CVE-2025-13228
Published: 18 November 2025
Description
Adversaries may exploit software vulnerabilities in client applications to execute code.
Security Summary
CVE-2025-13228 is a type confusion vulnerability (CWE-843) in the V8 JavaScript engine within Google Chrome versions prior to 142.0.7444.59. This flaw enables a remote attacker to potentially trigger heap corruption by means of a crafted HTML page. The vulnerability carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) and is rated High severity by Chromium security standards.
A remote attacker can exploit this issue over the network with low complexity and no required privileges, though it necessitates user interaction, such as visiting a malicious site. Exploitation of the type confusion could result in heap corruption, leading to high-impact compromises of confidentiality, integrity, and availability, potentially allowing arbitrary code execution within the browser's renderer process.
Mitigation is provided in Google Chrome version 142.0.7444.59 and later stable channel updates. Security practitioners should prioritize updating affected systems. Additional details are available in the Chrome Releases stable channel update at https://chromereleases.googleblog.com/2025/10/stable-channel-update-for-desktop_28.html and the Chromium issue tracker at https://issues.chromium.org/issues/446124893.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability is a type confusion in Chrome's V8 engine exploitable via a crafted HTML page, enabling drive-by compromise (T1189) through malicious websites requiring user interaction and exploitation for client execution (T1203) in the browser renderer process.