CVE-2025-13227
Published: 18 November 2025
Description
Adversaries may exploit software vulnerabilities in client applications to execute code.
Security Summary
A type confusion vulnerability, designated CVE-2025-13227, affects the V8 JavaScript engine in Google Chrome prior to version 142.0.7444.59. Published on 2025-11-18, it enables a remote attacker to potentially trigger heap corruption via a crafted HTML page. The issue carries a Chromium security severity of High and a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H), classified under CWE-843.
Exploitation requires no privileges and can be initiated remotely over the network with low complexity, though it depends on user interaction, such as visiting a malicious site. An attacker could achieve heap corruption, leading to high-impact confidentiality, integrity, and availability violations, potentially allowing arbitrary code execution within the renderer process.
Chrome's stable channel update, documented at https://chromereleases.googleblog.com/2025/10/stable-channel-update-for-desktop_28.html, patches this by advancing to version 142.0.7444.59. Additional details are available in the Chromium issue tracker at https://issues.chromium.org/issues/446122633. Mitigation involves updating to the patched Chrome version promptly.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability is a type confusion in Chrome's V8 engine exploitable via crafted HTML on a malicious site, enabling drive-by compromise (T1189) and exploitation for client execution (T1203).