More work for admins as Google patches latest zero-day Chrome vulnerability

For the third time in recent months, Google has found itself scrambling to fix a potentially serious zero-day flaw in the Chrome browser’s V8 JavaScript engine.

Addressed on Monday as part of an emergency ‘out-of-band’ patch, the vulnerability identified as CVE-2025-13223 was discovered by Clément Lecigne of Google’s in-house Threat Analysis Group (TAG).

At some point, the company also uncovered evidence that the flaw, rated ‘high’ with a CVSS score of 8.8, was being exploited in the wild.

As is customary to avoid giving other threat groups clues, Google’s advisory offers no detail on this discovery, merely stating: “Google is aware that an exploit for CVE-2025-13223 exists in the wild.”

Type confusion

The vulnerability description is just as sparse, mentioning only that the vulnerability is a Type Confusion flaw affecting the V8 JavaScript engine. This is a core element not only of Chrome, but also other Chromium-based browsers, including Microsoft Edge, Brave, and Opera.

The latter point is significant given that Chromium browsers are by some distance the most widely used consumer and business browsers in the world. Not surprisingly, Google added the following boilerplate statement to its latest advisory:

“Access to bug details and links may be kept restricted until a majority of users are updated with a fix. We will also retain restrictions if the bug exists in a third-party library that other projects similarly depend on, but haven’t yet fixed.”

In the case of third-party apps, that could take some time. In short, don’t hold your breath if you’re expecting a more detailed explanation of CVE-2025-13223.

The V8 engine was introduced by Google in 2008 to speed up JavaScript, a C++ scripting technology fundamental to modern web technology. Type Confusion is a class of vulnerability that in this type of C-coded component can cause memory corruption, out-of-bounds access, and in the worst-case scenario, code execution.

This raises the possibility that CVE-2025-13223 can be exploited without user interaction by luring a user to a booby-trapped website. Google’s advisory doesn’t say, while the National Vulnerability (NVD) entry says only: “Type Confusion in V8 in Google Chrome prior to 142.0.7444.175 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.” However, given that many V8 engine vulnerabilities make this kind of exploit possible, security administrators should assume it is a risk and patch Chrome as a priority.

Enterprise updating

The latest update also addresses a separate Type Confusion vulnerability in the V8 engine, CVE-2025-13224, also rated as ‘high’ priority. So far, there is no indication that this is under exploit.

Enterprise customers can address both flaws by updating to Chrome version 142.0.7444.175/.176 for Windows, version 142.0.7444.176 for Mac, and version 142.0.7444.175 for Linux.

Normally, enterprises patch every eight weeks on the Extended Stable Channel (ESC), allowing plenty of time for testing. In contrast, patches for zero-day vulnerabilities will usually be applied manually within days.

“For enterprise admins, the toll is real, because zero days mean a sweaty scramble to get fast patching and testing. And because Chrome updates come without real warning, hard and often, teams don’t get a break,” commented Zbyněk Sopuch, CTO of risk management company Safetica.

“The pattern here is that shared components multiply the blast radius, and until the wider community patches in an organized way, V8 stays one of the ripest targets in the room,” he added.

Attackers are always looking for ways to target V8, he said, because it allows them to “aim at the entire beehive. Admins are lying awake at night because of Chrome and the unknown list of apps that quietly run the same engine.”

Chrome has suffered two other confirmed zero days in the V8 engine in 2025, from a tally of seven across Chrome as a whole. The V8 flaws were CVE-2025-5419 in June and CVE-2025-10585 in September. Seven zero days sounds like a lot, but the annual count has been around this level for some time.