Google has issued urgent security updates for its Chrome browser to patch two critical vulnerabilities, including a zero-day flaw that is actively being exploited by attackers. The company announced the release on Monday, November 18, 2025, urging users to update immediately to prevent potential compromises. This latest patch addresses a significant security risk, highlighting the ongoing cat-and-mouse game between browser developers and malicious actors.
The most critical of the two vulnerabilities is designated CVE-2025-13223, a high-severity type confusion flaw within Chrome’s V8 JavaScript and WebAssembly engine. This vulnerability carries a CVSS score of 8.8 and could allow remote attackers to execute arbitrary code or cause program crashes on user devices. The NVD describes the flaw as enabling a remote attacker to potentially exploit heap corruption via a specially crafted HTML page.
Chrome Addresses Actively Exploited Zero-Day Vulnerability
Google’s Threat Analysis Group (TAG) credited Clément Lecigne with discovering and reporting CVE-2025-13223 on November 12, 2025. While Google confirmed that an exploit for this vulnerability “exists in the wild,” it has not disclosed specific details regarding the perpetrators, the individuals or organizations targeted, or the scope of these ongoing attacks. This lack of detail underscores the clandestine nature of such exploits.
This marks the seventh zero-day flaw in Chrome that has either seen active exploitation or has been demonstrated as a proof-of-concept (PoC) since the beginning of 2025. Other addressed vulnerabilities include CVE-2025-2783, CVE-2025-4664, CVE-2025-5419, CVE-2025-6554, CVE-2025-6558, and CVE-2025-10585. The recurring nature of these vulnerabilities in the V8 engine is a growing concern for browser security.
Notably, CVE-2025-13223 is the third type confusion bug discovered in the V8 engine this year that has been actively exploited, following similar issues identified in CVE-2025-6554 and CVE-2025-10585. The repeated exploitation of the V8 engine suggests a persistent area of weakness that attackers are continuing to target.
Second Vulnerability Discovered by AI
In addition to the actively exploited zero-day, Google’s update also patches another type confusion vulnerability within the V8 engine, identified as CVE-2025-13224. This flaw also carries a significant CVSS score of 8.8. Intriguingly, this second vulnerability was flagged not by human researchers, but by Google’s artificial intelligence (AI) security agent, Big Sleep. The involvement of AI in vulnerability discovery highlights advancements in defensive cybersecurity measures.
To ensure protection against these threats, users are strongly advised to update their Chrome browser to the latest available versions. For Windows users, this means updating to 142.0.7444.175/.176. Apple macOS users should update to 142.0.7444.176, and Linux users to 142.0.7444.175. Users can verify their Chrome version and initiate an update by navigating to More > Help > About Google Chrome, and then selecting the Relaunch option if prompted.
The urgency extends beyond Chrome users. Individuals utilizing other Chromium-based browsers, such as Microsoft Edge, Brave, Opera, and Vivaldi, are also encouraged to apply similar security fixes as soon as they become available from their respective browser vendors. These browsers often share underlying code with Chrome, making them potential targets for the same exploits.
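For administrators checking a fleet against the fixed builds listed above, the following is an added example (not code from Google or from the original article). The inventory format `host,platform,browser,version`, the function names and the sample rows are assumptions constructed for illustration.

```python
import re

# Lowest fixed Chrome build per platform, as listed in the article.
PATCHED = {
    "windows": (142, 0, 7444, 175),
    "macos": (142, 0, 7444, 176),
    "linux": (142, 0, 7444, 175),
}
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)$")

def parse_version(text):
    """Return a 4-tuple of ints, or None if text is not a full a.b.c.d build."""
    m = VERSION_RE.match(text.strip())
    return tuple(int(p) for p in m.groups()) if m else None

def classify(platform, browser, version):
    """Return 'patched', 'vulnerable', 'vendor-check' or 'unknown'."""
    if browser.lower() != "chrome":
        # Edge, Brave, Opera and Vivaldi number their builds independently,
        # so Chrome's thresholds do not apply; defer to the vendor's advisory.
        return "vendor-check"
    minimum = PATCHED.get(platform.lower())
    parsed = parse_version(version)
    if minimum is None or parsed is None:
        return "unknown"  # unrecognised platform or malformed version string
    # Tuples compare numerically per component. A plain string comparison
    # would wrongly rank "142.0.7444.59" above "142.0.7444.175".
    return "patched" if parsed >= minimum else "vulnerable"

def audit(rows):
    """Map host -> status for lines of the form host,platform,browser,version."""
    results = {}
    for line in rows:
        parts = [p.strip() for p in line.split(",")]
        if len(parts) == 4:
            host, platform, browser, version = parts
            results[host] = classify(platform, browser, version)
    return results

# Constructed sample inventory (hostnames and versions are made up).
SAMPLE = [
    "ws-01,windows,chrome,142.0.7444.175",
    "ws-02,windows,chrome,142.0.7444.59",
    "mac-01,macos,chrome,142.0.7444.175",
    "ws-03,windows,edge,142.0.3595.80",
    "lnx-02,linux,chrome,142.0.7444",
]

if __name__ == "__main__":
    for host, status in audit(SAMPLE).items():
        print(f"{host}: {status}")
```

Hosts reported as `vulnerable` or `unknown` are the ones to follow up on first; `vendor-check` rows need comparing against the fixed build published by that browser's own vendor.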
Looking ahead, the focus will be on the effectiveness of these patches in mitigating further exploitation of CVE-2025-13223 and its potential impact. Security researchers and organizations will be closely monitoring for any signs of new attack vectors or variations of these vulnerabilities surfacing. The continuous discovery of zero-day exploits emphasizes the need for ongoing vigilance and rapid patching by both software vendors and end-users to maintain a secure digital environment.

