Google patches yet another exploited Chrome zero-day (CVE-2025-13223)
Google has shipped an emergency fix for a Chrome vulnerability (CVE-2025-13223) that its Threat Analysis Group (TAG) reported as actively exploited in the wild.
About CVE-2025-13223
CVE-2025-13223 is a type confusion vulnerability in V8, the JavaScript and WebAssembly engine used by Chrome and Chromium-based browsers.
The flaw allows remote attackers to exploit heap corruption via a specially crafted HTML page, and can lead to unauthorized actions such as accessing sensitive data. For the exploit to have a chance to work, targets must be tricked into visiting such a page.
CVE-2025-13223 and a second V8 type-confusion flaw, CVE-2025-13224, have been fixed in Chrome:
- v142.0.7444.175/.176 (for Windows)
- v142.0.7444.176 (for macOS)
- v142.0.7444.175 (for Linux)
CVE-2025-13223 was reported by Clément Lecigne of Google TAG, and CVE-2025-13224 was discovered by Big Sleep, Google’s autonomous AI-powered system for automated vulnerability research.
Zero-days affecting V8 are often exploited by attackers: in 2025 alone, Google fixed several of them after TAG researchers flagged related abuse.
Updates are available/incoming
Google says that the fixed Chrome versions will roll out over the coming days/weeks.
The browser is updated automatically once updates become available, but you can also manually trigger the update to a fixed version (go to Settings -> About Chrome) and then relaunch the application to finalize the upgrade.
Chromium-based browsers like Microsoft Edge, Brave, and Opera are expected to get these fixes soon, and Vivaldi maintainers have already delivered a fix for CVE-2025-13223.
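For teams tracking the rollout across many machines, the fixed builds listed above can be turned into an inventory check. The following is an added example, not code from Google or from this article; the inventory format, host names and function names are hypothetical, and it assumes any Google Chrome build numerically below the listed one for its platform still needs the update.

```python
"""Flag Google Chrome installs below the builds that fix CVE-2025-13223/-13224."""
import re

# Lowest fixed build per platform, taken from the article's list.
# Windows ships as .175/.176, so .175 is the minimum there.
# Other Chromium-based browsers use their own version numbers and are out of scope.
FIXED = {
    "windows": (142, 0, 7444, 175),
    "macos": (142, 0, 7444, 176),
    "linux": (142, 0, 7444, 175),
}

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Pull a four-part version out of strings such as
    'Google Chrome 142.0.7444.162'; return None when none is present."""
    match = _VERSION_RE.search(text or "")
    return tuple(int(part) for part in match.groups()) if match else None


def classify(platform, version_text):
    """Return 'patched', 'needs_update' or 'unknown' for one install."""
    fixed = FIXED.get(platform.lower())
    version = parse_version(version_text)
    if fixed is None or version is None:
        return "unknown"  # unlisted platform or unparseable version string
    # Tuples compare component by component, so 143.x sorts above 142.0.7444.x.
    return "patched" if version >= fixed else "needs_update"


def audit(inventory):
    """Map each host in (host, platform, version_text) rows to its status."""
    return {host: classify(platform, text) for host, platform, text in inventory}


# Constructed sample inventory (hypothetical hosts and version strings).
SAMPLE = [
    ("ws-01", "windows", "Google Chrome 142.0.7444.175"),
    ("ws-02", "windows", "142.0.7444.162"),
    ("mac-01", "macos", "142.0.7444.175"),  # below the macOS fixed build .176
    ("lin-01", "linux", "Google Chrome 143.0.7000.1"),
    ("lin-02", "linux", "not installed"),
]

if __name__ == "__main__":
    for host, status in audit(SAMPLE).items():
        print(f"{host}: {status}")
```

Because the upgrade is only finalized after a relaunch, feed the check the version reported by the running browser rather than the version of the files on disk.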

