email or embed in compromised site
- Email with link to http://evil.example.com/malicious.html
The user navigates in the browser to the attacker's URL
- User opens the link in a new tab
Prepare heap memory for corruption
- var arr = new Uint32Array(0x100);
Use a crafted index calculation to overwrite object headers
- arr[calculatedIndex] = shellcodeAddress;
Redirect JavaScript execution flow to attacker data
- Modify the backing store pointer of a typed array to point at shellcode
Invoke a method or function call whose pointer has been hijacked
- Call the overwritten function to run shellcode
Use the newly gained code execution to fetch additional malware
- Create a new process to download ransomware or spyware; from Chrome's sandboxed renderer this step additionally requires a sandbox-escape vulnerability before a process can be spawned on the host
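The `arr[calculatedIndex] = shellcodeAddress` step above only corrupts memory because the engine is buggy; in a correct engine the same pattern is inert. The following Node.js probe is an added example, not code from the advisory or from the V8 project, and it reproduces nothing about CVE-2025-5419. It writes a marker through a range of "calculated" indices and uses a byte view over the same ArrayBuffer as an oracle for whether any write reached the backing store. The probe set (`PROBES`) and the marker value are constructed assumptions.

```javascript
// Added example, not from the advisory: what a correct engine does with the
// "arr[calculatedIndex] = value" pattern. For a fixed-length typed array every
// index outside 0..length-1 is inert: the write is dropped, the read returns
// undefined and the backing ArrayBuffer is untouched. A non-numeric key such as
// "0x10" becomes an ordinary property on the array object and never reaches
// the buffer either. The CVE is an engine bug that breaks this contract;
// nothing here reproduces it.

const MARKER = 0x41414141;

function probeTypedArrayBounds(length, indices) {
  // Slack after the view so a real out-of-bounds write would have room to land.
  const buf = new ArrayBuffer(length * 4 + 32);
  const arr = new Uint32Array(buf, 0, length);
  const shadow = new Uint8Array(buf);   // byte-level oracle over the whole buffer
  const results = [];
  let totalBytesChanged = 0;

  for (const index of indices) {
    const before = Array.from(shadow);  // snapshot of every byte before the write
    arr[index] = MARKER;                // the attempted write
    const readBack = arr[index];
    let bytesChanged = 0;
    for (let i = 0; i < before.length; i++) {
      if (shadow[i] !== before[i]) bytesChanged++;
    }
    totalBytesChanged += bytesChanged;
    results.push({
      index,
      inBounds: Number.isInteger(index) && index >= 0 && index < length,
      readBack,
      bytesChanged,
      // true for a real element or an ordinary property; false when the engine
      // rejected the key as an invalid integer index
      ownProperty: Object.prototype.hasOwnProperty.call(arr, index),
    });
  }
  return { results, totalBytesChanged };
}

// Constructed probe set, not taken from any exploit: one valid index, then the
// kinds of "calculated" values a bounds check must reject: one past the end,
// negative, fractional, beyond 32 bits, and a string that is not a canonical
// numeric index.
const PROBES = [0, 8, -1, 1.5, 2 ** 32, "0x10"];

if (typeof require !== "undefined" && require.main === module) {
  const { results, totalBytesChanged } = probeTypedArrayBounds(8, PROBES);
  for (const r of results) console.log(r);
  console.log("bytes changed in the buffer:", totalBytesChanged);
}
```

Only the in-bounds write changes the buffer (four bytes); the "0x10" case reads the marker back but `bytesChanged` stays 0 because it was stored as a plain property, not an element. An exploit needs the engine to mis-evaluate exactly this kind of bounds decision.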
Related Content
NOTE: The following related content has not been vetted and may be unsafe.
- https://chromereleases.googleblog.com/2025/06/stable-channel-update-for-desktop.html
- https://issues.chromium.org/issues/420636529
- [2025-06-04] Chrome users are advised to update due to a new 0-day vulnerability being exploited in the wild.
- [2025-06-04] Google fixes Chrome zero-day vulnerability with in-the-wild exploit (CVE-2025-5419).
- [2025-06-04] Google Chrome releases emergency patch to fix high-risk zero-day vulnerability (CVE-2025-5419).
- [2025-06-06] Google issues emergency patches for Chrome vulnerabilities, including a zero-day actively exploited in the wild.