CVE-2025-5419 — Google Chromium V8 Out-of-Bounds Read and Write Vulnerability

Google Chrome V8 — OOB Read/Write Heap Corruption; Third Chrome Zero-Day of 2025; June 2025

What is Chrome's V8 JavaScript Engine?

V8 is Chrome's JavaScript and WebAssembly engine, shared by all Chromium-based browsers. Out-of-bounds read and write vulnerabilities in V8 allow access to heap memory outside allocated array or buffer bounds. Together, the read and write primitives are the building blocks for code execution: the OOB read leaks object addresses (defeating ASLR), while the OOB write allows overwriting security-critical data in adjacent heap objects.

Overview

CVE-2025-5419 is an out-of-bounds read and write vulnerability (CWE-125) in Chrome's V8 engine that allows heap corruption via a crafted HTML page. It was exploited as a zero-day before the June 3, 2025 patch, making it the third Chrome zero-day of 2025. CISA added it to the KEV catalog two days later with a 21-day deadline. All Chromium-based browsers (Chrome, Edge, Brave, Opera, Vivaldi) are affected.

Affected Versions

| Product | Vulnerable | Fixed |
|---|---|---|
| Google Chrome | Before June 3, 2025 stable update | June 3, 2025 stable update |
| Microsoft Edge | Corresponding pre-fix version | June 2025 Edge update |
| Other Chromium browsers | Varies | Update per vendor |

Technical Details

The out-of-bounds read and write (CWE-125) occurs in V8's array or typed array processing path. Crafted JavaScript causes an index or offset calculation to exceed the valid bounds of an allocated buffer. The combined read/write primitives allow:

  • OOB read: leaks heap memory contents to defeat ASLR
  • OOB write: corrupts adjacent heap objects, enabling pointer overwrite for code execution

With both primitives, an attacker achieves code execution in the Chrome renderer process, then typically chains with a sandbox escape to reach the OS level.

Exploitation Context

This is the third Chrome/V8 zero-day of 2025. The 2-day KEV gap reflects rapidly confirmed exploitation. V8 OOB vulnerabilities are a reliable exploitation primitive favored by sophisticated threat actors for targeted browser-based attacks.

Remediation

  1. Apply the June 3, 2025 Chrome update or any later version. CISA deadline: June 26, 2025.
  2. Update all Chromium-based browsers — V8 is shared across all Chromium derivatives.
  3. Enable automatic browser updates to minimize the window between future zero-day patches and deployment.

Key Details

| Property | Value |
|---|---|
| CVE ID | CVE-2025-5419 |
| Vendor / Product | Google — Chromium V8 |
| NVD Published | 2025-06-03 |
| NVD Last Modified | 2025-10-24 |
| CVSS 3.1 Score | 8.8 |
| CVSS 3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| Severity | HIGH |
| CWE | CWE-125 |
| CISA KEV Added | 2025-06-05 |
| CISA KEV Deadline | 2025-06-26 |
| Known Ransomware Use | No |

CVSS 3.1 Breakdown

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Required Action

CISA BOD 22-01 Deadline: 2025-06-26. Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Timeline

| Date | Event |
|---|---|
| 2025-06-03 | Chrome released with fix; zero-day exploitation confirmed |
| 2025-06-05 | CVE published; CISA adds to KEV |
| 2025-06-26 | CISA BOD 22-01 remediation deadline |

References

| Resource | Type |
|---|---|
| Chrome Stable Channel Update — June 3, 2025 | Vendor Advisory |
| NVD — CVE-2025-5419 | Vulnerability Database |
| CISA KEV Catalog Entry | US Government |