CVE-2025-13223 — Google Chromium V8 Type Confusion Vulnerability

CVE-2025-13223

Google Chrome V8 — Type Confusion Heap Corruption; November 2025 Zero-Day; Affects All Chromium-Based Browsers

What is Chrome's V8 JavaScript Engine?

V8 is Google Chrome's open-source JavaScript and WebAssembly engine. It runs JavaScript through a multi-tier pipeline (an interpreter plus several JIT compilers that emit native machine code). A V8 type confusion vulnerability arises when the engine acts on an incorrect assumption about the type or shape of a JavaScript value, so that memory laid out for one kind of object is read or written as if it were another; the result is heap corruption. V8 type confusion bugs are among the most reliably exploitable browser vulnerabilities because they tend to yield stable read/write primitives inside the renderer process. Those primitives give code execution in the sandboxed renderer only; escaping Chrome's sandbox requires a second, separate vulnerability, and Chrome's V8 sandbox further limits what corruption inside the V8 heap can reach, so a complete chain today usually needs a V8 sandbox escape as well.

All Chromium-based browsers (Google Chrome, Microsoft Edge, Opera, Brave, Vivaldi, and others) use V8, making V8 zero-days universally impactful across the Chromium ecosystem.

Overview

CVE-2025-13223 is a type confusion vulnerability (CWE-843) in Chrome's V8 JavaScript engine that lets a crafted web page corrupt the renderer heap. It was exploited in the wild as a zero-day before the November 17, 2025 patch, and CISA added it to the KEV catalog two days later. It is the seventh Chrome zero-day of 2025, reflecting the sustained exploitation rate of browser engine vulnerabilities that year.

Affected Versions

Product Vulnerable Fixed
Google Chrome < 142.0.7444.175 142.0.7444.175 (Linux); 142.0.7444.175/.176 (Windows, Mac)
Microsoft Edge Corresponding pre-fix Chromium 142 build Apply the November 2025 Edge security update
Other Chromium browsers Varies by vendor Update per vendor advisory

Technical Details

The type confusion (CWE-843) is in V8; the specific JavaScript construct that triggers it has not been published. In bugs of this class, V8 checks or infers the type of an object once and then continues to rely on that assumption after it has become stale (for example after optimized code has been emitted or after a side effect has changed the object's shape), so memory laid out according to one type's structure is accessed as if it belonged to a different type. By crafting JavaScript that exercises the mismatch, an attacker builds up:

  1. Read primitive: read memory from the renderer heap by treating one object's storage as if it were a different object type
  2. Write primitive: write controlled values into heap locations via the same confusion
  3. Code execution: use the read/write primitives to corrupt control data such as function pointers, JIT-compiled code, or WebAssembly memory, leading to native code execution in the Chrome renderer process

Renderer code execution is not the end of a real chain: a separate sandbox-escape vulnerability is needed to get out of Chrome's multi-process security model, and on current Chrome builds the V8 sandbox must also be bypassed before corruption of the V8 heap reaches the rest of the process.

Delivery: the victim loads a malicious web page (or a legitimate page carrying injected content) that contains the exploit JavaScript. A single click on a link is enough; no download or prompt is involved, which is why the CVSS vector carries UI:R but nothing stronger.

Discovery

Google's release note credits Clément Lecigne of Google's Threat Analysis Group and states that Google was aware of an exploit for CVE-2025-13223 in the wild at the time of the fix. CISA listed it in the KEV catalog two days after the patch (patch November 17, KEV November 19).

Exploitation Context

Active exploitation was confirmed before the November 17, 2025 patch. V8 type confusion zero-days are routinely used by well-resourced actors (government-sponsored groups, commercial spyware vendors, and advanced criminal groups) in targeted attacks, typically against a small set of victims rather than in broad campaigns. Google has not published details of the observed activity.

Remediation

  1. Update Chrome to 142.0.7444.175 or later immediately. Open the Chrome menu → Help → About Google Chrome (or load chrome://settings/help); Chrome downloads the update and applies it only after a relaunch, so an installed-but-not-relaunched browser is still running the vulnerable V8. The CISA deadline was December 10, 2025.
  2. Update all other Chromium-based browsers: Edge, Brave, Opera, Vivaldi and the rest ship their own builds of the fix, so each needs its vendor's update.
  3. Keep automatic updates enabled so future zero-day fixes arrive without delay, and verify that fleet management does not pin an older version.
  4. Users in high-risk categories (journalists, government, executives, activists) should be especially prompt, since V8 zero-days are favored by targeted spyware operators.
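The version check from the Affected Versions table and step 1 above, as an added example (not part of the advisory or of Google's tooling): a POSIX sh script that compares a Chrome build string against the fixed build and, when run on a host, reads the version from the first Chrome/Chromium binary on PATH. The binary names and the "fixed in 142.0.7444.175" threshold are the only assumptions; other Chromium browsers need their own vendor's fixed version substituted.

```shell
#!/bin/sh
# Added example, not from the advisory: flag Chrome builds older than the
# CVE-2025-13223 fix. Pure POSIX sh so it behaves the same on Linux and macOS
# fleet hosts and does not depend on GNU sort -V.
FIXED_CHROME="142.0.7444.175"

# version_lt A B: exit 0 when dotted-numeric version A is older than B.
# Missing trailing fields count as 0, so "142.0" compares equal to "142.0.0.0".
# Anything other than digits and dots is rejected (exit 2) rather than guessed at.
version_lt() {
  case "$1$2" in *[!0-9.]*|"") return 2 ;; esac
  a="$1"
  b="$2"
  while [ -n "$a" ] || [ -n "$b" ]; do
    ai="${a%%.*}"
    bi="${b%%.*}"
    if [ "$a" = "$ai" ]; then a=""; else a="${a#*.}"; fi
    if [ "$b" = "$bi" ]; then b=""; else b="${b#*.}"; fi
    ai="${ai:-0}"
    bi="${bi:-0}"
    if [ "$ai" -lt "$bi" ]; then return 0; fi
    if [ "$ai" -gt "$bi" ]; then return 1; fi
  done
  return 1
}

# chrome_vulnerable VERSION: exit 0 when VERSION predates the fixed build.
chrome_vulnerable() {
  version_lt "$1" "$FIXED_CHROME"
}

# installed_chrome_version: print the version reported by the first
# Chrome/Chromium binary found on PATH (assumed binary names), e.g.
# "142.0.7444.162"; exit 1 if none is installed.
installed_chrome_version() {
  for bin in google-chrome google-chrome-stable chromium chromium-browser; do
    if command -v "$bin" >/dev/null 2>&1; then
      "$bin" --version 2>/dev/null | grep -oE '[0-9]+(\.[0-9]+){2,3}' | head -n 1
      return 0
    fi
  done
  return 1
}

# Stand-alone use: check a version passed as $1, else the local install.
v="${1:-$(installed_chrome_version)}"
if [ -z "$v" ]; then
  echo "no Chrome/Chromium binary found; pass a version string as the first argument" >&2
elif chrome_vulnerable "$v"; then
  echo "Chrome $v is VULNERABLE to CVE-2025-13223 (fixed in $FIXED_CHROME)"
else
  echo "Chrome $v is not affected by CVE-2025-13223"
fi
```

A three-field version such as "142.0.7444" is treated as older than the fix, which is the conservative outcome for an incomplete inventory record; a build that is only downloaded but not yet relaunched will still report the old version to this check, which is the behaviour you want.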

Key Details

Property Value
CVE ID CVE-2025-13223
Vendor / Product Google — Chromium V8
NVD Published 2025-11-17
NVD Last Modified 2025-12-02
CVSS 3.1 Score 8.8
CVSS 3.1 Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Severity HIGH
CWE CWE-843
CISA KEV Added 2025-11-19
CISA KEV Deadline 2025-12-10
Known Ransomware Use No

CVSS 3.1 Breakdown

Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Required Action

CISA BOD 22-01 Deadline: 2025-12-10. Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Timeline

Date Event
2025-11-17 Chrome 142.0.7444.175 released with the fix; Google confirms in-the-wild exploitation; CVE published in NVD
2025-11-19 CISA adds CVE-2025-13223 to the KEV catalog
2025-12-10 CISA BOD 22-01 remediation deadline

References

Resource Type
Chrome Stable Channel Update — November 17, 2025 Vendor Advisory
NVD — CVE-2025-13223 Vulnerability Database
CISA KEV Catalog Entry US Government