Pierluigi Paganini June 05, 2025

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds a Google Chromium V8 vulnerability to its Known Exploited Vulnerabilities catalog.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added Google Chromium V8 Out-of-Bounds Read and Write Vulnerability, tracked as CVE-2025-5419, to its Known Exploited Vulnerabilities (KEV) catalog.

This week, Google released out-of-band updates to address three vulnerabilities in its Chrome browser, including the vulnerability CVE-2025-5419, which is actively exploited in the wild.

The vulnerability is an out-of-bounds read and write in the V8 JavaScript engine in Google Chrome prior. An attacker can exploit the flaw to trigger a heap corruption via a crafted HTML page.

Clement Lecigne and Benoît Sevens of Google Threat Analysis Group reported the vulnerability on May 27, 2025. The IT giant addressed the issue the day after, on May 28, 2025, with a configuration update applied to all Chrome Stable platforms.

“Google is aware that an exploit for CVE-2025-5419 exists in the wild.” reads the advisory.

Chrome Stable is updated to version 137.0.7151.68/.69 for Windows and Mac, and 137.0.7151.68 for Linux, rolling out in the coming days.

As usual, the company did not disclose technical details about the attack that exploited this issue.

According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.

Experts also recommend private organizations review the Catalog and address the vulnerabilities in their infrastructure.

CISA orders federal agencies to fix the vulnerabilities by June 26, 2025.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, CISA)