CVE-2025-13223
Published: 17 November 2025
Summary
CVE-2025-13223 is a high-severity Type Confusion (CWE-843) vulnerability in Google Chrome. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Drive-by Compromise (T1189); ranked in the top 13.7% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-16 (Memory Protection).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Requires timely identification, reporting, and remediation of flaws such as CVE-2025-13223 by applying the Chrome update to version 142.0.7444.175.
Memory protection mechanisms like ASLR and DEP directly mitigate heap corruption exploitation from type confusion vulnerabilities in the V8 engine.
Vulnerability scanning identifies systems running vulnerable Google Chrome versions prior to 142.0.7444.175, enabling targeted remediation.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The vulnerability is a type confusion in Chrome's V8 engine exploited via crafted HTML pages on malicious websites, enabling drive-by compromise (T1189) and exploitation for client execution (T1203) in the browser renderer process.
NVD Description
Type Confusion in V8 in Google Chrome prior to 142.0.7444.175 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
Deeper analysisAI
CVE-2025-13223 is a type confusion vulnerability in the V8 JavaScript and WebAssembly engine within Google Chrome versions prior to 142.0.7444.175. The flaw, classified under CWE-843, enables heap corruption when processing a crafted HTML page. Chromium rates its security severity as High, with a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H), indicating high impacts on confidentiality, integrity, and availability.
A remote attacker can exploit this vulnerability by tricking a user into visiting a malicious website or opening a crafted HTML page. No special privileges are required, and the attack has low complexity, though it relies on user interaction. Successful exploitation could allow arbitrary read/write access to heap memory, potentially leading to remote code execution within the browser's renderer process.
Google's stable channel update for desktop, detailed in the Chrome Releases blog, addresses the issue by upgrading to version 142.0.7444.175. The Chromium issue tracker (issues.chromium.org/issues/460017370) provides further technical details. The vulnerability is listed in CISA's Known Exploited Vulnerabilities catalog, indicating active exploitation in the wild.
Security practitioners should prioritize updating Google Chrome to at least version 142.0.7444.175 and advise users to avoid untrusted websites, as this flaw has been observed in real-world attacks.
Details
- CWE(s)
- KEV Date Added
- 19 November 2025