To fix two security vulnerabilities, one of which has been actively exploited in the wild, Google recently released security patches for its Chrome browser.
The vulnerability in question is CVE-2025-13223 (CVSS score: 8.8), a type misunderstanding flaw in the WebAssembly and V8 JavaScript engines that might be used to cause program crashes or arbitrary code execution.
“Type Confusion in V8 in Google Chrome prior to 142.0.7444.175 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page,” the NIST National Vulnerability Database (NVD) describes vulnerability.
The issue was found and reported on November 12, 2025, by Cléo Lecigne of Google’s Threat Analysis Group (TAG). Google has not disclosed any information on the scope of the attacks, who may have been targeted, or who is responsible for them.
Seven zero-day vulnerabilities in Chrome that have either been actively exploited or shown as a proof-of-concept (PoC) since the beginning of the year have been fixed by Google in the most recent update. CVE-2025-2783, CVE-2025-4664, CVE-2025-5419, CVE-2025-6554, CVE-2025-6558, and CVE-2025-10585 are among those in the list.
After CVE-2025-6554 and CVE-2025-10585, CVE-2025-13223 is the third actively exploited type confusion flaw found in V8 this year.
Another type of confusion issue in V8 (CVE-2025-13224, CVSS score: 8.8) that was discovered by Google’s artificial intelligence agent Big Sleep was also fixed as part of this patch.
