Threat Advisory

Chrome Zero-Day Vulnerabilities Allow Remote Code Execution in V8 Engine

Threat: Vulnerability
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: High

EXECUTIVE SUMMARY:

Two critical type-confusion vulnerabilities have been identified in Google Chrome’s V8 JavaScript engine, tracked as CVE-2025-13223 and CVE-2025-13224. These flaws allow remote attackers to achieve memory corruption and potentially execute arbitrary code simply by luring a user to a malicious webpage, posing a serious risk to all Chrome users across Windows, macOS, and Linux.

  • CVE-2025-13223: A high-severity zero-day type-confusion flaw in the V8 engine that can lead to heap corruption during JavaScript execution. By embedding specially crafted JavaScript in a webpage, an attacker can trigger out-of-bounds memory operations, enabling arbitrary code execution within the browser’s sandbox. This vulnerability has been confirmed as actively exploited in the wild. The flaw allows drive-by compromise with no further user interaction. CVSS v3.1 score is 8.8 (High).
  • CVE-2025-13224: Another type-confusion bug in V8, also capable of inducing memory corruption through incorrect type handling during script optimization. While exploitation has not yet been publicly confirmed, the flaw carries similar risks—including code execution, browser compromise, and potential sandbox escapes when paired with additional vulnerabilities. It remains a high-impact issue requiring urgent remediation. CVSS v3.1 score is 8.8 (High).

Exploitation of these vulnerabilities can allow attackers to fully compromise the browser session, deploy malicious payloads, steal authentication tokens, or escalate into broader system compromise in targeted environments.

RECOMMENDATION:

  • We strongly recommend you update Google Chrome to versions 142.0.7444.175/.176 on Windows, 142.0.7444.176 on macOS, and 142.0.7444.175 on Linux or later.
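
One way to check an inventory against these builds, as an added example that is not part of the original advisory: the script compares reported Chrome version strings numerically against the fixed build for each platform. The host names and version strings in the sample inventory are constructed, and treating .175 as the Windows minimum is an assumption based on the .175/.176 listing above.

```python
import re

# Fixed builds taken from the recommendation above, keyed by platform.
# Assumption: for Windows (.175/.176) the lower build is the minimum.
PATCHED = {
    "windows": (142, 0, 7444, 175),
    "macos": (142, 0, 7444, 176),
    "linux": (142, 0, 7444, 175),
}

VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")

# Constructed sample inventory: (host, platform, reported version string).
SAMPLE_INVENTORY = [
    ("ws-01", "windows", "Google Chrome 142.0.7444.176"),
    ("ws-02", "windows", "Google Chrome 142.0.7444.99"),   # 99 < 175 numerically
    ("mac-01", "macos", "Google Chrome 142.0.7444.175"),   # macOS needs .176
    ("lnx-01", "linux", "Google Chrome 142.0.7444.175"),
    ("lnx-02", "linux", "command not found"),              # no version reported
]

def parse_version(text):
    """Return the four-part version as a tuple of ints, or None if absent."""
    match = VERSION_RE.search(text)
    return tuple(int(part) for part in match.groups()) if match else None

def audit(inventory):
    """Classify each host as 'ok', 'update' or 'unknown'."""
    findings = []
    for host, platform, reported in inventory:
        minimum = PATCHED.get(platform.lower())
        version = parse_version(reported)
        if minimum is None or version is None:
            status = "unknown"      # unrecognised platform or unparsable output
        elif version >= minimum:    # tuple comparison, not string comparison
            status = "ok"
        else:
            status = "update"
        findings.append((host, status))
    return findings

if __name__ == "__main__":
    for host, status in audit(SAMPLE_INVENTORY):
        print(f"{host}: {status}")
```

Comparing versions as integer tuples matters here: a string comparison would rank build 99 above build 175 and report ws-02 as patched.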

REFERENCES:

The following reports contain further technical details:

https://securityonline.info/google-patches-actively-exploited-chrome-zero-day-flaw-cve-2025-13223-in-emergency-update/
