Google has released a security update for Chrome, patching two high-severity vulnerabilities in its V8 JavaScript engine, one of which, CVE-2025-13223, is already being actively exploited in the wild. This marks the seventh Chrome zero-day flaw fixed this year.
The newly addressed vulnerability, reported on November 12, 2025, by Clément Lecigne of Google's Threat Analysis Group (TAG), is a type confusion bug in V8, the JavaScript and WebAssembly engine that powers Chrome's execution of web content. Google has confirmed that this flaw has been exploited, although details on the nature and scope of the attacks remain under embargo until a majority of users have received the patch.
Type confusion bugs arise when a program allocates or accesses memory under the incorrect assumption about an object's type, potentially leading to unexpected behavior or memory corruption. In the context of a browser, such vulnerabilities can be weaponized by attackers to trigger heap corruption using specially crafted HTML or JavaScript content. If successfully exploited, they may enable remote code execution within the browser context and, if chained with other flaws, potentially allow sandbox escape or broader system compromise.
The patched version, 142.0.7444.175 for Linux and Windows, and 142.0.7444.176 for macOS, is currently rolling out to stable channel users and will reach the wider user base in the coming days and weeks.
A second vulnerability, CVE-2025-13224, also classified as high-severity and involving a separate type confusion issue in V8, was reported earlier on October 9 by Google's internal “Big Sleep” security team.
Google Chrome, developed by Google and currently holding over 60% of the global desktop browser market share, is a cornerstone of modern web interaction. Given its widespread use and integration into enterprise and consumer environments, actively exploited vulnerabilities in Chrome represent significant security risks with potential implications for millions of users worldwide.
This latest zero-day is part of a steady stream of critical browser flaws uncovered in 2025. Previous Chrome zero-days addressed this year include multiple type confusion and memory corruption vulnerabilities in V8 and related components, several of which were also discovered by TAG or Google's internal research teams. The regular targeting of Chrome's JavaScript engine highlights both its complexity and its attractiveness as an attack surface.
To mitigate the risk of exploitation, users are strongly advised to update Chrome to the latest stable version as soon as possible. This can be done by navigating to Settings > About Chrome, where the browser will automatically check for updates and prompt for a restart once installed. You may also enable automatic updates to receive patches promptly.
Leave a Reply