Google Chrome V8 JavaScript engine out-of-bounds read/write vulnerability (CVE-2025-5419)

The vulnerability stems from the V8 TurboFan compiler's incorrect handling of dynamically indexed loads during store-store elimination: alias relationships are misclassified, critical store operations are wrongly eliminated, and the result is out-of-bounds memory access. An attacker can lure a user to a specially crafted HTML page that executes malicious JavaScript, exploit the vulnerability to achieve remote code execution and sandbox escape, and ultimately take full control of the victim's device.

1. Overview of vulnerabilities:

CVE-2025-5419 is a high-risk out-of-bounds read/write vulnerability in the Chrome V8 JavaScript engine, discovered on May 27, 2025 by the Google Threat Analysis Group. The vulnerability stems from the V8 TurboFan compiler's mishandling of dynamically indexed loads during store-store elimination: an alias relationship is misclassified, critical store operations are incorrectly eliminated, and subsequent memory accesses go out of bounds.

An attacker can lure a user to a specially crafted HTML page that executes malicious JavaScript, exploit the vulnerability to achieve remote code execution and sandbox escape, and ultimately take full control of the victim's device.

The vulnerability affects all Chromium-based browsers, including Chrome, Edge, Opera, Brave, and Vivaldi, and has been exploited in the wild. Google has released a fix and recommends that users update to Chrome 137.0.7151.68/.69 or later immediately.

2. Impact assessment

Affected platforms:

Google Chrome on Windows
Google Chrome on macOS
Google Chrome on Linux systems

Affected browsers:

Google Chrome
Microsoft Edge
Opera
Brave
Vivaldi
Other browsers based on the Chromium engine

Affected versions:

Google Chrome (Windows/Mac) below version 137.0.7151.68/.69
Google Chrome (Linux) below version 137.0.7151.68
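A practitioner triaging this advisory usually has to decide, from an inventory of reported browser versions, which installs still predate the fixed build. The following Python check is an added example and not part of the original article: the `FIXED_BUILDS` table encodes the fixed versions stated above (Windows/Mac 137.0.7151.68/.69, Linux 137.0.7151.68), and the function names and the inventory records are constructed for illustration. The one point it demonstrates that the list above does not is that Chrome versions must be compared as integer tuples, not as strings, or a build such as 137.0.7151.7 would sort after 137.0.7151.68 and be misreported as patched.

```python
"""Flag Chrome builds that predate the CVE-2025-5419 fix (added example, not from the article)."""
from __future__ import annotations

# First fixed build per platform, taken from the advisory text above.
# Windows/macOS shipped .68 and .69; Linux shipped .68. Any build below the
# platform's lowest fixed build is affected. Other Chromium-based browsers
# (Edge, Opera, Brave, Vivaldi) use their own version schemes and are not
# covered by this table.
FIXED_BUILDS: dict[str, tuple[int, ...]] = {
    "windows": (137, 0, 7151, 68),
    "mac": (137, 0, 7151, 68),
    "linux": (137, 0, 7151, 68),
}


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '137.0.7151.68' into (137, 0, 7151, 68).

    Comparing as integer tuples matters: as strings, '137.0.7151.7' > '137.0.7151.68',
    which would wrongly classify a vulnerable build as fixed.
    """
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a Chrome version string: {text!r}")
    return tuple(int(p) for p in parts)


def is_vulnerable(version: str, platform: str) -> bool:
    """True if the reported build is below the first fixed build for that platform."""
    fixed = FIXED_BUILDS[platform.lower()]
    return parse_version(version) < fixed


# Constructed inventory records (hostname, platform, reported Chrome version).
# These are sample values for the check, not real assets or real builds.
SAMPLE_INVENTORY = [
    ("ws-01", "windows", "136.0.7100.0"),
    ("ws-02", "windows", "137.0.7151.69"),
    ("mac-01", "mac", "137.0.7151.7"),
    ("srv-01", "linux", "137.0.7151.68"),
    ("srv-02", "linux", "138.0.7200.0"),
]


def triage(inventory: list[tuple[str, str, str]]) -> list[str]:
    """Return the hostnames that still need the Chrome 137.0.7151.68/.69 update."""
    return [host for host, platform, version in inventory if is_vulnerable(version, platform)]


if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print(f"{host}: update required (CVE-2025-5419)")
```

Feed `triage` the output of whatever collects browser versions in your environment (an endpoint agent export, a CSV from software inventory); the `ValueError` from `parse_version` surfaces records whose version field is empty or malformed rather than silently treating them as patched.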

Security risks:

Remote Code Execution (RCE): Attackers can take full control of user devices
Sensitive information leakage: can read sensitive data in system memory
Sandbox Escape: Bypassing the browser's sandbox protection mechanism
Data tampering: can modify critical data in system memory

Exploitation approach:

Triggered via a specially crafted HTML page
Requires user interaction (visiting the malicious web page)
Has been exploited in the wild


3. Technical analysis

V8 TurboFan Compiler Overview

TurboFan is the V8 engine's optimizing compiler; it performs its optimizations on an intermediate representation (IR). Key features include:

  • Uses the "Sea of Nodes" intermediate representation
  • Performs optimizations such as store-store elimination
  • Uses type inference and inline caching

Store-store elimination mechanism:

TurboFan implements store-store elimination within the EscapeAnalysisPhase:

  • Creates a VirtualObject to track each object's escape state
  • Marks StoreField nodes on non-escaping objects as removable
  • Re-analyzes dependent nodes through the Revisit mechanism
  • Finally replaces redundant store operations with a Dead node

Vulnerability triggering mechanism

The vulnerability stems from TurboFan's incorrect handling of dynamically indexed loads:

  • Store elimination depends on correct alias analysis
  • In dynamically indexed load scenarios, TurboFan misjudges the aliasing relationship between store operations
  • Critical store operations that must not be eliminated are marked as removable
  • Those critical store operations are then wrongly eliminated
  • Subsequent memory accesses go out of bounds

Memory corruption and arbitrary code execution:

  • Out-of-bounds accesses corrupt heap memory
  • Carefully constructed reads and writes give control over the memory layout
  • Combined with techniques such as ROP chains, this yields a sandbox escape
  • The end result is arbitrary code execution

4. Exploitation conditions

Carefully constructed JavaScript code

The attacker needs to construct specific array operations that drive TurboFan down the flawed optimization path.

User interaction

The user must visit a specially crafted HTML page containing the malicious JavaScript.

Vulnerable browser versions

Target systems need to be running a Chromium browser below version 137.0.7151.68/.69.

5. Vulnerability POC/EXP.


Original article by Chief Security Officer; if reproduced, please credit: https://cncso.com/en/cve-2025-5419-chrome-v8-javascript-engine-out-of-bounds-oob-read-write-vulnerability -html
