CVE-2025-13223
published 2025-11-17CVE-2025-13223: Type Confusion in V8 in Google Chrome prior to 142.0.7444.175 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page…
PriorityP187high8.8CVSS 3.1
AVNACLPRNUIRSUCHIHAH
KEVITW
CISA Known Exploited Vulnerabilitydue 2025-12-10
Exploited in the wild
EPSS
4.83%
90.9th percentile
Type Confusion in V8 in Google Chrome prior to 142.0.7444.175 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
Affected
8 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| chromium | chromium | >= 0 < 142.0.7444.175-1~deb12u1 | 142.0.7444.175-1~deb12u1 |
| chromium | chromium | >= 0 < 142.0.7444.175-1~deb13u1 | 142.0.7444.175-1~deb13u1 |
| chromium | chromium | >= 0 < 142.0.7444.175-1 | 142.0.7444.175-1 |
| debian | chromium | < chromium 142.0.7444.175-1~deb12u1 (bookworm) | chromium 142.0.7444.175-1~deb12u1 (bookworm) |
| chrome | < 142.0.7444.175 | 142.0.7444.175 | |
| chrome_chrome | — | — | |
| msrc | microsoft_edge | — | — |
| paloalto | prisma_browser | — | — |
Detection & IOCsextracted from sources · hover to see the quote
- →CVE-2025-13223 is actively exploited in the wild via crafted HTML pages triggering V8 type confusion leading to heap corruption; monitor for exploitation attempts delivered through web browsing. ↗
- →The vulnerability is exploitable remotely via a crafted HTML page — monitor for suspicious or anomalous Chrome/Chromium renderer process crashes or heap corruption signals. ↗
- →CISA has added this to the Known Exploited Vulnerabilities catalog with a remediation due date of 2025-12-10; treat any unpatched Chrome/Chromium V8 instance as actively at risk. ↗
- →A public proof-of-concept and active exploitation have been reported; prioritize detection of Chrome versions prior to 142.0.7444.175 in the environment. ↗
- ·The fix is confirmed in Chrome stable channel 142.0.7444.175 and later; Debian bullseye remains unresolved/open as of the tracker. ↗
- ·Microsoft Edge (Chromium-based) is also affected as it ingests Chromium; the patched Edge version is 142.0.3595.90. ↗
CVSS provenance
nvdv3.18.8HIGHCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
osv8.8HIGH
vulncheck8.8HIGH
cisa8.8HIGH
vendor_debian8.8HIGH
vendor_msrc8.8HIGH
vendor_redhat8.8HIGH
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
Palo Alto
PAN-SA-2026-0001 Chromium: Monthly Vulnerability Update (January 2026)
vendor_paloalto·2026-01-14·CVSS 8.8
[HIGH] PAN-SA-2026-0001 Chromium: Monthly Vulnerability Update (January 2026)
PAN-SA-2026-0001 Chromium: Monthly Vulnerability Update (January 2026)
Palo Alto Networks incorporated the following Chromium security fixes into our products: https://chromereleases.googleblog.com/2026/01/stable-channel-update-for-desktop.html https://chromereleases.googleblog.com/2025/12/stable-channel-update-for-desktop_18.html https://chromereleases.googleblog.com/2025/12/stable-channel-update-for-desktop_16.html https://chromereleases.googleblog.com/2025/12/stable-channel-update-for-desktop_10.html https://chromereleases.googleblog.com/2025/12/stable-channel-update-for-desktop.html https://chromereleases.googleblog.com/2025/11/stable-channel-update-for-desktop_17.html https://chromereleases.googleblog.com/2025/11/stable-channel-update-for-desktop_11.html https://chromereleases.google
Chrome
Long Term Support Channel Update for ChromeOS: CVE-2025-13223
vendor_chrome·2025-11-21·CVSS 7.0
CVE-2025-13223 [HIGH] Long Term Support Channel Update for ChromeOS: CVE-2025-13223
Long Term Support Channel Update for ChromeOS
CVE-2025-13223: Type Confusion in V8. And also CVE-2025-21700, CVE-2025-21703, CVE-2025-21702, CVE-2025-21756, CVE-2025-21971, CVE-2025-21703, CVE-2025-21971, CVE-2025-37798, CVE-2025-37756, CVE-2025-37752, CVE-2025-21836, CVE-2024-27397 Release notes for LTS-138 can be found here Want to know more about Long-term Support? Click here Andy Wu Google Chrome OS
Severity: high
CISA
Google Chromium V8 Type Confusion Vulnerability
cisa·2025-11-19·CVSS 8.8
CVE-2025-13223 [HIGH] CWE-843 Google Chromium V8 Type Confusion Vulnerability
Vulnerability: Google Chromium V8 Type Confusion Vulnerability
Affected: Google Chromium V8
Google Chromium V8 contains a type confusion vulnerability that allows for heap corruption.
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Notes: https://chromereleases.googleblog.com/2025/11/stable-channel-update-for-desktop_17.html ; https://nvd.nist.gov/vuln/detail/CVE-2025-13223
Remediation Due Date: 2025-12-10
Red Hat
chromium-browser: Type Confusion in V8
vendor_redhat·2025-11-17·CVSS 8.8
CVE-2025-13223 [HIGH] CWE-843 chromium-browser: Type Confusion in V8
chromium-browser: Type Confusion in V8
Type Confusion in V8 in Google Chrome prior to 142.0.7444.175 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
Statement: Red Hat Product Security rates the severity of this flaw as determined by the Google Chrome Security Advisory.
Microsoft
Chromium: CVE-2025-13223 Type Confusion in V8
vendor_msrc·2025-11-11·CVSS 8.8
CVE-2025-13223 [HIGH] Chromium: CVE-2025-13223 Type Confusion in V8
Chromium: CVE-2025-13223 Type Confusion in V8
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. Google is aware that an exploit for CVE-2025-13223 exists in the wild.
FAQ: What is the version information for this release?
Microsoft Edge Version
Date Released
Based on Chromium Version
142.0.3595.90
11/18/2025
142.0.7444.176
FAQ: Why is this Chrome CVE included in the Security Update Guide?
The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is n
Debian
CVE-2025-13223: chromium - Type Confusion in V8 in Google Chrome prior to 142.0.7444.175 allowed a remote a...
vendor_debian·2025·CVSS 8.8
CVE-2025-13223 [HIGH] CVE-2025-13223: chromium - Type Confusion in V8 in Google Chrome prior to 142.0.7444.175 allowed a remote a...
Type Confusion in V8 in Google Chrome prior to 142.0.7444.175 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
Scope: local
bookworm: resolved (fixed in 142.0.7444.175-1~deb12u1)
bullseye: open
forky: resolved (fixed in 142.0.7444.175-1)
sid: resolved (fixed in 142.0.7444.175-1)
trixie: resolved (fixed in 142.0.7444.175-1~deb13u1)
GHSA
GHSA-fvx3-7348-92qj: Type Confusion in V8 in Google Chrome prior to 142
ghsa_unreviewed·2025-11-18
CVE-2025-13223 [HIGH] CWE-843 GHSA-fvx3-7348-92qj: Type Confusion in V8 in Google Chrome prior to 142
Type Confusion in V8 in Google Chrome prior to 142.0.7444.175 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
OSV
CVE-2025-13223: Type Confusion in V8 in Google Chrome prior to 142
osv·2025-11-17·CVSS 8.8
CVE-2025-13223 [HIGH] CVE-2025-13223: Type Confusion in V8 in Google Chrome prior to 142
Type Confusion in V8 in Google Chrome prior to 142.0.7444.175 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
VulnCheck
Google Chromium V8 Type Confusion Vulnerability
vulncheck·2025·CVSS 8.8
CVE-2025-13223 [HIGH] CWE-843 Google Chromium V8 Type Confusion Vulnerability
Google Chromium V8 Type Confusion Vulnerability
Google Chromium V8 contains a type confusion vulnerability that allows for heap corruption.
Affected: Google Chromium V8
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Exploitation References: https://docs.google.com/spreadsheets/d/1lkNJ0uQwbeC1ZTRrxdtuPLCIl7mlUreoKfSIgajnSyY/edit; https://chromereleases.googleblog.com/2025/11/stable-channel-update-for-desktop_17.html; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; https://www.recordedfuture.com/blog/november-2025-cve-landscape; https://falconfeeds.io/blogs/lazarus-constellation-dprk-cyber-warfare-intelligence-dossier
No detection rules found.
No public exploits indexed.
Bleepingcomputer
Google fixes eighth Chrome zero-day exploited in attacks in 2025
blogs_bleepingcomputer·2025-12-11·CVSS 9.8
[CRITICAL] Google fixes eighth Chrome zero-day exploited in attacks in 2025
## Google fixes eighth Chrome zero-day exploited in attacks in 2025
## Sergiu Gatlan
The company has now fixed this high-severity vulnerability for users in the Stable Desktop channel, with new versions rolling out worldwide to Windows (143.0.7499.109), macOS (143.0.7499.110), and Linux users (143.0.7499.109).
While the security patch could take days or weeks to reach all users, according to Google, it was immediately available when BleepingComputer checked for updates earlier today.
If you prefer not to update manually, you can also let your web browser check for updates automatically and install them after the next launch.
Although Google didn't share any other details about this zero-day bug, including the CVE ID used to track it, and said it's still "under coordination."
"Access
Checkpoint
24th November – Threat Intelligence Report
blogs_checkpoint·2025-11-24
CVE-2025-58034 24th November – Threat Intelligence Report
Latest Publications
CPR Podcast Channel
AI Research
Web 3.0 Security
Intelligence Reports
ThreatCloud AI
Threat Intelligence & Research
Zero Day Protection
Sandblast File Analysis
About Us
SUBSCRIBE
2026
2025
2024
2023
2022
2021
2020
2019
2018
2017
2016
## 24th November – Threat Intelligence Report
For the latest discoveries in cyber research for the week of 24th November, please download our Threat Intelligence Bulletin .
TOP ATTACKS AND BREACHES
The notorious “Scattered LAPSUS$ Hunters” group claimed responsibility for a supply-chain attack involving the Salesforce-integrated platform Gainsight. The group stated that data from 300 organizations was compromised, including Verizon, GitLab and Atlassian. Salesforce has confirmed unusual activity related to Gainsig
Bleepingcomputer
Google fixes new Chrome zero-day flaw exploited in attacks
blogs_bleepingcomputer·2025-11-18·CVSS 9.8
[CRITICAL] Google fixes new Chrome zero-day flaw exploited in attacks
## Google fixes new Chrome zero-day flaw exploited in attacks
## Sergiu Gatlan
Google fixed the zero-day flaw with the release of 142.0.7444.175/.176 for Windows, 142.0.7444.176 for Mac, and 142.0.7444.175 for Linux.
While these new versions are scheduled to roll out to all users in the Stable Desktop channel over the coming weeks, the patch was immediately available when BleepingComputer checked for the latest updates.
Although the Chrome web browser updates automatically when security patches are available, users can also confirm they're running the latest version by going to Chrome menu > Help > About Google Chrome, letting the update finish, and then clicking on the 'Relaunch' button to install it.
Although Google has already confirmed that CVE-2025-13223 was used in attacks, i
Recorded Future
November 2025 CVE Landscape: 10 Critical Vulnerabilities Show 69% Drop from October
blogs_recorded_future·CVSS 5.4
CVE-2025-64446 [MEDIUM] November 2025 CVE Landscape: 10 Critical Vulnerabilities Show 69% Drop from October
# November 2025 CVE Landscape: 10 Critical Vulnerabilities Show 69% Drop from October
November 2025 saw a significant 69% decrease in high-impact vulnerabilities, with Recorded Future's Insikt Group® identifying 10 vulnerabilities requiring immediate attention, down from 32 in October.
What security teams need to know:
- Fortinet leads concerns: Two critical FortiWeb vulnerabilities (CVE-2025-64446 and CVE-2025-58034) are under active exploitation
- LANDFALL spyware campaign: Threat actors weaponized Samsung's image processing flaw (CVE-2025-21042) for zero-click Android attacks
- Public exploits proliferate: Seven of ten vulnerabilities have public proof-of-concept code available
- OS Command Injection and Out-of-bounds Write were tied as the most common weakness types
Bottom line: Th
2025-11-17
Published
2025-11-19
Added to CISA KEV
Exploited in the wild