← back
CVE-2025-13223

CVE-2025-13223

CVSS 8.8 HIGHEPSS 4.8%● KEVCWE-843
Vexday Risk Score
51Attention
SSVC decision (CISA)
Act
Exploitation + impact → act immediately
CVSS 8.8EPSS 4.8%KEV simPoC Patch
Lifecycle
17 Nov 2025Published on NVD
19 Nov 2025Active exploitation (CISA KEV)
Recommendation: Patch as soon as possible — active exploitation confirmed.
In short

V8 (Chrome's JavaScript engine) has a type confusion vulnerability that lets attackers trick it into mishandling memory through a malicious webpage, potentially corrupting the heap and crashing or controlling the browser.

Technical detail

Type confusion in V8's type system allows a remote attacker to trigger heap corruption via crafted HTML, leading to potential code execution or denial of service. The attack requires user interaction (visiting a malicious page) and affects Chrome versions prior to 142.0.7444.175.

Summary generated and translated by AI from the official description.
Type Confusion in V8 in Google Chrome prior to 142.0.7444.175 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Affected products
Google · Chrome

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →
References
https://chromereleases.googleblog.com/2025/11/stable-channel-update-for-desktop_17.htmlhttps://issues.chromium.org/issues/460017370https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-13223