Multiple Type Confusion Vulnerabilities in Google Chrome V8 Engine
Google has released security updates for Chrome to address several high-severity type confusion vulnerabilities in the V8 JavaScript engine, including CVE-2025-13223, CVE-2025-13224, CVE-2025-13226, CVE-2025-13228, CVE-2025-13229, and CVE-2025-13230. These vulnerabilities, present in Chrome versions prior to 142.0.7444.175/.176, allow remote attackers to exploit heap corruption via crafted HTML pages, potentially leading to arbitrary code execution or browser crashes. Notably, CVE-2025-13223 has been confirmed as actively exploited in the wild, prompting Google to issue an emergency update and restrict bug details until a majority of users are protected.
Security researchers from Google's Threat Analysis Group and the AI agent Big Sleep were credited with discovering these flaws. Users are strongly advised to update Chrome to the latest stable versions (142.0.7444.175/.176 for Windows, 142.0.7444.176 for macOS, and 142.0.7444.175 for Linux) to mitigate the risk. Other Chromium-based browsers may also be affected and should be updated accordingly. No specific details about the attackers or targets have been disclosed, but the urgency of the update underscores the critical nature of these vulnerabilities.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
4 events from the most recent confirmed update back to the earliest known activity.
CVE records published for Chrome V8 vulnerabilities in 142.0.7444.59 and earlier
Public CVE entries appeared for multiple Chrome V8 type confusion heap corruption flaws, including CVE-2025-13223, CVE-2025-13224, CVE-2025-13226, CVE-2025-13228, CVE-2025-13229, and CVE-2025-13230. The entries describe remote exploitation via crafted HTML content and recommend updating to patched Chrome versions.
Google discloses additional Chrome V8 flaw CVE-2025-13224
Alongside the zero-day fix, Google also patched CVE-2025-13224, another high-severity V8 type confusion vulnerability. Reporting indicates the bug was discovered using Google's Big Sleep tool.
Google releases emergency Chrome update for exploited CVE-2025-13223
Google released a Stable Channel desktop update to fix CVE-2025-13223, an actively exploited Chrome zero-day in the V8 engine. Users were advised to update to Chrome 142.0.7444.175/.176 to mitigate ongoing attacks.
Google TAG reports Chrome zero-day CVE-2025-13223 to Google
Clément Lecigne of Google's Threat Analysis Group reported CVE-2025-13223, a high-severity V8 type confusion vulnerability that was later confirmed to be exploited in the wild. The exact report date is not provided in the references.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
10 references tracked. Mallory keeps watching after this page renders.
CVE-2025-13226 - Google Chrome V8 Type Confusion Heap Corruption
cvefeed.io
Open sourceCVE-2025-13229 - Google Chrome V8 Type Confusion Heap Corruption
cvefeed.io
Open sourceCVE-2025-13228 - Google Chrome V8 Type Confusion Heap Corruption
cvefeed.io
Open sourceCVE-2025-13230 - Google Chrome V8 Type Confusion Heap Corruption Vulnerability
cvefeed.io
Open sourceCVE-2025-13223 - Google Chrome V8 Type Confusion Heap Corruption Vulnerability
cvefeed.io
Open sourceCVE-2025-13224 - Google Chrome V8 Type Confusion Heap Corruption Vulnerability
cvefeed.io
Open sourceStable Channel Update for Desktop
chromereleases.googleblog.com
Open sourceGoogle Patches Actively Exploited Chrome Zero-Day Flaw (CVE-2025-13223) in Emergency Update
securityonline.info
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Google patches multiple Chrome V8 flaws enabling web-based remote code execution
Google released Chrome fixes for multiple high-severity vulnerabilities in the V8 JavaScript engine, including `CVE-2025-10891`, `CVE-2025-10892`, and `CVE-2025-9864`, that could be triggered when a user visits a malicious web page. The flaws include integer overflows and a use-after-free condition that can cause heap corruption in the browser renderer and potentially lead to arbitrary code execution. A related bulletin also lists `CVE-2025-10890`, a V8 side-channel information disclosure issue, alongside the two integer overflow bugs, warning that successful exploitation could expose sensitive data or enable full system compromise. Google said the affected Chrome builds were patched across Windows, macOS, and Linux in the `140.0.7339` release line, with fixes landing in versions including `140.0.7339.80/.81` and later `140.0.7339.207/.208` depending on the flaw and platform. Several of the vulnerabilities were reportedly identified by Google’s AI-based Big Sleep system, and no public proof-of-concept exploits were cited in the referenced reports. Organizations using Chrome or Chromium-based browsers were urged to deploy the vendor updates promptly because the bugs are reachable through routine web browsing and may also affect downstream browsers that have not yet incorporated the upstream patches.
Jun 12, 2026
Chrome Zero-Day Vulnerability CVE-2025-13223 Exploited in the Wild
Google has released an emergency security update to address CVE-2025-13223, a critical zero-day vulnerability in the V8 JavaScript engine used by Chrome and Chromium-based browsers. This type confusion flaw, discovered by Clément Lecigne of Google’s Threat Analysis Group (TAG), allows attackers to achieve heap corruption and potentially execute arbitrary code simply by luring users to maliciously crafted websites. The vulnerability has been actively exploited in the wild, with Google confirming that threat actors are weaponizing it to bypass browser sandbox protections, steal credentials, escalate privileges, and deploy malware. The fix is included in Chrome version 142.0.7444.175/.176 for Windows, Mac, and Linux, and users are strongly urged to update and restart their browsers immediately to mitigate risk. Other Chromium-based browsers, including Microsoft Edge, Brave, Opera, and Vivaldi, are also rolling out patches. The involvement of Google TAG suggests possible links to advanced persistent threats, highlighting the urgency for both individuals and enterprises to apply updates and monitor for suspicious activity.
Mar 21, 2026
Google Chrome 143 Update Addresses 13 Vulnerabilities Including High-Severity V8 Type Confusion
Google released Chrome version 143 for the Stable Channel, addressing 13 security vulnerabilities, including a high-severity type confusion flaw in the V8 JavaScript engine. The V8 vulnerability was notable enough to earn an $11,000 bug bounty, highlighting its potential impact on user security. The update is available for Windows, Mac, and Linux platforms, and users are strongly encouraged to apply the patch to mitigate exploitation risks. The Canadian Centre for Cyber Security issued an advisory urging administrators and users to update Chrome to version 143.0.7499.40/41 (Windows/Mac) and 143.0.7499.40 (Linux) or later. The advisory underscores the importance of timely updates to address these vulnerabilities and maintain the security of desktop environments running Google Chrome.
Mar 21, 2026