CVE-2025-13228
Published: 18 November 2025
Summary
CVE-2025-13228 is a high-severity Type Confusion (CWE-843) vulnerability in Google Chrome. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Drive-by Compromise (T1189); ranked at the 24.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and RA-5 (Vulnerability Monitoring and Scanning).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Requires timely patching of the type confusion vulnerability in Chrome's V8 JavaScript engine to eliminate the heap corruption risk from crafted HTML pages.
Enables vulnerability scanning to identify systems running vulnerable Chrome versions prior to 142.0.7444.59 affected by this V8 flaw.
Ensures receipt and dissemination of security advisories like the Chrome stable channel update addressing this high-severity type confusion vulnerability.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The vulnerability is a type confusion in Chrome's V8 engine exploitable via a crafted HTML page, enabling drive-by compromise (T1189) through malicious websites requiring user interaction and exploitation for client execution (T1203) in the browser renderer process.
NVD Description
Type Confusion in V8 in Google Chrome prior to 142.0.7444.59 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
Deeper analysisAI
CVE-2025-13228 is a type confusion vulnerability (CWE-843) in the V8 JavaScript engine within Google Chrome versions prior to 142.0.7444.59. This flaw enables a remote attacker to potentially trigger heap corruption by means of a crafted HTML page. The vulnerability carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) and is rated High severity by Chromium security standards.
A remote attacker can exploit this issue over the network with low complexity and no required privileges, though it necessitates user interaction, such as visiting a malicious site. Exploitation of the type confusion could result in heap corruption, leading to high-impact compromises of confidentiality, integrity, and availability, potentially allowing arbitrary code execution within the browser's renderer process.
Mitigation is provided in Google Chrome version 142.0.7444.59 and later stable channel updates. Security practitioners should prioritize updating affected systems. Additional details are available in the Chrome Releases stable channel update at https://chromereleases.googleblog.com/2025/10/stable-channel-update-for-desktop_28.html and the Chromium issue tracker at https://issues.chromium.org/issues/446124893.
Details
- CWE(s)