CVE-2025-5419

Exploited in the Wild ✓ Confirmed 0-Day ★ Google Project Zero

Triaged: March 3, 2026 10 articles Published: 2025-06-02

VulnLookup ↗ NVD ↗ MITRE ↗ Advisory ↗ P0 Sheet ↗ CISA KEV ↗

EPSS Score

Source: FIRST.org · 2026-05-24

3.5%

probability

This CVE has a 3.5% probability of being exploited in the next 30 days.

0% Top 87.8th percentile of all CVEs 100%

CVSS v3.1

Source: VulnerabilityLookup (CIRCL)

8.8

HIGH

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Description

VulnerabilityLookup (CNA)

Out of bounds read and write in V8 in Google Chrome prior to 137.0.7151.68 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

Affected Products

Google

Chrome

137.0.7151.68

Attack Intelligence

CWE-118 · Incorrect Access of Indexable Resource ('Range Error') CWE-119 · Buffer Overflow CWE-125 · Out-of-bounds Read CWE-664 · Improper Control of a Resource Through its Lifetime CWE-787 · Out-of-bounds Write

Google Project Zero

Patched

June 2, 2025

Reported by

Clement Lecigne and Benoît Sevens of Google Threat Analysis Group

Root Cause Analysis

???

Exploits & PoC

mistymntncop/CVE-2025-5419

PoC CVE-2025-5419 — mistymntncop/CVE-2025-5419

bjrjk/CVE-2025-5419

An uninitialized read vulnerability by incorrect Turboshaft Store-Store Elimination in V8.

itsShotgun/chrome_v8_cve_checker

Checks if your Chrome version is vulnerable to CVE-2025-5419, from the browser

Riquelme54322/CVE-2025-5419

🛡️ Analyze CVE-2025-5419 to exploit an uninitialized read vulnerability in V8 for arbitrary read/write access within the sandbox environment.

4 repos — triés par ⭐ Rechercher sur GitHub ↗

https://chromereleases.googleblog.com/2025/06/stable-channel-update-for-desktop.html

https://issues.chromium.org/issues/420636529

Signal Intelligence

Confidenceⓘ

92%

EPSS 3.5%

CVSS v3.1 8.8

Mentions 10

Last Seen Dec 11, 2025

CNA Information

CNA Assigner

Chrome

Analyst Note

This CVE is a confirmed zero-day in Chrome V8 with high CVSS severity (8.8), active in-the-wild exploitation documented across multiple credible sources (BleepingComputer, TheHackerNews), and official Google patching in version 137.0.7151.68. The vulnerability involves out-of-bounds read/write leading to heap corruption, representing a significant exploitation vector requiring immediate user remediation.

Threat Actors 4

Hacking Team

apt_group 🇮🇹 IT

HAZY TIGER

apt_group Information theft and espionage 🇮🇳 IN

Group 27

apt_group Information theft and espionage 🇨🇳 CN

Red Dev 17

apt_group 🇨🇳 CN

Triage Info

Decided atMar 03, 2026

Published DateJun 02, 2025