Google Chrome is affected by a critical, actively exploited zero-day vulnerability in its V8 engine that permits remote code execution.

This is an out-of-bounds read and write vulnerability within the V8 JavaScript and WebAssembly engine. An unauthenticated remote attacker can exploit this flaw by enticing a user to navigate to a maliciously crafted HTML page, leading to heap corruption.

The CVSS score of 8.8 reflects the high severity of this flaw, which enables remote attackers to compromise browser integrity. Successful exploitation could lead to arbitrary code execution, resulting in full system compromise, sensitive data exfiltration, and significant reputational damage. The urgency is further elevated by its inclusion in the CISA Known Exploited Vulnerabilities (KEV) catalog.

Immediate Action: Update Google Chrome to version 137.0.7151.68 (Linux) or 137.0.7151.68/.69 (Windows and Mac) immediately. Users of Microsoft Edge should apply the update to version 137.0.3296.62.

Proactive Monitoring: Review enterprise network logs for connections to unknown or suspicious domains that may serve malicious payloads designed to trigger V8 heap corruption.

Compensating Controls: Ensure that Endpoint Detection and Response (EDR) solutions are updated and configured to detect anomalous process behavior originating from the browser.

Public Exploit Available: True

Given the confirmed active exploitation and the critical nature of V8 engine vulnerabilities, organizations must prioritize this update above all other maintenance tasks. Failure to patch exposes the organization to high-risk browser-based attacks that can bypass standard security perimeters.