
Google Addresses Critical Chrome Vulnerability Actively Exploited in the Wild

  • Nov 18, 2025

Key Findings


  • Google released security updates for Chrome to address two security flaws, including one that is being actively exploited in the wild.

  • The actively exploited vulnerability is CVE-2025-13223, a type confusion vulnerability in the V8 JavaScript and WebAssembly engine that could lead to arbitrary code execution or program crashes.

  • Clément Lecigne of Google's Threat Analysis Group (TAG) discovered and reported the flaw on November 12, 2025.

  • Google has not provided details on who is behind the attacks or who may have been targeted.

  • CVE-2025-13223 is the third actively exploited type confusion bug discovered in V8 this year.


Background


  • Google's Chrome browser is one of the most widely used web browsers.

  • The V8 JavaScript and WebAssembly engine is a critical component of Chrome, responsible for executing JavaScript and WebAssembly code.

  • Type confusion vulnerabilities in the V8 engine have been a recurring issue, as they can lead to serious security consequences, including arbitrary code execution.


Details on the Vulnerabilities


  • CVE-2025-13223 is a type confusion vulnerability in the V8 engine that could be exploited to achieve arbitrary code execution or program crashes.

  • Google has confirmed that an exploit for CVE-2025-13223 exists in the wild.

  • In addition to CVE-2025-13223, Google also patched another type confusion vulnerability in V8 (CVE-2025-13224), which was flagged by its AI agent, Big Sleep.

  • Both CVE-2025-13223 and CVE-2025-13224 have a CVSS score of 8.8, indicating a high severity.


Mitigating the Threats


  • Google has released security updates for Chrome to address these vulnerabilities, and users are advised to update their browsers to the latest versions:

  • Windows: 142.0.7444.175/.176

  • macOS: 142.0.7444.176

  • Linux: 142.0.7444.175

  • Users can navigate to "More > Help > About Google Chrome" and select "Relaunch" to ensure the latest updates are installed.

  • Users of other Chromium-based browsers, such as Microsoft Edge, Brave, Opera, and Vivaldi, are also advised to apply the fixes as they become available.


Conclusion


The discovery of an actively exploited Chrome zero-day vulnerability in the V8 engine is a significant security concern. Google's prompt response in releasing a security update to address the issue is commendable, and users should prioritize updating their browsers to stay protected against this threat.


