CVE-2025-13226

High

Published: 18 November 2025

Published

18 November 2025

Modified

19 November 2025

KEV Added

—

Patch

—

CVSS Score 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

EPSS Score 0.0011 29.6th percentile

Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Description

Type Confusion in V8 in Google Chrome prior to 142.0.7444.59 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Directly requires timely remediation of identified flaws, such as applying the Chrome 142.0.7444.59 patch to fix the V8 type confusion vulnerability.

SI-16 Memory Protection partial match

prevent

Implements memory protections like ASLR and DEP that mitigate heap corruption resulting from the V8 type confusion exploit.

SC-39 Process Isolation partial match

prevent

Enforces process isolation through browser sandboxes to contain potential code execution from crafted HTML exploiting V8 type confusion.

Security SummaryAI

CVE-2025-13226 is a type confusion vulnerability in the V8 JavaScript and WebAssembly engine within Google Chrome versions prior to 142.0.7444.59. This flaw, classified under CWE-843, enables a remote attacker to potentially trigger heap corruption through a specially crafted HTML page. Chromium rates the issue as high severity, with a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

A remote attacker can exploit this vulnerability by tricking a user into visiting a malicious website or interacting with a crafted HTML page, as it requires user interaction but no privileges. Successful exploitation could lead to arbitrary code execution, compromising confidentiality, integrity, and availability with high impact, potentially allowing full browser or system takeover depending on sandbox escape.

Mitigation is available via the stable channel update to Google Chrome 142.0.7444.59 or later, as detailed in the Chrome Releases blog post at https://chromereleases.googleblog.com/2025/10/stable-channel-update-for-desktop_28.html. Additional technical details and the upstream fix are documented in the Chromium issue tracker at https://issues.chromium.org/issues/446113732. Security practitioners should prioritize updating affected browsers and advise users to enable automatic updates.

Details

CWE(s): CWE-843

Affected Products

google

chrome

≤ 142.0.7444.59 · ≤ 142.0.7444.60

MITRE ATT&CK Enterprise TechniquesAI

T1189 Drive-by Compromise Initial Access

Adversaries may gain access to a system through a user visiting a website over the normal course of browsing.

attack.mitre.org →

T1203 Exploitation for Client Execution Execution

Adversaries may exploit software vulnerabilities in client applications to execute code.

attack.mitre.org →

Why these techniques?

The vulnerability is a type confusion in Chrome's V8 engine exploited via crafted HTML pages on malicious websites, directly enabling drive-by compromise (T1189) and exploitation for client execution (T1203).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

https://chromereleases.googleblog.com/2025/10/stable-channel-update-for-desktop_28.html
Release Notes, Vendor Advisory · chrome-cve-admin@google.com
https://issues.chromium.org/issues/446113732
Issue Tracking, Permissions Required · chrome-cve-admin@google.com