Google on Monday released security updates for its Chrome browser to address two security flaws, including one that the company said is being actively exploited in the wild.
The primary vulnerability, CVE-2025-13223 (CVSS score: 8.8), is a type confusion bug in the V8 JavaScript and WebAssembly engine that could be used to achieve arbitrary code execution or cause program crashes, as described in the NIST National Vulnerability Database.
Clément Lecigne of Google’s Threat Analysis Group is credited with discovering and reporting the flaw on November 12, 2025. Google has acknowledged that an exploit for CVE-2025-13223 exists in the wild but has not released details on who is behind the attacks, potential targets or the scale of activity.
The update brings Google’s tally to seven zero-day flaws that have been either actively exploited or demonstrated as proofs-of-concept since the start of the year, and CVE-2025-13223 is the third actively exploited type confusion bug found in V8 this year after CVE-2025-6554 and CVE-2025-10585. Google also patched another V8 type confusion issue, CVE-2025-13224, which the company said was flagged by one of its internal tools.
Users are advised to update Chrome to versions 142.0.7444.175/.176 for Windows, 142.0.7444.176 for macOS and 142.0.7444.175 for Linux; to check for and install the updates open Chrome, go to More > Help > About Google Chrome and select Relaunch. Users of other Chromium-based browsers such as Microsoft Edge, Brave, Opera and Vivaldi should apply fixes when vendors make them available.