Google Releases Patch for Actively Exploited Chrome V8 Zero-Day
On 17 November, Google has released an emergency security update for Chrome to patch two vulnerabilities, including an actively exploited zero-day in the V8 JavaScript engine.
The zero-day, CVE-2025-13223 (CVSS 8.8), is a type confusion flaw in Chrome’s V8 JavaScript and WebAssembly engine. Successful exploitation could allow attackers to achieve arbitrary code execution or cause the browser to crash. According to the NIST NVD description, the bug could be triggered through a maliciously crafted HTML page and may lead to heap corruption.
The vulnerability was discovered and reported by Clément Lecigne of Google’s Threat Analysis Group (TAG) on November 12, 2025. While Google confirmed that the exploit is being used in the wild, it has not disclosed who is behind the attacks, who is being targeted, or the scale of the campaign.
With this patch, Google has now fixed seven zero-day vulnerabilities in Chrome this year that were either actively exploited or released as proof-of-concepts. Previous zero-days include CVE-2025-2783, CVE-2025-4664, CVE-2025-5419, CVE-2025-6554, CVE-2025-6558, and CVE-2025-10585.
CVE-2025-13223 is also the third actively exploited type confusion flaw in V8 this year.
Google also addressed a second V8 issue, CVE-2025-13224 (CVSS 8.8), another type confusion bug identified by the company’s AI agent, Big Sleep.
Users are strongly urged to update Chrome to the latest versions:
- Windows: 142.0.7444.175/.176
- macOS: 142.0.7444.176
- Linux: 142.0.7444.175
Sources:
