Google pushed an emergency patch on Monday for a high-severity Chrome bug that attackers have already found and exploited in the wild.
The vulnerability, tracked as CVE-2025-13223, is a type confusion flaw in the V8 JavaScript engine, and it’s the seventh Chrome zero-day this year. All have since been patched. But if you use Chrome as your web browser, make sure you are running the most recent version – or risk full system compromise.
A type confusion vulnerability happens when the engine misinterprets a block of memory as one type of object and treats it as something it’s not. This can lead to system crashes and arbitrary code execution and, if chained with other bugs, can potentially lead to a full system compromise via a crafted HTML page.
“Google is aware that an exploit for CVE-2025-13223 exists in the wild,” the Monday security alert warned.
Also on Monday, Google issued a second emergency patch for another high-severity type confusion bug in Chrome’s V8 engine. This one is tracked as CVE-2025-13224. As of now, there are no reports of exploitation – so that’s another reason to update sooner rather than later.
Google’s LLM-based bug hunting tool Big Sleep found CVE-2025-13224 in October, and a human – the Chocolate Factory’s own Clément Lecigne – discovered CVE-2025-13223 on November 12.
Lecigne is a spyware hunter with Google’s Threat Analysis Group (TAG) who is credited with finding and disclosing several of these types of Chrome zero-days. While we don’t have any details about who is exploiting CVE-2025-13223 and what they are doing with the access, TAG tracks spyware and nation-state attackers abusing zero-days for espionage expeditions.
TAG also spotted the sixth Chrome bug exploited as a zero-day and patched in September. That flaw, CVE-2025-10585, was also a type confusion flaw in the V8 JavaScript and WebAssembly engine.