Chrome V8 Zero-Day CVE-2025-13223 – Active Exploit Confirmed, Google Issues Security Fix

A fresh security update from Google has put Chrome users on alert. The company has patched two high-severity vulnerabilities in the browser’s V8 JavaScript engine, one of which (CVE-2025-13223) is already being actively exploited.

Because Chrome runs on billions of devices and powers everything from personal browsing to enterprise workflows, flaws in its JavaScript engine often attract rapid attention from attackers. Here’s what you should know.

What Exactly Did Google Patch in the Latest Update?

Google’s latest update for Chrome (version 142.0.7444.175 on Windows/Linux and 142.0.7444.176 on macOS) includes fixes for two high-severity type confusion vulnerabilities in V8. Both issues were discovered by Google’s internal security teams.

The first flaw, CVE-2025-13223 (CVSS 8.8), is confirmed to be exploited in the wild. Because details are restricted until most users update, only the nature of the bug is known: a type confusion issue that could allow memory to be accessed incorrectly, potentially leading to corruption or unexpected behavior.

Details of CVE-2025-13223 (SOCRadar Vulnerability Intelligence)

The second issue, CVE-2025-13224, stems from a similar class of bug but has not been linked to any ongoing exploitation as of now.

SOCRadar’s Vulnerability Intelligence

SOCRadar’s Cyber Threat Intelligence (CTI) provides timely insights on exploited CVEs and active threat actor activity, helping teams prioritize high‑risk issues such as CVE‑2025‑13223. Combined with Attack Surface Management (ASM), which continuously monitors exposed assets for weaknesses, organizations gain clear visibility into risks that could be targeted.

Why Are Type Confusion Bugs in V8 So Dangerous?

Type confusion flaws occur when code assumes an object is one type when it is actually another. In a complex browser engine like V8, this can be manipulated to trigger heap corruption using crafted JavaScript or HTML.

If attackers successfully exploit this kind of bug:

They may execute arbitrary code within the browser context.
The exploit can sometimes be chained with other weaknesses to escape the sandbox, aiming for deeper system compromise.
Because Chrome is widely used in both consumer and enterprise environments, even a single active exploit can have broad security implications.

Given that CVE-2025-13223 is already the seventh zero‑day patched in Chrome this year, it shows how consistently attackers target the browser’s JavaScript engine. These weaknesses are often leveraged in spear‑phishing, drive‑by downloads, and targeted browser‑based attacks, making strong browser security essential across both enterprise and consumer environments.

What Should Users and Organizations Do Right Now?

The most important action is simple: update Chrome immediately. Chrome will automatically apply updates, but users must restart the browser for patches to take effect. The fastest method is:

Open Settings.
Navigate to About Chrome.
Allow Chrome to check for updates and restart when prompted.

For enterprises managing large fleets:

Confirm that automatic updates are enabled across endpoints.
Prioritize patch validation for the new build (142.0.7444.x) to avoid delays.
Consider monitoring for suspicious activity involving outdated builds, especially if updating may take several days.