Google fixed the seventh Chrome zero-day in 2025

Pierluigi Paganini
November 18, 2025

Google patched two Chrome flaws, including a V8 type-confusion bug, tracked as CVE-2025-13223, which was exploited in the wild.

Google released Chrome security updates to address two flaws, including a high-severity V8 type confusion bug tracked as CVE-2025-13223 that has been actively exploited in the wild.

The Chrome V8 engine is Google’s open-source JavaScript and WebAssembly engine, written in C++, that executes code for browsers like Google Chrome and applications like Node.js.

A type confusion issue happens when software misinterprets a piece of memory as the wrong type of object. This confusion can let attackers corrupt memory, crash the program, or execute malicious code. It’s common in C/C++ apps like browsers, where weak memory safety makes such exploits possible.

An attacker can trigger the vulnerability via a crafted HTML page to achieve code execution or cause crashes.

The flaw impacts the V8 script engine in Google Chrome before 142.0.7444.175.

“Type Confusion in V8 in Google Chrome prior to 142.0.7444.175 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)” reads NIST’s advisory.

“Google is aware that an exploit for CVE-2025-13223 exists in the wild.” reads the advisory.

Clément Lecigne of Google’s Threat Analysis Group (TAG) reported the vulnerability on November 12, 2025. Google’s TAG team investigates attacks by nation-state actors and commercial spyware vendors. One of these threat actors likely exploited the issue in the wild. As usual, Google has not shared any details on the attacks exploiting this vulnerability.

The IT giant also addressed CVE-2025-13224, another type confusion issue in V8. Google discovered the vulnerability using Big Sleep on October 9, 2025.

Users should update Chrome to version 142.0.7444.175/.176, depending on their OS, and relaunch the browser to apply the fixes.

CVE-2025-13223 is the seventh Chrome zero-day vulnerability that has been actively exploited in the wild in 2025. The other zero-day flaws addressed by Google this year are:

  • CVE-2025-10585 – The vulnerability is a type confusion issue in the V8 JavaScript and WebAssembly engine.
  • CVE-2025-6558 – The vulnerability is an insufficient validation of untrusted input in ANGLE and GPU in Google Chrome prior to 138.0.7204.157 that can allow a remote attacker to potentially perform a sandbox escape via a crafted HTML page.
  • CVE-2025-5419 – The vulnerability is an out-of-bounds read and write in the V8 JavaScript engine in Google Chrome prior. An attacker can exploit the flaw to trigger a heap corruption via a crafted HTML page. The flaw is actively exploited in the wild.
  • CVE-2025-4664 – The vulnerability is a Chrome browser vulnerability that could lead to full account takeover. Google is aware that an exploit for CVE-2025-5419 exists in the wild.
  • CVE-2025-2783 – The vulnerability is an incorrect handle provided in unspecified circumstances in Mojo on Windows. Kaspersky researchers Boris Larin (@oct0xor) and Igor Kuznetsov (@2igosha) reported the vulnerability on March 20, 2025. Google released out-of-band fixes to address the high-severity security vulnerability in the Chrome browser for Windows. The flaw was actively exploited in attacks targeting organizations in Russia.
  • CVE-2025-6554 – The vulnerability is a type confusion issue that resides in the V8 JavaScript and WebAssembly engine.
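
To check a fleet against the update guidance and the fixed builds quoted above, the following added example (not code from Google or the original article) flags hosts whose Chrome build predates a stated fix. Only the two "prior to" versions given on this page are used; the host names and inventory strings are constructed, and the function names are illustrative.

```python
import re

# Fixed builds as stated in the article (builds "prior to" these are affected).
FIXED_IN = {
    "CVE-2025-13223": "142.0.7444.175",
    "CVE-2025-6558": "138.0.7204.157",
}

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Extract a four-part Chrome version as a tuple of ints, or None."""
    match = _VERSION_RE.search(text or "")
    return tuple(int(part) for part in match.groups()) if match else None


def unpatched_cves(version_text):
    """Return the CVEs from FIXED_IN that the given build is still exposed to.

    Returns None when no version can be parsed, so unknown hosts are
    reported separately instead of being treated as patched.
    """
    installed = parse_version(version_text)
    if installed is None:
        return None
    # Tuple comparison is numeric per component; comparing the raw strings
    # would rank "142.0.7444.99" above "142.0.7444.175".
    return sorted(cve for cve, fixed in FIXED_IN.items()
                  if installed < parse_version(fixed))


def audit(inventory):
    """Map each host to its unpatched CVEs (None = version unknown)."""
    return {host: unpatched_cves(raw) for host, raw in inventory.items()}


# Constructed inventory: host names and version strings are made up.
SAMPLE_INVENTORY = {
    "ws-01": "Google Chrome 142.0.7444.176",
    "ws-02": "Google Chrome 142.0.7444.99",
    "ws-03": "138.0.7204.100",
    "ws-04": "unknown",
}

if __name__ == "__main__":
    for host, cves in audit(SAMPLE_INVENTORY).items():
        status = "version unknown" if cves is None else (", ".join(cves) or "patched")
        print(f"{host}: {status}")
```

Hosts reported as "version unknown" need a manual check, since a failed inventory read says nothing about patch level.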

Pierluigi Paganini

(SecurityAffairs – hacking, zero-day)