Analysis

Google disclosed a high-severity zero-day (CVE-2025-13223) in its Chrome V8 JavaScript engine that permits type-confusion leading to heap corruption and potential remote code execution via a crafted HTML page; Google confirmed an exploit exists in the wild. The vulnerability is rated high and was discovered on Nov. 12 by Google’s Threat Analysis Group, making this the seventh Chrome zero-day patched this year with prior fixes in March, May, June, July and September. A patch is available in Chrome builds 142.0.7444.175/.176 for Windows, 142.0.7444.176 for Mac, and 142.0.7444.175 for Linux; Google says Chrome should auto-update but recommends manual verification of versions. The immediate consequence is elevated operational and security risk for unpatched enterprise fleets, with potential for increased incident response costs and short-term disruption to browser-dependent services until patch adoption is confirmed. For investors, this event signals a persistently active exploit environment for a widely used client technology and increases the importance of telemetry on patch adoption and exploit activity; monitoring subsequent advisories and any reported incidents will be material to operational-risk assessments and potential cost impacts to affected companies.