On 17 November 2025, Google released an out-of-cycle security update for Chrome to address two high-severity flaws in its V8 JavaScript/WebAssembly engine. The first, CVE-2025-13223, was discovered by Clément Lecigne of Google’s Threat Analysis Group (TAG) and is already confirmed to be exploited in the wild. The second, CVE-2025-13224, while not yet publicly known to be exploited, is a near-identical type confusion vulnerability discovered internally. Both vulnerabilities could allow a remote, unauthenticated attacker to gain code execution inside the Chrome browser process simply by convincing a user to visit a malicious webpage.
Technical details
CVE-2025-13223 and CVE-2025-13224 are type-confusion vulnerabilities in V8, the engine responsible for executing JavaScript and WebAssembly inside Chrome. Type confusion occurs when the engine incorrectly assumes the type of an object at runtime. In the context of V8, this means the browser can be manipulated into treating a specific memory object as something else, which can corrupt the browser’s heap memory.
When the heap corruption caused by type confusion is controlled by an attacker, it becomes possible to influence how the browser decides what code to run next. In practice, this means the attacker can redirect execution and run their own code inside the Chrome process. Google has confirmed that CVE-2025-13223 is already being exploited in the wild. A carefully crafted malicious webpage is enough to trigger the vulnerability: beyond loading the page, no further user interaction, authentication or file download is required.
CVE-2025-13224 shares the same underlying flaw but was found earlier by Google’s internal automated vulnerability discovery system, “Big Sleep”. Public exploitation has not been confirmed, but due to the shared root cause and attack surface, the second vulnerability represents an equally serious risk until fully patched.
Because V8 powers not only Chrome but many Chromium-based browsers, the attack surface extends across multiple operating systems and environments such as Windows, macOS and Linux. Although no sandbox-escape chain has been published publicly, this type of memory corruption issue is commonly used as the first stage of a deeper compromise.
Impact summary
The zero-day permits remote code execution inside the browser simply through a webpage visit, giving an attacker control over the Chrome process. In this state, an attacker may be able to steal session cookies and credentials stored by the browser, access sensitive application data during authenticated sessions, install further malware via the browser, or pivot deeper into the network if combined with additional privilege-escalation or sandbox-escape vulnerabilities.
Mitigating the vulnerability
Both CVE-2025-13223 and CVE-2025-13224 have been fully addressed in the latest Chrome Stable Channel release for Windows, macOS and Linux, and applying this update is the only reliable way to remove exposure to active exploitation.
Organisations should ensure that all systems running Chrome are updated to the patched build and that automatic updates are functioning correctly across managed devices. Because other Chromium-based browsers such as Microsoft Edge, Brave, Opera and Vivaldi also rely on the same V8 engine, equivalent vendor updates should be applied as soon as they are released in order to prevent similar exploitation paths through alternative browsers.
Fixed versions
Chrome 142.0.7444.175 for Linux
Chrome 142.0.7444.176 for macOS
Chrome 142.0.7444.175/.176 for Windows
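As an added example (not Sentrium's or Google's tooling), the following Python script checks a fleet inventory against the fixed builds listed above, flagging any host whose Chrome build is below the patched version for its platform. The inventory line format (hostname,platform,version) and the sample hosts are constructed assumptions; note that the same build number can be fixed on one platform and not another (.175 is patched on Windows and Linux but not on macOS).

```python
"""Flag hosts still running a Chrome build below the fix for
CVE-2025-13223 / CVE-2025-13224.  Added example, not vendor tooling."""
import re

# Minimum build containing the fix, per platform, from the advisory.
FIXED_VERSIONS = {
    "linux": (142, 0, 7444, 175),
    "macos": (142, 0, 7444, 176),
    "windows": (142, 0, 7444, 175),  # .175 and .176 both carry the fix
}

VERSION_RE = re.compile(r"^\d+(\.\d+){3}$")


def parse_version(version):
    """Turn '142.0.7444.175' into a comparable tuple; reject malformed input."""
    version = version.strip()
    if not VERSION_RE.match(version):
        raise ValueError(f"not a Chrome version string: {version!r}")
    return tuple(int(part) for part in version.split("."))


def is_patched(platform, version):
    """True when the reported build is at or above the fixed build for its OS."""
    key = platform.strip().lower()
    if key not in FIXED_VERSIONS:
        raise ValueError(f"unknown platform: {platform!r}")
    return parse_version(version) >= FIXED_VERSIONS[key]


def find_exposed(inventory):
    """Return hostnames needing an update.  Each line is 'hostname,platform,version'
    (a constructed export format).  Unparseable lines are reported as exposed so
    they are investigated rather than silently passed."""
    exposed = []
    for line in inventory:
        if not line.strip() or line.startswith("#"):
            continue
        try:
            host, platform, version = (f.strip() for f in line.split(","))
            if not is_patched(platform, version):
                exposed.append(host)
        except ValueError:
            exposed.append(line.split(",")[0].strip() + " (unparseable)")
    return exposed


# Constructed sample inventory for demonstration.
SAMPLE_INVENTORY = [
    "# hostname,platform,version",
    "ws-001,windows,142.0.7444.162",
    "ws-002,windows,142.0.7444.176",
    "dev-mac-07,macos,142.0.7444.175",
    "build-linux-3,linux,142.0.7444.175",
    "ws-003,windows,143.0.7480.0",
    "kiosk-9,windows,unknown",
]

if __name__ == "__main__":
    for host in find_exposed(SAMPLE_INVENTORY):
        print("needs update:", host)
```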
For environments where immediate patching is not possible, there are no practical workarounds that fully prevent exploitation. Temporary measures such as isolating high-risk administrative accounts, reducing general internet access on sensitive systems, or monitoring for abnormal browser process activity may help reduce the likelihood of compromise, but these should only be treated as short-term risk reduction while the patch is rolled out. Installing the patched version of Chrome is the only reliable way to prevent exploitation of these vulnerabilities.
How can Sentrium help?
Sentrium offer vulnerability assessment and penetration testing services that can support you in identifying vulnerable browser deployments and endpoint systems across your environments. Start your assessment today by completing our pentest scoping form or get in touch with our team to find out more about our penetration testing services.