Fragility in JavaScript Engine
The Chrome team described the vulnerability as memory reads and writes to V8 in scope, which is Chrome’s JavaScript and WebAssembly engine. The open source V8 engine is also used in other projects, including the Node.js runtime. Since the engine is designed to interpret and execute JavaScript and WebAssembly code, the vulnerability could be triggered remotely by simply accessing users who load the webpage that maliciously makes code.
“Access to error details and links can be restricted until most users update with fixes,” Google said in its consultation. “We will also retain restrictions if the error exists in third-party libraries that other projects also rely on but are not yet resolved.”
In addition to CVE-2025-5419, the new Chrome update also fixes memory errors after use in moderate severity in the browser’s rendering engine Blink. This vulnerability was reported privately by a researcher who received a $1,000 bounty.
