Vulnerability in Chrome’s V8 engine actively exploited

Threat summary

On November 17, 2025, Google released Chrome updates to fix two type confusion vulnerabilities in the V8 engine. V8 is an open-source JavaScript and WebAssembly engine developed by the Chromium Project, used in Google Chrome and other Chromium-based browsers.

The vulnerabilities affect Chrome users across Windows, macOS, and Linux platforms running versions prior to:

• v142.0.7444.175/.176 (for Windows)
• v142.0.7444.176 (for macOS)
• v142.0.7444.175 (for Linux)

The latest versions of Chrome have been released worldwide and can be deployed through automatic or manual updates.

One of the flaws was discovered by Google’s Threat Analysis Group (TAG) and confirmed to be exploited in the wild. The issue is tracked as CVE-2025-13223, a type confusion vulnerability that occurs when the engine misinterprets the type of an object, leading to memory corruption. By tricking a user to visit crafted malicious HTML content, threat actors could abuse CVE-2025-13223 to achieve arbitrary code execution. The flaw received a Common Vulnerability Scoring System (CVSS) v3.1 base score of 8.8, indicating high severity.

Some other Chromium-based browsers have released updates to incorporate the latest updates of the Chromium project.

These include:

• Microsoft Edge Stable Channel 142.0.3595.90
• Brave v1.84.141
• Vivaldi 7.7/ 142.0.7444.180
• DuckDuckGo 0.137.4.0

Google has not attributed the exploitation to a specific threat actor. However, TAG’s involvement suggests potential links to government-backed campaigns. TAG frequently investigates spyware operations targeting journalists, dissidents, and political figures.

Analyst insight

Out-of-date browsers could become targets of exploitation, increasing the threat surface of an organization. Since browser-based vulnerabilities continue to be a viable entry point for advanced threat actors, timely patching and browser governance remain critical to reducing risk.

Organizations should confirm that all Chrome installations are updated to the latest version. Enterprise environments can enforce update policies through centralized configuration management. Desktop users on Windows, Mac, and Linux can manually update Chrome by navigating to Settings → Help → About Google Chrome.

For other Chromium-based browsers, refer to the vendor's documentation for instructions on how to update to the latest version. Many browsers rely on the Chromium engine but do not consistently update to the latest Chromium version or publicly report update timelines. This creates a broad and often overlooked attack surface.

In addition to mainstream browsers like Chrome and Edge, there are mobile browsers, regional browsers in non-English markets such as 360, Cốc Cốc, QQ, and Yandex, and niche browsers like Atlas, Ecosia, and DuckDuckGo. These may also lag behind in updating to the latest Chromium versions.

As AI-driven (Chromium-based) browsing tools like ChatGPT Atlas become more common in enterprise environments, it's important to conduct regular audits to identify all browser types in use. Visibility into browser diversity and update status is essential for maintaining a secure posture across endpoints.

Field Effect MDR monitors for suspicious browser activity and detects attempts to exploit known vulnerabilities. If vulnerable systems are identified, Field Effect MDR users will receive an alert through ARO.

Stay on top of emerging threats like this.

Sign up to receive a weekly roundup of our security intelligence feed. You'll be the first to know of emerging attack vectors, threats, and vulnerabilities. 

Sign up