Google Issues Emergency Update For All 3 Billion Chrome Users

Posted by Zak Doffman, Contributor | 19 hours ago


Republished on June 5 with new 21-day emergency update deadline for Chrome users.

Google released an emergency Chrome update Tuesday, warning that a vulnerability discovered by its Threat Analysis Group has been used in attacks. Such is the severity of the risk that Google also confirmed that ahead of this update, the issue “was mitigated on 2025-05-28 by a configuration change” pushed out to all platforms.

Google says it “is aware that an exploit for CVE-2025-5419 exists in the wild,” and that full access to details on the vulnerability will “be kept restricted until a majority of users are updated with a fix. We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven’t yet fixed.”

CVE-2025-5419 is an out-of-bounds read and write in V8, the type of dangerous memory flaw typically found and fixed on the world’s most popular browser. While it’s only marked as high severity, the fact attacks have been confirmed underway means applying the fix is critical — you do not want to leave your browser at risk.


There is already a U.S. government mandate for federal staff to update Chrome by Thursday or stop using the browser, after a separate attack warning. And there has been another release since then, with two high-severity fixes. It is inevitable that this latest warning and update will also prompt CISA to issue a 21-day update mandate.

There is a second fix included in this emergency update — CVE-2025-5068 is another memory issue, a “use after free in Blink,” that was disclosed by an external researcher.

NIST warns that CVE-2025-5419 “allows a remote attacker to potentially exploit heap corruption via a crafted HTML page,” and that it applies across Chromium, suggesting other browsers will also issue emergency patches.

America’s cyber defense agency has now issued a 21-day deadline for federal staff to update or stop using browsers. This was issued on June 5 and runs to June 26. While the deadline is only mandatory for federal staff, CISA’s remit is to help “every organization better manage vulnerabilities and keep pace with threat activity.”


CISA says “Google Chromium V8 contains an out-of-bounds read and write vulnerability that could allow a remote attacker to potentially exploit heap corruption via a crafted HTML page.” Users should “apply mitigations per vendor instructions,” or “discontinue use of the product if mitigations are unavailable.”

While Google’s warning and most headlines have focused on Chrome itself, CISA reminds users that “this vulnerability could affect multiple web browsers that utilize Chromium, including, but not limited to, Google Chrome, Microsoft Edge, and Opera.” Microsoft has updated Edge, warning this latest update “contains a fix for CVE-2025-5419 which has been reported by the Chromium team as having an exploit in the wild.”

As usual, you should see a flag on your browser that the update has downloaded. You need to restart Chrome to ensure it takes full effect. All your normal tabs will then reopen — unless you elect not to do that. But your Incognito tabs will not reopen, so make sure you save any work or copy down any URLs you want to revisit.



Forbes
