CVE-2025-13042
Published: 12 November 2025
Summary
CVE-2025-13042 is a high-severity Out-of-bounds Write (CWE-787) vulnerability in Google Chrome. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Drive-by Compromise (T1189); ranked at the 29.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SC-18 (Mobile Code).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
SI-2 mandates timely identification, reporting, and correction of system flaws, directly requiring patching of the V8 heap corruption vulnerability in Chrome to version 142.0.7444.166 or later.
SI-16 enforces memory protection mechanisms such as address space layout randomization and data execution prevention that mitigate heap corruption exploits like out-of-bounds writes in V8.
SC-18 restricts or verifies mobile code technologies like JavaScript in browsers, reducing the attack surface for crafted HTML pages exploiting V8 vulnerabilities.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Vulnerability in Chrome's V8 engine enables heap corruption via crafted HTML page, facilitating drive-by compromise (T1189) and exploitation for client execution (T1203).
NVD Description
Inappropriate implementation in V8 in Google Chrome prior to 142.0.7444.166 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
Deeper analysisAI
CVE-2025-13042 involves an inappropriate implementation in the V8 JavaScript engine within Google Chrome prior to version 142.0.7444.166. This vulnerability enables a remote attacker to potentially exploit heap corruption via a crafted HTML page. It is associated with CWE-787 (Out-of-bounds Write) and carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H), classified as High severity by Chromium security. The issue was published on 2025-11-12.
A remote attacker without privileges can exploit this over the network with low complexity, though it requires user interaction, such as convincing a user to load a malicious HTML page in an affected browser. Successful exploitation could lead to high impacts on confidentiality, integrity, and availability through heap corruption.
Google addressed the vulnerability in Chrome stable channel update to version 142.0.7444.166. Mitigation requires updating to this version or later. Further details are provided in the Chrome Releases announcement at https://chromereleases.googleblog.com/2025/11/stable-channel-update-for-desktop_11.html and the Chromium issue tracker at https://issues.chromium.org/issues/457351015.
Details
- CWE(s)