How to fix CVE-2025-5419?

Within 24 hours: Issue urgent advisory to all users prohibiting Chrome use for sensitive tasks and directing IT to inventory Chrome deployments. Within 7 days: Monitor Chrome release status for patch availability and prepare forced update procedures; implement network controls to block known attack vectors where feasible. Within 30 days: Deploy Chrome version 137.0.7151.68 or later across all organizational devices through MDM/endpoint management; conduct security awareness training on phishing and malicious link risks.

Is Heap Overflow affected by CVE-2025-5419?

CVE-2025-5419 is an actively exploited heap corruption vulnerability in Google Chrome affecting all users prior to version 137.0.7151.68.

CVE-2025-5419

EUVD-2025-16695 HIGH

2025-06-03 [email protected]

8.8

CVSS 3.1

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Patch Released

Mar 31, 2026 - 21:13 nvd

Patch available

Analysis Generated

Mar 14, 2026 - 17:04 vuln.today

EUVD ID Assigned

Mar 14, 2026 - 17:04 euvd

EUVD-2025-16695

PoC Detected

Oct 24, 2025 - 14:06 vuln.today

Public exploit code

Added to CISA KEV

Oct 24, 2025 - 14:06 cisa

CISA KEV

CVE Published

Jun 03, 2025 - 00:15 nvd

HIGH 8.8

Description

Out of bounds read and write in V8 in Google Chrome prior to 137.0.7151.68 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

Analysis

Chrome's V8 JavaScript engine contains an out-of-bounds read and write vulnerability (CVE-2025-5419, CVSS 8.8) enabling remote heap corruption through crafted HTML pages. KEV-listed with EPSS 3.0% and public PoC, this vulnerability provides both read and write primitives in V8's heap, making it highly reliable for exploitation.

Technical Context

The vulnerability provides both out-of-bounds read and write capabilities in V8's heap, which is particularly valuable for exploitation. The read primitive allows the attacker to leak memory layout information (defeating ASLR), while the write primitive enables corruption of adjacent objects. Combined, these provide a reliable exploitation path that is more stable than typical single-primitive vulnerabilities.

Affected Products

['Google Chrome prior to 137.0.7151.68', 'All Chromium-based browsers']

Remediation

Update Chrome to 137.0.7151.68+. Update all Chromium-based browsers. Enable auto-updates organization-wide.

Priority Score

117

Low Medium High Critical

KEV: +50

EPSS: +3.0

CVSS: +44

POC: +20

Vendor Status

Ubuntu

Priority: Medium

chromium-browser

Release	Status	Version
jammy	not-affected	code not present
noble	not-affected	code not present
oracular	not-affected	code not present
plucky	not-affected	code not present
upstream	released	-

Debian

chromium

Release	Status	Fixed Version	Urgency
bullseye (security), bullseye	vulnerable	120.0.6099.224-1~deb11u1	-
bookworm	fixed	137.0.7151.68-1~deb12u1	-
bookworm (security)	fixed	146.0.7680.71-1~deb12u1	-
trixie	fixed	145.0.7632.159-1~deb13u1	-
trixie (security)	fixed	146.0.7680.71-1~deb13u1	-
forky, sid	fixed	146.0.7680.71-1	-
bullseye	fixed	(unfixed)	end-of-life
(unstable)	fixed	137.0.7151.68-1	-

DSA-5935-1

CVE-2025-5419 vulnerability details – vuln.today

Back

CVE-2025-5419

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Vendor Status

Ubuntu

Debian

Share

CVE-2025-5419

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Vendor Status

Ubuntu

Debian

Share

External POC / Exploit Code