Urgent Chrome Update Fixes Actively Exploited 0-Day Bug
▼ Summary
– Google issued an emergency patch for CVE-2025-13223, a high-severity Chrome zero-day vulnerability that attackers are already exploiting.
– This type confusion flaw in the V8 JavaScript engine can cause system crashes and arbitrary code execution, potentially leading to full system compromise.
– Google also patched a second high-severity type confusion bug, CVE-2025-13224, which has not yet been reported as exploited.
– CVE-2025-13223 was discovered by Google’s Clément Lecigne, a spyware hunter who has found multiple Chrome zero-days used by nation-state attackers.
– This marks the seventh Chrome zero-day patched this year, following another similar V8 engine flaw (CVE-2025-10585) that was exploited in September.
Google has released a critical security update for its Chrome browser to address a dangerous vulnerability that malicious actors are already using in active attacks. This marks the seventh zero-day flaw patched in Chrome this year, underscoring the importance of keeping your browser up to date to protect your system from potential compromise.
The security hole, identified as CVE-2025-13223, is a type confusion issue within Chrome’s V8 JavaScript engine. Type confusion occurs when the browser incorrectly interprets a section of memory as a different type of object than it actually is. This kind of mistake can cause the browser to crash or, more seriously, allow an attacker to run unauthorized code on a user’s device. When combined with other security weaknesses, this flaw could be leveraged through a maliciously designed webpage to take complete control of an affected system.
In its security advisory, Google confirmed it has evidence that exploitation of CVE-2025-13223 is already happening in the wild. Users are strongly urged to verify that their browser is updated immediately.
Alongside this fix, Google also patched a second high-severity type confusion vulnerability tracked as CVE-2025-13224. Although there are no current reports of this second bug being actively exploited, applying the latest update protects against this potential threat as well.
The discovery of these vulnerabilities involved both automated systems and human expertise. Google’s LLM-based bug hunting tool, Big Sleep, identified CVE-2025-13224 back in October. The actively exploited flaw, CVE-2025-13223, was found on November 12 by Clément Lecigne, a researcher with Google’s Threat Analysis Group (TAG).
Lecigne is known for his work hunting spyware and has been credited with uncovering multiple Chrome zero-day vulnerabilities in the past. While specific information about the attackers exploiting CVE-2025-13223 or their objectives remains undisclosed, TAG routinely investigates sophisticated threat actors, including nation-state groups, who use such zero-day exploits for espionage purposes.
This is not the first time TAG has been involved in identifying a serious Chrome zero-day. The group also discovered the sixth such flaw, CVE-2025-10585, which was a similar type confusion vulnerability in the V8 JavaScript and WebAssembly engine that was patched in September.
(Source: The Register)
