Google patches worrying Chrome zero-day flaw being exploited in the wild - here's how to stay safe


  • Google patches Chrome zero-day CVE-2025-13223 in V8 engine
  • Bug enabled arbitrary code execution, likely exploited by state-sponsored threat actors
  • Users should update Chrome to version 142.0.7444.175/.176 across platforms

Google has patched a worrying security flaw in its Chrome browser that was being abused in the wild as a zero-day.

In a new security advisory, Google said it fixed a type confusion vulnerability in V8 which leads to arbitrary code execution. V8 is the browser’s JavaScript and WebAssembly engine - essentially the “brain” that reads, compiles, and executes JavaScript and WASM code in web pages.

The vulnerability is now tracked as CVE-2025-13223 and has a severity score of 8.8/10 (high). "Type Confusion in V8 in Google Chrome prior to 142.0.7444.175 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page," the National Vulnerability Database (NVD) said in its explainer.

Fixing the problem

As reported by The Hacker News, the bug was first discovered by a security researcher from Google’s Threat Analysis Group (TAG), who did not disclose the identities of either the attackers or the victims.

However, we know from previous reports that Google’s TAG team usually monitors state-sponsored threat actors, so it’s safe to assume that this bug was being leveraged by actors such as North Korea, China, Russia, or Iran. Both Lazarus Group (North Korea) and APT29 (Russia) have been observed abusing Chrome’s flaws in the past.

This is the third type confusion bug found in V8 this year, The Hacker News added, after CVE-2025-6554 and CVE-2025-10585.

Since, by default, Google updates the browser automatically the next time it’s launched, users are most likely not required to do anything. However, if automatic updates are turned off, make sure to bring the browser to versions 142.0.7444.175/.176 for Windows, 142.0.7444.176 for Apple macOS, and 142.0.7444.175 for Linux.

To check the version of Chrome you’re running, navigate to More > Help > About Google Chrome and select Relaunch.
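For admins checking more than one machine, the sketch below is an added example (not from Google or the original article) that compares reported Chrome versions against the fixed builds listed above. The inventory format, host names and sample versions are constructed for illustration; the comparison is numeric per component, because a plain string comparison would rank ".99" above ".175".

```python
import re

# Fixed builds per platform, as listed in the article for CVE-2025-13223.
# Windows ships as .175/.176, so .175 is the minimum patched build there.
FIXED = {
    "windows": (142, 0, 7444, 175),
    "macos": (142, 0, 7444, 176),
    "linux": (142, 0, 7444, 175),
}
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Extract a four-part version from text such as
    'Google Chrome 142.0.7444.162'; return None if none is present."""
    m = VERSION_RE.search(text)
    return tuple(int(p) for p in m.groups()) if m else None


def is_patched(platform, version_text):
    """True if at or above the fixed build, False if older,
    None if the platform or version cannot be determined."""
    fixed = FIXED.get(platform.lower())
    version = parse_version(version_text)
    if fixed is None or version is None:
        return None
    return version >= fixed  # tuples of ints compare numerically


def triage(inventory):
    """Return (host, verdict) for hosts that are not confirmed patched."""
    findings = []
    for host, platform, version_text in inventory:
        status = is_patched(platform, version_text)
        if status is not True:
            findings.append((host, "UNKNOWN" if status is None else "VULNERABLE"))
    return findings


# Constructed sample inventory: (host, platform, reported version string).
SAMPLE = [
    ("ws-01", "windows", "Google Chrome 142.0.7444.175"),
    ("ws-02", "windows", "Google Chrome 142.0.7444.99"),
    ("mac-01", "macos", "Google Chrome 142.0.7444.175"),  # below macOS fix
    ("lnx-01", "linux", "Google Chrome 141.0.7390.122"),
    ("lnx-02", "linux", "Google Chrome 143.0.7499.40"),
    ("ws-03", "windows", "version unavailable"),
]

if __name__ == "__main__":
    for host, verdict in triage(SAMPLE):
        print(f"{host}: {verdict}")
```

Hosts reported as UNKNOWN returned no parseable version and need a manual check rather than being assumed safe.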



Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
