CVE-2025-13223

HighCISA KEVActive Exploitation

Published: 17 November 2025

Published

17 November 2025

Modified

02 December 2025

KEV Added

19 November 2025

Patch

—

CVSS Score 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

EPSS Score 0.0280 86.2th percentile

Risk Priority 39 60% EPSS · 20% KEV · 20% CVSS

Description

Type Confusion in V8 in Google Chrome prior to 142.0.7444.175 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Requires timely identification, reporting, and remediation of flaws such as CVE-2025-13223 by applying the Chrome update to version 142.0.7444.175.

SI-16 Memory Protection good match

prevent

Memory protection mechanisms like ASLR and DEP directly mitigate heap corruption exploitation from type confusion vulnerabilities in the V8 engine.

RA-5 Vulnerability Monitoring and Scanning good match

detect

Vulnerability scanning identifies systems running vulnerable Google Chrome versions prior to 142.0.7444.175, enabling targeted remediation.

Security SummaryAI

CVE-2025-13223 is a type confusion vulnerability in the V8 JavaScript and WebAssembly engine within Google Chrome versions prior to 142.0.7444.175. The flaw, classified under CWE-843, enables heap corruption when processing a crafted HTML page. Chromium rates its security severity as High, with a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H), indicating high impacts on confidentiality, integrity, and availability.

A remote attacker can exploit this vulnerability by tricking a user into visiting a malicious website or opening a crafted HTML page. No special privileges are required, and the attack has low complexity, though it relies on user interaction. Successful exploitation could allow arbitrary read/write access to heap memory, potentially leading to remote code execution within the browser's renderer process.

Google's stable channel update for desktop, detailed in the Chrome Releases blog, addresses the issue by upgrading to version 142.0.7444.175. The Chromium issue tracker (issues.chromium.org/issues/460017370) provides further technical details. The vulnerability is listed in CISA's Known Exploited Vulnerabilities catalog, indicating active exploitation in the wild.

Security practitioners should prioritize updating Google Chrome to at least version 142.0.7444.175 and advise users to avoid untrusted websites, as this flaw has been observed in real-world attacks.

Details

CWE(s): CWE-843
KEV Date Added: 19 November 2025

Affected Products

google

chrome

≤ 142.0.7444.175

MITRE ATT&CK Enterprise TechniquesAI

T1189 Drive-by Compromise Initial Access

Adversaries may gain access to a system through a user visiting a website over the normal course of browsing.

attack.mitre.org →

T1203 Exploitation for Client Execution Execution

Adversaries may exploit software vulnerabilities in client applications to execute code.

attack.mitre.org →

Why these techniques?

The vulnerability is a type confusion in Chrome's V8 engine exploited via crafted HTML pages on malicious websites, enabling drive-by compromise (T1189) and exploitation for client execution (T1203) in the browser renderer process.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

https://chromereleases.googleblog.com/2025/11/stable-channel-update-for-desktop_17.html
Release Notes, Vendor Advisory · chrome-cve-admin@google.com
https://issues.chromium.org/issues/460017370
Issue Tracking, Permissions Required · chrome-cve-admin@google.com
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-13223
US Government Resource · 134c704f-9b21-4f2e-91b3-4a467353bcc0