https://www.theregister.com/2025/11/18/google_chrome_seventh_0_day/
Seventh Chrome 0-day this year
Google pushed an emergency patch on Monday for a high-severity Chrome bug that attackers have already found and exploited in the wild.
The vulnerability, tracked as CVE-2025-13223, is a type confusion flaw in the V8 JavaScript engine, and it's the seventh Chrome zero-day this year. All have since been patched. But if you use Chrome as your web browser, make sure you are running the most recent version - or risk full system compromise.
This type of vulnerability happens when the engine misinterprets a block of memory as one type of object and treats it as something it's not. This can lead to system crashes and arbitrary code execution, and if it's chained with other bugs can potentially lead to a full system compromise via a crafted HTML page.
"Google is aware that an exploit for CVE-2025-13223 exists in the wild," the Monday security alert warned.
Also on Monday, Google issued a second emergency patch for another high-severity type confusion bug in Chrome's V8 engine. This one is tracked as CVE-2025-13224. As of now, there are no reports of exploitation - so that's another reason to update sooner rather than later.
Google's LLM-based bug hunting tool Big Sleep found CVE-2025-13224 in October, and a human - the Chocolate Factory's own Clément Lecigne - discovered CVE-2025-13223 on November 12.
Lecigne is a spyware hunter with Google's Threat Analysis Group (TAG) who is credited with finding and disclosing several of these types of Chrome zero-days. While we don't have any details about who is exploiting CVE-2025-13223 and what they are doing with the access, TAG tracks spyware and nation-state attackers abusing zero-days for espionage expeditions.
TAG also spotted the sixth Chrome bug exploited as a zero-day and patched in September. That flaw, CVE-2025-10585, was also a type confusion flaw in the V8 JavaScript and WebAssembly engine.
(Score: 3, Insightful) by Anonymous Coward on Friday November 21, @07:14PM (4 children)
Time to depreciate
(Score: 5, Interesting) by Anonymous Coward on Friday November 21, @07:43PM (1 child)
The whole concept of JavaScript in web browsers is completely insane.
"Let's write a program which automatically downloads and executes untrusted third party software from strangers on the internet. Then, we maintain a long list of rules describing all the things that this software is not allowed to do, so scoundrels won't be able to do anything nefarious."
"Don't worry, we've only had to update the list of rules over 9000 times already, but I'm sure that we've got it right this time and no further updates will be required."
(Score: 0) by Anonymous Coward on Sunday November 23, @08:35AM
https://lists.w3.org/Archives/Public/www-html/2002May/0021.html [w3.org]
Eventually the answer apparently was CSP: https://en.wikipedia.org/wiki/Content_Security_Policy [wikipedia.org]
(Score: 5, Funny) by turgid on Friday November 21, @10:17PM (1 child)
But web assembly!!!
I refuse to engage in a battle of wits with an unarmed opponent [wikipedia.org].
(Score: 5, Insightful) by krishnoid on Friday November 21, @11:32PM
Indeed! That also allows for much better permission control.
Warning: This webpage contains a script that wants to:
etc., etc.
(Score: 0) by Anonymous Coward on Saturday November 22, @06:23PM
No corporate browser should be kept on anything but a VERY short leash.