🟢 CVE-2025-5419

CVE-2025-5419 is an out-of-bounds read/write vulnerability in Chrome's V8 engine that allows remote code execution via crafted HTML pages. While severe for client security, this is a browser vulnerability requiring user interaction and does not qualify as T1190 since Chrome is client software, not a public-facing server application.

Risk Level: LOW_RISK

CVSS Score: 8.8

Attack Vector: NETWORK

ATT&CK Tactic: Execution

ATT&CK Technique: T1203 - Exploitation for Client Execution

Deployment Risk: VERY_LOW

Ransomware: No

📋 Vulnerability Details

Data Source: CIRCL

Confidence: HIGH

Exploitation Method: USER_INTERACTION

CVE Published: 2025-06-02

Added to CISA KEV: 2025-06-05 (3 days between CVE and KEV)

🎯 Recommendations:

🔍 Web Intelligence (Kagi · 2026-06-04)

CVE-2025-5419 is a critical security vulnerability affecting the V8 JavaScript engine in Google Chrome. Below is a summary of the known details regarding this vulnerability:

Vulnerability Overview

  • Description: The vulnerability is an out-of-bounds read and write issue within the V8 engine [2]. It is specifically identified as an uninitialized read vulnerability caused by incorrect Turboshaft Store-Store Elimination [1].
  • Impact: Successful exploitation allows a remote attacker to trigger heap corruption [2]. Advanced exploitation can escalate this to achieve arbitrary read/write, `AddressOf`, and `FakeObject` primitives within the V8 sandbox [1].

Exploitation and Threat Landscape

  • Active Exploitation: Google has confirmed that an exploit for CVE-2025-5419 exists and has been used in the wild [3].
  • Attack Method: The attack is remote and typically involves a crafted HTML page to trigger the vulnerability [2].
  • Exploit Availability: Publicly available analysis and stabilized exploit code exist, which demonstrate how to leverage the vulnerability for advanced primitives [1].
  • Targeted Attacks/Ransomware: While the vulnerability is known to be exploited in the wild, specific attribution to ransomware campaigns or specific targeted threat actors is not detailed in the available public records.

Affected Versions and Mitigation

  • Affected Versions: Google Chrome versions prior to 137.0.7151.68 are affected [2] [3].
  • Mitigation: Users should ensure their browser is updated to version 137.0.7151.68 or later to patch this vulnerability.

Sources

  1. GitHub - bjrjk/CVE-2025-5419: An uninitialized read vulnerability by ...

    CVE-2025-5419 An uninitialized read vulnerability by incorrect Turboshaft Store-Store Elimination in V8. This repository contains analysis and stabilized exploit to escalate this vulnerability to achieve in-V8-sandbox Arbitrary Read / Write, AddressOf & FakeObject primitives. Analysis: CVE-2025-5419.

  2. CVE-2025-5419 Detail - NVD

    Out of bounds read and write in V8 in Google Chrome prior to 137.0.7151.68 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML ...

  3. Multiple Vulnerabilities in Google Chrome Could Allow for Arbitrary ...

    THREAT INTELLIGENCE: Google is aware that an exploit for CVE-2025-5419 exists in the wild. SYSTEMS AFFECTED: Chrome prior to 137.0.7151.68 ...