CISA Flags Chrome 0-Day Bug Exploited in Active Attacks
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an urgent alert for a zero-day vulnerability in Google Chrome, actively exploited by attackers to execute arbitrary code. Tracked as CVE-2025-5419, the flaw resides in Chrome’s V8 JavaScript and WebAssembly engine and impacts versions prior to 137.0.7151.68.
Added to CISA’s Known Exploited Vulnerabilities Catalog on June 5, the bug allows remote attackers to corrupt memory via specially crafted HTML pages, enabling potential sandbox escapes. It affects multiple Chromium-based browsers, including Microsoft Edge, Opera, Brave and Vivaldi.
Google acknowledged the threat, implementing a configuration change on May 28 and releasing emergency security patches on June 3. The vulnerability carries a CVSS score of 8.8, classifying it as high severity.
CISA has directed federal agencies to remediate the flaw immediately and urges all users to update their browsers. This marks the third actively exploited Chrome zero-day identified in 2025.
