Google has released an urgent security update for Chrome after confirming that a newly discovered high-severity zero-day vulnerability was actively exploited in real-world attacks.
The flaw, tracked as CVE-2025-13223 with a CVSS score of 8.8, is a type confusion bug in Chrome’s V8 JavaScript and WebAssembly engine. Such memory safety issues can lead to crashes, unauthorized code execution, and other malicious behavior when triggered through specially crafted webpages.
Google acknowledged that the vulnerability is already being exploited but did not disclose technical details. The issue was reported on November 12 by Clément Lecigne from Google’s Threat Analysis Group (TAG)—the same team known for uncovering multiple vulnerabilities abused by commercial spyware vendors. The attribution strongly suggests that the flaw may have been leveraged by such vendors in targeted attacks.
This marks the seventh Chrome zero-day patched in 2025, following another high-severity fix issued in September.
Additional V8 Vulnerability Also Patched
Alongside CVE-2025-13223, the latest update also addresses CVE-2025-13224, another type confusion weakness in the V8 engine. The flaw was discovered by the Big Sleep AI agent, a system previously recognized by Google for identifying vulnerabilities that attackers were preparing to exploit.
While Google stated that CVE-2025-13224 has not been observed in active exploitation, it emphasized the importance of applying the update promptly.
Chrome 142 Now Rolling Out Globally
The patched versions—now rolling out automatically—include:
- Linux: 142.0.7444.175
- macOS: 142.0.7444.176
- Windows: 142.0.7444.175 / 142.0.7444.176
Users are strongly advised to update immediately to protect against potential attacks delivered through malicious HTML or JavaScript.
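To confirm the rollout has actually reached every machine, the fixed builds listed above can be checked against a browser inventory. The following is an added example, not code from Google or from the original article; the inventory rows, hostnames and function names are constructed for illustration, and it assumes that any build numerically below the platform's listed version is unpatched.

```python
# Added example: flag Chrome installs older than the fixed builds listed above.
# Assumption: a build numerically below the platform's floor is unpatched.

# Minimum patched build per platform, taken from the article's list.
# Windows ships as .175 or .176, so .175 is the floor there.
PATCHED = {
    "linux": (142, 0, 7444, 175),
    "macos": (142, 0, 7444, 176),
    "windows": (142, 0, 7444, 175),
}

def parse_version(text):
    """Turn 'MAJOR.MINOR.BUILD.PATCH' into a tuple of ints, or None if malformed."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isascii() and p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)

def assess(platform, version_text):
    """Return 'patched', 'vulnerable', or 'unknown' for one install."""
    floor = PATCHED.get(platform.strip().lower())
    version = parse_version(version_text)
    if floor is None or version is None:
        return "unknown"  # unlisted platform or unparseable version: review by hand
    # Tuple comparison is numeric per field, so 142.0.7444.59 < 142.0.7444.175
    # (a plain string comparison would get that wrong).
    return "patched" if version >= floor else "vulnerable"

def audit(inventory):
    """Map each host to its status; inventory is (host, platform, version) rows."""
    return {host: assess(platform, version) for host, platform, version in inventory}

# Constructed sample inventory (hostnames and versions are made up).
SAMPLE = [
    ("ws-001", "Windows", "142.0.7444.175"),
    ("ws-002", "Windows", "142.0.7444.59"),
    ("mac-01", "macOS", "142.0.7444.175"),
    ("lnx-01", "Linux", "143.0.7500.10"),
    ("kiosk9", "ChromeOS", "142.0.7444.175"),
    ("ws-003", "Windows", "142.0.7444"),
]

if __name__ == "__main__":
    for host, status in audit(SAMPLE).items():
        print(f"{host}: {status}")
```

Hosts reported as "unknown" are deliberately not treated as safe: a platform missing from the article's list or a truncated version string needs a manual check.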