Google has urgently patched a critical zero-day vulnerability in its Chrome browser after confirming active exploitation by threat actors.
The flaw, tracked as CVE-2025-13223, affects the V8 JavaScript engine and allows attackers to corrupt memory through malicious web pages, potentially leading to remote code execution on users’ devices.
This update marks the seventh Chrome zero-day fixed in 2025, highlighting ongoing risks in browser security.
The vulnerability was discovered on November 12, 2025, by Clément Lecigne from Google’s Threat Analysis Group, which specializes in tracking nation-state spyware and advanced persistent threats.
Google rolled out the fix in version 142.0.7444.175 for Windows and Linux, and 142.0.7444.176 for Mac, starting November 17, 2025. Details on the exact exploitation method remain restricted to protect unpatched users.
However, the issue is a type confusion: the V8 engine misinterprets the type of data held in memory, which enables heap corruption.
Attackers can trigger this by luring victims to compromised websites, without needing additional privileges beyond normal browsing.
Vulnerability Details
Type confusion bugs like CVE-2025-13223 occur when V8 incorrectly handles object types during JavaScript execution, treating one data structure as another and bypassing memory safeguards.
This leads to heap corruption, allowing attackers to overwrite critical memory regions and execute arbitrary code within the browser’s sandbox.
Technically, the flaw exploits weaknesses in V8’s just-in-time compiler, which optimizes JavaScript for speed but can introduce type mismatches if not correctly validated.
Once exploited, it could be chained with other vulnerabilities to achieve full system compromise, such as stealing sensitive data or installing malware.
The patch addresses this by refining type checks in V8’s memory management, preventing confusion during object allocation and access.
Google also fixed CVE-2025-13224 in the same update, another V8 type confusion found by its AI tool Big Sleep on October 9, 2025, though it lacks confirmed exploits.
Both carry a CVSS score of 8.8, rated high severity due to the network attack vector and low complexity.
| CVE ID | Affected Products | Impact | Exploit Prerequisites | CVSS Score |
|---|---|---|---|---|
| CVE-2025-13223 | Google Chrome < 142.0.7444.175 (Win/Linux), < 142.0.7444.176 (Mac); Chromium-based browsers | Heap corruption, potential RCE | User visits crafted HTML page | 8.8 |
| CVE-2025-13224 | Google Chrome < 142.0.7444.175 (Win/Linux), < 142.0.7444.176 (Mac); Chromium-based browsers | Heap corruption, potential RCE | User visits crafted HTML page | 8.8 |
Mitigation Steps
Users should immediately update Chrome via the built-in updater or download from official sources to block exploits.
Enterprise admins must enforce auto-updates and monitor for anomalous browser behavior, like unexpected crashes.
While no specific indicators of compromise are public, Google’s Threat Analysis Group suggests this targets high-value individuals via espionage campaigns.
Broader defenses include enabling site isolation in Chrome flags and using endpoint detection tools to scan for V8-related anomalies.
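For admins verifying the rollout, the following added example (not Google's tooling or code from the original article) checks a Chrome inventory against the fixed builds listed in the table above. The record layout, hostnames and function names are assumptions made for illustration.

```python
import re

# First fixed Google Chrome builds per platform, as stated in the article.
FIXED = {
    "windows": (142, 0, 7444, 175),
    "linux": (142, 0, 7444, 175),
    "mac": (142, 0, 7444, 176),
}
VERSION_RE = re.compile(r"\d+(?:\.\d+){3}")

def parse_version(text):
    """Return a 4-part version as a tuple of ints, or None if malformed."""
    text = text.strip()
    if not VERSION_RE.fullmatch(text):
        return None
    return tuple(int(part) for part in text.split("."))

def assess(platform, version_text):
    """Classify one install as 'patched', 'vulnerable' or 'unknown'."""
    fixed = FIXED.get(platform.strip().lower())
    version = parse_version(version_text)
    if fixed is None or version is None:
        return "unknown"  # unparseable data is never treated as safe
    # Tuple comparison is numeric per component; comparing the raw strings
    # would wrongly rank "142.0.7444.99" above "142.0.7444.175".
    return "patched" if version >= fixed else "vulnerable"

def triage(inventory):
    """Group hostnames by status for (host, platform, version) records."""
    result = {"patched": [], "vulnerable": [], "unknown": []}
    for host, platform, version_text in inventory:
        result[assess(platform, version_text)].append(host)
    return result

# Constructed sample inventory (hostnames and record layout are hypothetical).
# Covers Google Chrome only: other Chromium-based browsers number their
# releases differently and need their own vendor's fixed version.
SAMPLE_INVENTORY = [
    ("ws-001", "Windows", "142.0.7444.175"),
    ("ws-002", "Windows", "142.0.7444.99"),
    ("mac-001", "Mac", "142.0.7444.175"),
    ("lnx-001", "Linux", "143.0.7499.40"),
    ("ws-003", "Windows", "unknown build"),
]

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{status}: {', '.join(hosts) or '-'}")
```

Hosts reported as unknown should be followed up rather than assumed patched.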
This incident underscores the persistent threats to web browsers, where V8’s performance optimizations create exploitable edges.
With over 2 billion users, rapid patching is crucial to limit damage from real-world attacks.
Security researchers continue to use tools like AddressSanitizer and libFuzzer to hunt similar flaws before they escape.





