High

Type Confusion in Google Chrome V8

IdentifiersCVE-2025-13224CWE-843· Access of Resource Using…

CVE-2025-13224 is a high-severity type confusion vulnerability in the V8 JavaScript engine used by Google Chrome. According to the provided content, Google Chrome versions prior to 142.0.7444.175 are affected, with fixes released in 142.0.7444.175/.176 depending on platform. The flaw can be triggered by a remote attacker via a crafted HTML page, causing V8 to mis-handle object types and leading to heap corruption. While the content does not provide the specific vulnerable function or code path, it consistently identifies the issue as a V8 type confusion bug discovered by Google’s Big Sleep project. No in-the-wild exploitation was reported for CVE-2025-13224 in the provided material.

For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial

ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation can result in heap corruption in the browser process and may enable arbitrary code execution in the context of the logged-in user. Depending on the victim’s privileges, this could allow installation of programs, viewing, modification, or deletion of data, and creation of new accounts with full user rights. The provided content also indicates broader risks including browser compromise, malware infection, sensitive data theft, service instability or crashes, and potential full system compromise if combined with additional vulnerabilities.

Mitigation

If you can’t patch tonight, do this now.

No known workaround is provided in the supplied advisory content. Until patching is completed, risk can be reduced by limiting exposure to untrusted web content, enforcing least privilege for browser users, enabling anti-exploitation protections, and using DNS/URL filtering or equivalent web filtering controls to reduce access to malicious or compromised sites. User awareness measures may also reduce the likelihood of visiting attacker-controlled pages, but patching is the primary mitigation.

Remediation

Patch, then assume compromise.

Update Google Chrome to a fixed version. The provided content states that the issue is addressed in Chrome 142.0.7444.175/.176, with affected versions being those prior to 142.0.7444.175 on Linux and prior to 142.0.7444.175/.176 on Windows and macOS. Chromium-based browsers that inherit Chromium/V8 fixes should also be updated as vendor patches become available. For Palo Alto Networks Prisma Browser, the advisory in the provided content recommends upgrading to a fixed version, including builds at or above 143.37.2.193, with per-CVE fixed builds listed by the vendor.

PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType

GoogleChromeapplication

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

17 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

17 SOURCESView more in app

cisecurity blog msisca and eiisacNews

Nov 24, 2025

Multiple Vulnerabilities in Google Chrome Could Allow for Arbitrary Code Execution

A type confusion vulnerability in the V8 JavaScript engine in Google Chrome that could allow for arbitrary code execution in the context of the logged on user. Exploitation could lead to full user compromise depending on privileges.

scworldNews

Nov 19, 2025

Google addresses Chrome zero-day leveraged in attacks

A high-severity type confusion vulnerability in Google Chrome’s V8 JavaScript engine that has been patched; Google reports it is not yet exploited in the wild.

Nov 18, 2025

Google Chrome bug exploited as a 0-day - patch now • The Register

High-severity Google Chrome vulnerability: a type confusion flaw in the V8 JavaScript engine; patched via an emergency update, with no exploitation reported in the content.

Nov 18, 2025

Google Chrome bug exploited as an 0-day - patch now or risk full system compromise

A high-severity type confusion vulnerability in Google Chrome's V8 engine that was emergency patched by Google, with no reported exploitation at the time of writing.

+3 more in the timeline

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.

Start free trial

Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware

Malware families riding this exploit, with evidence and IOCs.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity9