Clement Lecigne and Benoît Sevens of Google Threat Analysis Group discovered a high-severity vulnerability impacting the Chrome browser. Tracked as CVE-2025-5419, this is an out-of-bounds read and write vulnerability in V8. Google mentioned in the advisory that they are aware of the active exploitation of vulnerability in the wild. Google addressed the vulnerability with a configuration change pushed out to Stable across all Chrome platforms.
This is the third zero-day vulnerability Google has patched since the start of the year. The previous two are:
Currently, no publicly available information exists regarding exploiting this Google Chrome vulnerability by any specific threat actors. The absence of reports does not necessarily mean the vulnerability is not being exploited; it may not have been observed or disclosed.
Affected Versions
The vulnerability affects Google Chrome versions before 137.0.7151.68.
Mitigation
Customers must upgrade to the latest stable channel version 137.0.7151.68/.69 for Windows and Mac and 137.0.7151.68 for Linux.
For more information, please refer to the Google Chrome Release Page.
Qualys Detection
Qualys customers can scan their devices with QID 383328 to detect vulnerable assets.
Rapid Response with Patch Management (PM)
Qualys Patch Management and its Zero-Touch Patching feature provide a seamless, automated process of patching a vulnerability like this.
Zero-Touch Patching identifies the most vulnerable products in your environment and automates the deployment of necessary patches and configuration adjustments. This streamlines the patching process and ensures vulnerabilities are addressed promptly.
Please continue to follow Qualys Threat Protection for more coverage of the latest vulnerabilities.
References
https://chromereleases.googleblog.com/2025/06/stable-channel-update-for-desktop.html
