Google Chrome bug exploited as an 0-day - patch now or risk full system compromise
- Reference: 1763487793
- News link: https://www.theregister.co.uk/2025/11/18/google_chrome_seventh_0_day/
The vulnerability, tracked as [1]CVE-2025-13223, is a type confusion flaw in the V8 JavaScript engine, and it's the seventh Chrome zero-day this year. All have since been patched. But if you use Chrome as your web browser, make sure you are running the most recent version - or risk full system compromise.
This type of vulnerability happens when the engine misinterprets a block of memory as one type of object when it actually holds another, and then operates on it as if it were the wrong type. This can lead to system crashes and arbitrary code execution, and, if chained with other bugs, can potentially lead to a full system compromise via a crafted HTML page.
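A simplified illustration of the type confusion described above, added here and not taken from V8, Chrome or the original article: a toy tagged value in C (the `Value` type and all function names are hypothetical) where skipping the tag check lets a number's raw bits pass as an array length, next to the checked version that rejects it.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy runtime value: a tag plus a payload whose meaning depends on the tag. */
typedef enum { T_NUMBER, T_ARRAY } Tag;
typedef struct {
    Tag tag;
    union {
        double number;                               /* valid when tag == T_NUMBER */
        struct { uint32_t length, capacity; } array; /* valid when tag == T_ARRAY */
    } u;
} Value;

/* Confused path: assumes the value is an array and skips the tag check,
   so a number's raw bits are used as an element count. */
static bool in_bounds_unchecked(const Value *v, uint32_t index) {
    return index < v->u.array.length;
}

/* Hardened path: verify the type before interpreting the payload. */
static bool in_bounds_checked(const Value *v, uint32_t index) {
    return v->tag == T_ARRAY && index < v->u.array.length;
}

/* Constructed sample input: a number with a caller-chosen bit pattern. */
static Value make_number_from_bits(uint64_t bits) {
    Value v = { .tag = T_NUMBER };
    memcpy(&v.u.number, &bits, sizeof bits);
    return v;
}

static Value make_array(uint32_t length) {
    Value v = { .tag = T_ARRAY, .u.array = { length, length } };
    return v;
}

int main(void) {
    Value num = make_number_from_bits(0x4141414141414141ULL); /* both halves equal */
    Value arr = make_array(4);
    printf("number as array, index 1000000: unchecked=%d checked=%d\n",
           in_bounds_unchecked(&num, 1000000u), in_bounds_checked(&num, 1000000u));
    printf("real array, index 9: unchecked=%d checked=%d\n",
           in_bounds_unchecked(&arr, 9u), in_bounds_checked(&arr, 9u));
    return 0;
}
```

No element is read or written here; the point is that the unchecked bounds decision approves an index for an object that has no backing store at all, which is the step that turns a wrong type assumption into memory corruption.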
"Google is aware that an exploit for CVE-2025-13223 exists in the wild," the Monday security alert [3]warned.
Also on Monday, Google issued a second emergency patch for another high-severity type confusion bug in Chrome's V8 engine. This one is tracked as [5]CVE-2025-13224. As of now, there are no reports of exploitation - so that's another reason to update sooner rather than later.
[6]Google pushes emergency patch for Chrome 0-day – check your browser version now
[7]After Chrome patches zero-day used to target Russians, Firefox splats similar bug
[8]Who's watching the watchers? This Mozilla fellow, and her Surveillance Watch map
[9]Previously unknown Landfall spyware used in 0-day attacks on Samsung phones
Google's LLM-based bug hunting tool [10]Big Sleep found CVE-2025-13224 in October, and a human - the Chocolate Factory's own Clément Lecigne - discovered CVE-2025-13223 on November 12.
Lecigne is a spyware hunter with Google's Threat Analysis Group (TAG) credited with finding and disclosing several of these types of Chrome zero-days. While we don't have any details about who is exploiting CVE-2025-13223 and what they are doing with the access, TAG tracks [11]spyware and nation-state attackers [12]abusing zero days for espionage expeditions.
TAG also spotted the [13]sixth Chrome bug exploited as a zero-day and patched in September. That flaw, CVE-2025-10585, was also a type confusion flaw in the V8 JavaScript and WebAssembly engine. ®
[1] https://nvd.nist.gov/vuln/detail/CVE-2025-13223
[3] https://chromereleases.googleblog.com/2025/11/stable-channel-update-for-desktop_17.html
[5] https://nvd.nist.gov/vuln/detail/CVE-2025-13224
[6] https://www.theregister.com/2025/09/18/google_emergency_patch_chrome_0_day/
[7] https://www.theregister.com/2025/03/28/google_kaspersky_mozilla/
[8] https://www.theregister.com/2025/11/08/mozilla_fellow_al_shafei/
[9] https://www.theregister.com/2025/11/07/landfall_spyware_samsung_0days/
[10] https://www.theregister.com/2024/11/05/google_ai_vulnerability_hunting/
[11] https://www.theregister.com/2024/03/27/surge_in_enterprise_zero_days/
[12] https://www.theregister.com/2025/11/07/landfall_spyware_samsung_0days/
[13] https://www.theregister.com/2025/09/18/google_emergency_patch_chrome_0_day/
Re: Do I need to panic?
According to Hacker News, both CVEs affect other Chromium-based browsers, although they didn't elaborate other than mentioning specific example browsers (Microsoft Edge, Brave, Opera, and Vivaldi).
Re: Do I need to panic?
https://vivaldi.com/blog/desktop/updates/
> November 17, 2025
> This update includes a few important crash fixes and security fixes from Chromium upstream, including for CVE-2025-13223 (Type Confusion in V8), which has a known exploit in the wild.
I assumed from the V8 aspect that it would affect Vivaldi so went to update it, but this type of article would certainly benefit from flagging what's Chrome-only vs. what also affects the Chrome spinoffs.
And maybe even Node.js stuff, since it's the JS engine that's involved.
Re: Do I need to panic?
Don't forget the hundreds of programs using Electron which may/may not have code paths executing potentially malicious JavaScript.
And wait, if it's a bug in V8 it presumably affects everything Node.js too? Or not? This is a remarkably poorly described bug.
In general, do not run unknown code on your computers
Also, JavaScript engine - a way to run unknown code on your computers.
Re: In general, do not run unknown code on your computers
True, but the alternative is also to run a v1.0 internet, using html + css only. That's what you are doing, right, as I assume that means you are smarter than the rest of us and running a browser with JS entirely disabled? Lynx maybe?
My take on it is to run anything that involves money on Firefox with NoScript. And day-to-day browsing on Vivaldi. In any case, JS on browsers is pretty strongly sandboxed and sees so much adversarial pressure that it is quite battle-hardened, maybe a lot more than a lot of other stuff.
Wrt, say, Electron (which runs VS Code), which another comment touched upon, I remember reading that it is way less secure than browsers and tends to have access to the filesystem and OS...
Do I need to panic?
Ditched Chrome years ago but it is never clear whether bugs are shared with Chromium and hence half the rest that use the same engine and can be identified as targets by their headers.
Maybe I should ask Microsoft ;-)