What is the CVSS score of CVE-2025-5419?

CVE-2025-5419 has a CVSS 3.1 base score of 8.8 (High). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. EPSS exploitation probability: 3.0%.

Which versions of Chrome are affected by CVE-2025-5419?

CVE-2025-5419 is an actively exploited heap corruption vulnerability in Google Chrome affecting all users prior to version 137.0.7151.68.. A patch is available.

Is there a public PoC exploit available for CVE-2025-5419?

Yes, a public proof-of-concept exploit is available for CVE-2025-5419. Prioritise patching immediately. EPSS: 3.0%.

How to fix or mitigate CVE-2025-5419?

Within 24 hours: Issue urgent advisory to all users prohibiting Chrome use for sensitive tasks and directing IT to inventory Chrome deployments. Within 7 days: Monitor Chrome release status for patch availability and prepare forced update procedures; implement network controls to block known attack vectors where feasible. Within 30 days: Deploy Chrome version 137.0.7151.68 or later across all organizational devices through MDM/endpoint management; conduct security awareness training on phishing and malicious link risks.

Chrome CVE-2025-5419

EUVD-2025-16695 HIGH

Out-of-bounds Read (CWE-125)

2025-06-03 chrome-cve-admin@google.com

Google Heap Overflow Memory Corruption Chrome Edge Chromium Suse

8.8

CVSS 3.1 · NVD

Severity by source

NVD PRIMARY

8.8 HIGH

AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Ubuntu

MEDIUM

qualitative

SUSE

HIGH

qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Patch released

Mar 31, 2026 - 21:13 nvd

Patch available

EUVD ID Assigned

Mar 14, 2026 - 17:04 euvd

EUVD-2025-16695

Analysis Generated

Mar 14, 2026 - 17:04 vuln.today

Added to CISA KEV

Oct 24, 2025 - 14:06 cisa

CISA KEV

PoC Detected

Oct 24, 2025 - 14:06 vuln.today

Public exploit code

CVE Published

Jun 03, 2025 - 00:15 nvd

HIGH 8.8

DescriptionCVE.org

Out of bounds read and write in V8 in Google Chrome prior to 137.0.7151.68 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

AnalysisAI

Chrome's V8 JavaScript engine contains an out-of-bounds read and write vulnerability (CVE-2025-5419, CVSS 8.8) enabling remote heap corruption through crafted HTML pages. KEV-listed with EPSS 3.0% and public PoC, this vulnerability provides both read and write primitives in V8's heap, making it highly reliable for exploitation.

Technical ContextAI

The vulnerability provides both out-of-bounds read and write capabilities in V8's heap, which is particularly valuable for exploitation. The read primitive allows the attacker to leak memory layout information (defeating ASLR), while the write primitive enables corruption of adjacent objects. Combined, these provide a reliable exploitation path that is more stable than typical single-primitive vulnerabilities.

RemediationAI

Update Chrome to 137.0.7151.68+. Update all Chromium-based browsers. Enable auto-updates organization-wide.

More from same product – last 7 days

CVE-2026-12440 CRITICAL Act Now

9.6 Jun 17

Use after free in DigitalCredentials in Google Chrome on Windows prior to 149.0.7827.155 allowed a remote attacker to po

CVE-2026-12443 HIGH This Week

8.8 Jun 17

Use after free in Web Authentication in Google Chrome prior to 149.0.7827.155 allowed a remote attacker to execute arbit

CVE-2026-12442 HIGH This Week

8.8 Jun 17

Use after free in Passwords in Google Chrome on Android prior to 149.0.7827.155 allowed a remote attacker to execute arb

CVE-2026-12447 HIGH This Week

8.8 Jun 17

Heap buffer overflow in WebRTC in Google Chrome prior to 149.0.7827.155 allowed a remote attacker to execute arbitrary c

CVE-2026-12441 HIGH This Week

8.8 Jun 17

Use after free in File Input in Google Chrome on Linux prior to 149.0.7827.155 allowed a remote attacker to potentially

Vendor StatusVendor

Ubuntu

Priority: Medium

chromium-browser

Release	Status	Version
jammy	not-affected	code not present
noble	not-affected	code not present
oracular	not-affected	code not present
plucky	not-affected	code not present
upstream	released	-

Debian

chromium

Release	Status	Fixed Version	Urgency
bullseye (security), bullseye	vulnerable	120.0.6099.224-1~deb11u1	-
bookworm	fixed	137.0.7151.68-1~deb12u1	-
bookworm (security)	fixed	146.0.7680.71-1~deb12u1	-
trixie	fixed	145.0.7632.159-1~deb13u1	-
trixie (security)	fixed	146.0.7680.71-1~deb13u1	-
forky, sid	fixed	146.0.7680.71-1	-
bullseye	fixed	(unfixed)	end-of-life
(unstable)	fixed	137.0.7151.68-1	-

DSA-5935-1

SUSE

Severity: High

Product	Status
SUSE Package Hub 15 SP6	Fixed
openSUSE Leap 15.6	Fixed
openSUSE Leap 15.6 NonFree	Fixed
openSUSE Tumbleweed	Fixed
SUSE Package Hub 15 SP6	Fixed

CVE-2025-5419 vulnerability details – vuln.today

Back

Chrome CVE-2025-5419

Severity by source

CVSS VectorNVD

Lifecycle Timeline

DescriptionCVE.org

AnalysisAI

Technical ContextAI

RemediationAI

More from same product – last 7 days

Vendor StatusVendor

Ubuntu

Debian

SUSE

Share

External POC / Exploit Code