Vulnerability in the JavaScript engine
The Chrome team described the vulnerability as an out of bounds memory read and write in V8, which is Chrome’s JavaScript and WebAssembly engine. The open-source V8 engine is used in other projects as well, including the Node.js runtime. Because the engine is designed to interpret and execute JavaScript and WebAssembly code, the vulnerability can likely be triggered remotely by users simply visiting web pages that load maliciously crafted code.
“Access to bug details and links may be kept restricted until a majority of users are updated with a fix,” Google said in its advisory. “We will also retain restrictions if the bug exists in a third-party library that other projects similarly depend on, but haven’t yet fixed.”
Aside from CVE-2025-5419, the new Chrome update also fixes a medium-severity use-after-free memory bug in Blink, the browser’s rendering engine. This vulnerability was privately reported by a researcher who received a $1,000 bounty for it.
