Google has issued an emergency patch to address a high-severity, zero-day exploit targeting the desktop version of its Chrome browser.
As PCMag reports, the vulnerability, dubbed CVE-2025-13223, “exists in the wild,” Google says, which suggests that Google has evidence the flaw has already been used.
Google discovered a “type confusion” flaw in Chrome’s V8 JavaScript engine, where the software mistakenly uses one type of programming resource as another. This can enable a hacker to corrupt the software’s memory and execute malicious computer code.
The National Institute of Standards and Technology (NIST) adds that the flaw “allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.” This suggests the hackers were circulating the attack through malicious websites or phishing emails.
Although details about the threat are vague, the company credited the discovery to Clément Lecigne, a Google security researcher who has investigated cyber threats from state-sponsored hackers and commercial surveillance companies. Lecigne reported the flaw to the company on Nov. 12, and Google issued the emergency fix.
For Windows, the patch is arriving via version 142.0.7444.175/.176. For Mac, it’ll arrive as 142.0.7444.176, and for Linux, it’s 142.0.7444.175.
The Chrome browser can download the update automatically; you just have to relaunch the software to fully install the patch. To update manually, go to Settings > About Chrome > Relaunch, or visit Google’s support page on downloading the patches.
Microsoft also released a fix for the Edge browser, which uses Google’s Chromium. That version number is 142.0.3595.90.
—
Photo Credit: FOXARTBOX / Shutterstock.com