Analysis

Google issued a Chrome security update addressing two high-severity V8 type‑confusion vulnerabilities, principally CVE-2025-13223 (CVSS 8.8), which Google says is being actively exploited and can enable arbitrary code execution or program crashes. The NIST description notes heap corruption via a crafted HTML page; the patched builds are 142.0.7444.175/.176 for Windows, 142.0.7444.176 for macOS and 142.0.7444.175 for Linux, and users are instructed to relaunch Chrome to install them. This fix is part of a sequence that closes seven zero‑days disclosed this year and marks the third actively exploited V8 type‑confusion bug after CVE-2025-6554 and CVE-2025-10585, signaling a concentrated exploitation pattern against Chrome’s JavaScript/WebAssembly engine. The report credits Clément Lecigne of Google TAG with the discovery of CVE-2025-13223 (reported Nov. 12, 2025) and notes CVE-2025-13224 was flagged by Google’s AI agent Big Sleep, underscoring both human and AI roles in detection. Immediate operational risk centers on unpatched endpoints and Chromium derivatives (Edge, Brave, Opera, Vivaldi); Google has not disclosed attacker attribution or scale, leaving uncertainty about who was targeted. Market signals are mildly negative toward Alphabet (GOOGL/GOOG) while AAPL and MSFT show neutral sentiment, implying potential near‑term reputational or support‑cost pressure for browser vendors and increased demand for enterprise patch management and endpoint security.