The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2025-13223, a high-severity type confusion vulnerability in Google Chromium’s V8 JavaScript engine, to its Known Exploited Vulnerabilities (KEV) catalog.
This zero-day flaw allows remote attackers to trigger heap corruption via specially crafted HTML pages, potentially leading to arbitrary code execution on affected systems.
Added on November 19, 2025, with a federal remediation deadline of December 10, 2025, the vulnerability underscores urgent risks for Chrome users worldwide.
Google’s Threat Analysis Group (TAG) researcher Clément Lecigne reported the issue on November 12, 2025, confirming active in-the-wild exploitation.
The company acknowledged an existing exploit and rushed a patch in the Stable Channel Update to version 142.0.7444.175 or later for Windows, Mac, and Linux.
This marks the seventh Chrome zero-day patched in 2025, highlighting persistent threats to the browser’s rendering engine.
Attackers exploit the flaw through drive-by downloads, where victims need only visit malicious sites; no further interaction is required beyond rendering content.
At its core, CVE-2025-13223 (CWE-843) occurs when V8 misinterprets object data types during just-in-time compilation, corrupting heap memory and enabling attackers to overwrite critical structures.
The CVSS v3.1 base score stands at 8.8 (High): Attack Vector (Network), Attack Complexity (Low), Privileges Required (None), User Interaction (Required), Scope (Unchanged), with High impacts to Confidentiality, Integrity, and Availability.
Chromium-based browsers like Microsoft Edge, Brave, and Opera face similar risks if unpatched.
Vulnerability Details

| CVE ID | Affected Products | Impact | Exploit Prerequisites | CVSS Score |
|---|---|---|---|---|
| CVE-2025-13223 | Google Chrome (<142.0.7444.175), Chromium-based browsers (Edge, Brave) | Heap corruption, remote code execution | Visit crafted HTML page; no privileges needed | 8.8 (High) |

CISA urges organizations to apply vendor mitigations immediately, per Binding Operational Directive (BOD) 22-01 for federal systems.
Users should update Chrome via Settings > About Chrome, enable auto-updates, and monitor for suspicious activity.
Network defenders can prioritize patching using the KEV catalog’s CSV or JSON feeds for automated scans. Discontinue unpatchable products if needed.
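As an added illustration (not code from CISA, Google, or this article), the sketch below joins a KEV JSON entry against a host inventory to list machines still below the fixed Chrome build, ordered by urgency. The inventory rows, the hand-maintained `FIXED_IN` map, and the function names are assumptions; the KEV excerpt is constructed in the shape of the published feed.

```python
import json
from datetime import date

# Constructed excerpt in the shape of CISA's KEV JSON feed; the values for
# this entry (CVE, dateAdded, dueDate) are the ones given in the article.
KEV_JSON = """
{"title": "CISA Catalog of Known Exploited Vulnerabilities",
 "vulnerabilities": [
  {"cveID": "CVE-2025-13223", "vendorProject": "Google",
   "product": "Chromium V8", "dateAdded": "2025-11-19",
   "dueDate": "2025-12-10"}
 ]}
"""

# Assumption: the feed carries no fixed-version data, so this map is kept
# by hand from vendor advisories (fixed build taken from the article).
FIXED_IN = {"CVE-2025-13223": {"chrome": "142.0.7444.175"}}

# Constructed inventory rows: (host, product, installed version).
INVENTORY = [
    ("ws-001", "chrome", "142.0.7444.175"),
    ("ws-002", "chrome", "142.0.7444.59"),
    ("ws-003", "chrome", "141.0.7390.122"),
    ("ws-004", "chrome", "143.0.7499.40"),
]

def vtuple(version):
    """'142.0.7444.59' -> (142, 0, 7444, 59). Comparing the raw strings
    would rank '...59' above '...175' and miss an unpatched host."""
    return tuple(int(part) for part in version.split("."))

def kev_findings(kev_json, inventory, fixed_in, today):
    """Return (host, cve, installed, fixed, days_left) for unpatched hosts."""
    findings = []
    for vuln in json.loads(kev_json)["vulnerabilities"]:
        cve = vuln["cveID"]
        due = date.fromisoformat(vuln["dueDate"])
        for host, product, installed in inventory:
            fixed = fixed_in.get(cve, {}).get(product)
            if fixed and vtuple(installed) < vtuple(fixed):
                findings.append((host, cve, installed, fixed, (due - today).days))
    # Most urgent first: fewest days to the KEV due date, then oldest build.
    return sorted(findings, key=lambda f: (f[4], vtuple(f[2])))

if __name__ == "__main__":
    for row in kev_findings(KEV_JSON, INVENTORY, FIXED_IN, date(2025, 11, 20)):
        print(row)
```

A negative `days_left` means the KEV due date has already passed for that host.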
Google’s rapid response fixed the flaw alongside CVE-2025-13224, another V8 type confusion found by its AI agent Big Sleep.
Threat actors, possibly nation-state linked via TAG investigations, leverage this for initial access in broader campaigns.
Security teams must integrate KEV into their vulnerability management processes as exploitation reports grow.
With billions of users exposed, timely updates remain the primary defense against such browser-centric threats.





