CVE-2025-12428
Published 2025-11-10
CVE-2025-12428: Type Confusion in V8 in Google Chrome prior to 142.0.7444.59 allowed a remote attacker to perform arbitrary read/write via a crafted HTML page. (Chromium…
Priority P2 · 61 · high · CVSS 3.1 base 8.8
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS: 6.81% (93.2nd percentile)
Type Confusion in V8 in Google Chrome prior to 142.0.7444.59 allowed a remote attacker to perform arbitrary read/write via a crafted HTML page. (Chromium security severity: High)
Affected (9 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| chromium | chromium | >= 0 < 142.0.7444.59-1~deb12u1 | 142.0.7444.59-1~deb12u1 |
| chromium | chromium | >= 0 < 142.0.7444.59-1~deb13u1 | 142.0.7444.59-1~deb13u1 |
| chromium | chromium | >= 0 < 142.0.7444.59-1 | 142.0.7444.59-1 |
| debian | chromium | < 142.0.7444.59-1~deb12u1 (bookworm) | 142.0.7444.59-1~deb12u1 (bookworm) |
| chrome | chrome | < 142.0.7444.59 | 142.0.7444.59 |
| chrome | chrome | >= 142.0.7444.59 < 142.0.7444.59 (empty range in the source data) | 142.0.7444.59 |
| chrome | chrome | — | — |
| msrc | microsoft_edge | — | — |
| paloalto | prisma_browser | — | — |
Detection & IOCs (extracted from sources)
- The trigger is a crafted HTML page, so any browser below the fixed build that renders attacker-controlled content is exposed. None of the sources gives a network or host signature for the exploit itself (no detection rule or public exploit is indexed below), so the practical control is a version gate: inventory Chrome, Chromium and Edge builds and treat anything below 142.0.7444.59 (Edge: 142.0.3595.53, per the MSRC release table below) as unpatched.
- Debian bullseye is still listed as open for this CVE: there is no fixed chromium package for that release, so bullseye hosts stay vulnerable and should be prioritised for upgrade or another mitigation.
- The fixed chromium package for Debian stable (bookworm) is 142.0.7444.59-1~deb12u1 (trixie: 142.0.7444.59-1~deb13u1; sid and forky: 142.0.7444.59-1). Compare with dpkg version ordering, where `~` sorts below a bare revision, before marking a host remediated.
CVSS provenance
| Source | Score | Severity | Vector |
|---|---|---|---|
| nvd (v3.1) | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| osv | 8.8 | HIGH | |
| vendor_debian | 8.8 | HIGH | |
| vendor_msrc | 8.8 | HIGH | |
| vendor_redhat | 8.8 | HIGH | |
Palo Alto
PAN-SA-2025-0018 Chromium and Prisma Browser: Monthly Vulnerability Update (November 2025)
Source: vendor_paloalto · 2025-11-12 · CVSS 8.8 · HIGH
Palo Alto Networks incorporated the following Chromium security fixes into our products: https://chromereleases.googleblog.com/2025/10/stable-channel-update-for-desktop_28.html

| CVE | Summary |
|---|---|
| CVE-2025-12428 | Type Confusion in V8 |
| CVE-2025-12429 | Inappropriate implementation in V8 |
| CVE-2025-12430 | Object lifecycle issue in Media |
| CVE-2025-12431 | Inappropriate implementation in Extensions |
| CVE-2025-12432 | Race in V8 |
| CVE-2025-12433 | Inappropriate implementation in V8 |
| CVE-2025-12036 | Inappropriate implementation in V8 |
| CVE-2025-12434 | Race in Storage |
| CVE-2025-12435 | Incorrect security UI in Omnibox |
| CVE-2025-12436 | Policy bypass in Extensions |
| CVE-2025-12437 | Use after free in PageInfo |
| CVE-2025-12438 | Use after free in |
Chrome
Stable Channel Update for ChromeOS / ChromeOS Flex: CVE-2025-12428
Source: vendor_chrome · 2025-11-11 · CVSS 8.8 · HIGH
Red Hat
chromium-browser: Type Confusion in V8 (CWE-843)
Source: vendor_redhat · 2025-11-10 · CVSS 8.8 · HIGH
Type Confusion in V8 in Google Chrome prior to 142.0.7444.59 allowed a remote attacker to perform arbitrary read/write via a crafted HTML page. (Chromium security severity: High)
Statement: Red Hat Product Security rates the severity of this flaw as determined by the Google Chrome Security Advisory.
Microsoft
Chromium: CVE-2025-12428 Type Confusion in V8
Source: vendor_msrc · 2025-10-14 · CVSS 8.8 · HIGH
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.
FAQ: What is the version information for this release?

| Microsoft Edge Version | Date Released | Based on Chromium Version |
|---|---|---|
| 142.0.3595.53 | 10/31/2025 | 142.0.7445.59/.60 |

FAQ: Why is this Chrome CVE included in the Security Update Guide?
The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.
FAQ: How can I see the version of the browser?
In y
Debian
CVE-2025-12428: chromium - Type Confusion in V8 in Google Chrome prior to 142.0.7444.59 allowed a remote at...
Source: vendor_debian · 2025 · CVSS 8.8 · HIGH
Type Confusion in V8 in Google Chrome prior to 142.0.7444.59 allowed a remote attacker to perform arbitrary read/write via a crafted HTML page. (Chromium security severity: High)
Scope: local
bookworm: resolved (fixed in 142.0.7444.59-1~deb12u1)
bullseye: open
forky: resolved (fixed in 142.0.7444.59-1)
sid: resolved (fixed in 142.0.7444.59-1)
trixie: resolved (fixed in 142.0.7444.59-1~deb13u1)
GHSA
GHSA-288v-g9g4-jh8r: Type Confusion in V8 in Google Chrome prior to 142 (CWE-843)
Source: ghsa_unreviewed · 2025-11-10 · HIGH
Type Confusion in V8 in Google Chrome prior to 142.0.7444.59 allowed a remote attacker to perform arbitrary read/write via a crafted HTML page. (Chromium security severity: High)
OSV
CVE-2025-12428: Type Confusion in V8 in Google Chrome prior to 142
Source: osv · 2025-11-10 · CVSS 8.8 · HIGH
Type Confusion in V8 in Google Chrome prior to 142.0.7444.59 allowed a remote attacker to perform arbitrary read/write via a crafted HTML page. (Chromium security severity: High)
No detection rules found.
No public exploits indexed.
Published: 2025-11-10