SecurityWeek

Chrome 142 Update Patches Exploited Zero-Day

The flaw was reported by Google’s Threat Analysis Group and was likely exploited by a commercial spyware vendor.

Google on Monday rolled out an emergency Chrome 142 update to address a vulnerability exploited in the wild as a zero-day.

Tracked as CVE-2025-13223 (CVSS score of 8.8), the exploited high-severity flaw is described as a type confusion issue in the V8 JavaScript and WebAssembly engine.

Type confusion vulnerabilities are memory safety bugs that can trigger unexpected software behavior, and they could lead to crashes, remote code execution, and other types of malicious operations.

Type confusion defects in the V8 engine can typically be exploited via crafted HTML pages for remote read/write operations.

“Google is aware that an exploit for CVE-2025-13223 exists in the wild,” the internet giant notes in its advisory, without providing details on the bug or its exploitation.

However, the company says the vulnerability was reported by Clément Lecigne of Google’s Threat Analysis Group (TAG) on November 12. This implies that a commercial spyware vendor might have targeted the bug in attacks.

TAG researchers have discovered numerous security defects exploited by commercial spyware, including vulnerabilities in Chrome.

CVE-2025-13223 is the seventh zero-day vulnerability resolved in Chrome this year. The sixth was fixed in September.

The browser update also resolves CVE-2025-13224, another type confusion issue in V8, reported by the Big Sleep AI agent.

Google makes no mention of this security defect being exploited in the wild, but the internet giant did praise Big Sleep before for finding bugs that threat actors knew about and were getting ready to exploit in the wild.

The latest Chrome iteration is now rolling out as version 142.0.7444.175 for Linux, version 142.0.7444.176 for macOS, and versions 142.0.7444.175/.176 for Windows.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
