CVE-2025-13042

High

Published: 12 November 2025

Published

12 November 2025

Modified

25 November 2025

KEV Added

—

Patch

—

CVSS Score 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

EPSS Score 0.0011 29.3th percentile

Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Description

Inappropriate implementation in V8 in Google Chrome prior to 142.0.7444.166 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

SI-2 mandates timely identification, reporting, and correction of system flaws, directly requiring patching of the V8 heap corruption vulnerability in Chrome to version 142.0.7444.166 or later.

SI-16 Memory Protection partial match

prevent

SI-16 enforces memory protection mechanisms such as address space layout randomization and data execution prevention that mitigate heap corruption exploits like out-of-bounds writes in V8.

SC-18 Mobile Code partial match

prevent

SC-18 restricts or verifies mobile code technologies like JavaScript in browsers, reducing the attack surface for crafted HTML pages exploiting V8 vulnerabilities.

Security SummaryAI

CVE-2025-13042 involves an inappropriate implementation in the V8 JavaScript engine within Google Chrome prior to version 142.0.7444.166. This vulnerability enables a remote attacker to potentially exploit heap corruption via a crafted HTML page. It is associated with CWE-787 (Out-of-bounds Write) and carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H), classified as High severity by Chromium security. The issue was published on 2025-11-12.

A remote attacker without privileges can exploit this over the network with low complexity, though it requires user interaction, such as convincing a user to load a malicious HTML page in an affected browser. Successful exploitation could lead to high impacts on confidentiality, integrity, and availability through heap corruption.

Google addressed the vulnerability in Chrome stable channel update to version 142.0.7444.166. Mitigation requires updating to this version or later. Further details are provided in the Chrome Releases announcement at https://chromereleases.googleblog.com/2025/11/stable-channel-update-for-desktop_11.html and the Chromium issue tracker at https://issues.chromium.org/issues/457351015.

Details

CWE(s): CWE-787

Affected Products

google

chrome

≤ 142.0.7444.162

MITRE ATT&CK Enterprise TechniquesAI

T1189 Drive-by Compromise Initial Access

Adversaries may gain access to a system through a user visiting a website over the normal course of browsing.

attack.mitre.org →

T1203 Exploitation for Client Execution Execution

Adversaries may exploit software vulnerabilities in client applications to execute code.

attack.mitre.org →

Why these techniques?

Vulnerability in Chrome's V8 engine enables heap corruption via crafted HTML page, facilitating drive-by compromise (T1189) and exploitation for client execution (T1203).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

https://chromereleases.googleblog.com/2025/11/stable-channel-update-for-desktop_11.html
Release Notes, Vendor Advisory · chrome-cve-admin@google.com
https://issues.chromium.org/issues/457351015
Issue Tracking, Permissions Required · chrome-cve-admin@google.com