A new high-severity zero-day in Google Chrome is being actively exploited to compromise users through malicious websites. The vulnerability, tracked as CVE-2025-13223, is a type confusion flaw in Chrome’s V8 JavaScript engine that allows attackers to trigger memory corruption and execute code on the victim’s machine. Google has released an emergency patch for Windows, macOS, and Linux.
Overview
CVE-2025-13223 is a high-severity V8 type confusion vulnerability that affects all major desktop builds of Google Chrome prior to:
- Windows: 142.0.7444.175 / .176
- macOS: 142.0.7444.176
- Linux: 142.0.7444.175
Type confusion flaws in V8 commonly lead to out-of-bounds memory access, enabling attackers to craft malicious JavaScript that executes arbitrary code within the browser environment. In exploitation chains, these vulnerabilities are often paired with sandbox-escape bugs to gain broader system access.
Google has confirmed in-the-wild exploitation but has not released further details, citing active attacks and the presence of the same vulnerable component in third-party codebases used by Chromium-based browsers such as Edge, Brave, and Opera.
Impact
Exploitation of CVE-2025-13223 allows threat actors to run arbitrary code inside Chrome’s renderer, potentially escape the sandbox, compromise browser sessions, steal authentication tokens, and deploy additional malware through drive-by attacks.
Because exploitation can occur simply by visiting a malicious or compromised site, the risk is immediate, particularly for environments with high web-browsing activity or access to sensitive cloud applications.
Remediation Guidance
All Chrome users should update immediately to the patched version and restart the browser to apply the fix.
Organizations should also:
- Enforce automatic Chrome updates via MDM/endpoint tooling
- Remove unnecessary browser extensions and apply extension-hardening policies
- Rotate credentials for any high-value applications if suspicious browser activity is detected
Users of other Chromium-based browsers, such as Edge, Opera, and Brave, should also update as soon as vendor releases are available.
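To confirm the update has reached every endpoint, the fixed builds listed in the Overview can be checked against a software inventory. The script below is an added example, not code from Google or OP Innovate; the inventory layout, platform labels, and sample hosts are constructed assumptions, and other Chromium-based browsers are out of scope because the page gives no fixed versions for them.

```python
# Added example: flag Chrome installs older than the CVE-2025-13223 fix.
# Minimum fixed builds are taken from the Overview list on this page.
FIXED = {
    "windows": (142, 0, 7444, 175),  # page lists .175 / .176; .175 is the floor
    "macos": (142, 0, 7444, 176),
    "linux": (142, 0, 7444, 175),
}

# Constructed sample inventory: (host, platform, reported Chrome version).
SAMPLE_INVENTORY = [
    ("ws-001", "windows", "142.0.7444.176"),
    ("ws-002", "Windows", "142.0.7444.163"),
    ("mac-01", "macos", "142.0.7444.175"),
    ("lnx-01", "linux", "142.0.7444.175"),
    ("lnx-02", "linux", "141.0.7390.122"),
    ("ws-003", "windows", "143.0.7499.40"),
    ("kiosk-1", "chromeos", "142.0.7444.100"),
    ("ws-004", "windows", "unknown"),
]

def parse_version(text):
    """Return a 4-tuple of ints for 'MAJOR.MINOR.BUILD.PATCH', or None if malformed."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdecimal() for p in parts):
        return None
    return tuple(int(p) for p in parts)

def classify(platform, version_text):
    """Return 'patched', 'vulnerable', or 'unknown' for one install."""
    fixed = FIXED.get(platform.strip().lower())
    version = parse_version(version_text)
    if fixed is None or version is None:
        return "unknown"  # unlisted platform or unparseable version: review by hand
    # Compare as integer tuples; string comparison would rank ".99" above ".175".
    return "patched" if version >= fixed else "vulnerable"

def audit(inventory):
    """Map each status to the list of hosts in that status."""
    report = {"patched": [], "vulnerable": [], "unknown": []}
    for host, platform, version_text in inventory:
        report[classify(platform, version_text)].append(host)
    return report

if __name__ == "__main__":
    for status, hosts in audit(SAMPLE_INVENTORY).items():
        print(f"{status}: {', '.join(hosts) or '-'}")
```

Hosts reported as unknown are not treated as safe; they need a manual check. A host only counts as patched once the browser has been restarted on the new build.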
Stay Safe. Stay Secure.
OP Innovate Research Team



