Google Chrome Users Urged to Patch Immediately: High Severity Vulnerability Exploited in the Wild
Google has released an emergency security update for its Chrome browser, addressing a high-severity vulnerability that is actively being exploited in the wild. The vulnerability, identified as CVE-2025-13223, is a "type confusion" flaw found in Chrome's V8 JavaScript engine. Google is aware that an exploit for CVE-2025-13223 exists in the wild.
A type confusion flaw occurs when the V8 engine treats a block of memory as holding one type of object when it actually holds another, which can lead to system crashes and arbitrary code execution. Successful exploitation could allow attackers to corrupt the software's memory and execute malicious code on a user's system. According to the National Institute of Standards and Technology (NIST), the flaw can allow a remote attacker to potentially exploit heap corruption via a crafted HTML page. This suggests that attackers might be using malicious websites or phishing emails to circulate the exploit.
Given the severity of the vulnerability, the Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2025-13223 to its Known Exploited Vulnerabilities (KEV) catalog. CISA has mandated that federal agencies update their Chrome browsers by December 10, 2025, or discontinue using the product. While this directive is specifically for federal staff, CISA recommends that all Chrome users update their browsers immediately to protect against potential attacks.
Google has released Chrome version 142.0.7444.175/.176 for Windows, 142.0.7444.176 for Mac, and 142.0.7444.175 for Linux to address this vulnerability. Users are advised to update their Chrome browsers to these versions as soon as possible.
To update Chrome, users can navigate to Chrome menu > Help > About Google Chrome. Chrome will automatically check for updates and download the latest version. Users will then need to relaunch the browser to apply the update.
While Google has not yet shared specific details about the attacks exploiting this vulnerability, its Threat Analysis Group (TAG) is actively investigating the issue. TAG typically tracks spyware and nation-state attackers who abuse zero-day vulnerabilities for espionage. Clément Lecigne from Google's TAG discovered and reported CVE-2025-13223 on November 12, 2025.
This is the seventh zero-day vulnerability in Chrome that Google has patched this year. The increasing frequency of these types of vulnerabilities highlights the importance of keeping software up to date.
Google has also issued a second emergency patch for another high-severity type confusion bug in Chrome's V8 engine. This vulnerability, tracked as CVE-2025-13224, was discovered by Google's LLM-based bug-hunting tool Big Sleep. There are no reports of exploitation of CVE-2025-13224.
Users of other Chromium-based browsers, such as Microsoft Edge, Brave, and Opera, should also expect similar updates soon. Microsoft has already released a fix for the Edge browser.
Given the active exploitation of CVE-2025-13223, it is crucial that all Chrome users update their browsers immediately to protect themselves from potential attacks. Delaying the update could leave systems vulnerable to compromise.