Chrome Type Confusion Zero-Day Vulnerability Actively Exploited in the Wild

Google has rushed out a critical update for its Chrome browser to address a zero-day vulnerability actively exploited in the wild, urging users to update immediately to mitigate the risk posed by sophisticated attackers.

The patch, rolled out in Chrome Stable version 142.0.7444.175 for Windows and Linux, and 142.0.7444.176 for Mac, fixes two high-severity type confusion bugs in the V8 JavaScript engine.

The most alarming is CVE-2025-13223, reported on November 12, 2025, by Clément Lecigne of Google’s Threat Analysis Group (TAG).

Google confirmed an exploit for this flaw is already circulating, potentially allowing remote attackers to execute arbitrary code on victims’ systems without interaction.

Type confusion vulnerabilities, a staple in browser exploits, occur when the V8 engine misinterprets data types, leading to memory corruption. This can enable attackers to bypass Chrome’s sandbox protections, steal sensitive information, or install malware.

The second fix, CVE-2025-13224, was identified earlier on October 9, 2025, by Google’s internal Big Sleep fuzzing tool, highlighting the company’s proactive defense layers, reads the advisory.

TAG’s involvement suggests possible ties to advanced persistent threats (APTs), as the group often tracks state-sponsored operations using such flaws for espionage or supply chain attacks.

This incident underscores Chrome’s dominance as a target, as over 65% of global browsers run the engine, making timely patches essential.

Google credits tools like AddressSanitizer and libFuzzer for early detection, but the rapid exploitation timeline, from report to wild use in under a week, raises questions about attribution. Users should enable automatic updates and avoid suspicious links.

Follow us on Google News, LinkedIn, and X for daily cybersecurity updates. Contact us to feature your stories.