Google Chrome: Attacks on vulnerability underway, update now
A security vulnerability in Google Chrome is already being exploited on the internet. Users should ensure they install the update.
Malicious actors are exploiting a high-risk security vulnerability in the popular web browser Chrome. Google is releasing an out-of-band update to fix the vulnerability. Chrome users should install the update promptly.
Google warns of this in the update announcement. As usual, the company is not providing details, only a general description: it is a “type confusion” vulnerability in the V8 JavaScript engine (CVE-2025-13223). In a type confusion, the data types used do not match each other, which can lead to memory access outside intended boundaries. According to the vulnerability description, attackers can provoke heap corruption with carefully crafted websites, which in this case evidently leads to the execution of injected code. A CVSS vector is also available: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. It leads to a CVSS score of 8.8, corresponding to a risk of “high” and narrowly missing the “critical” rating. Google does not elaborate on how the attacks work or their extent.
The updated browser version also patches another security vulnerability. This is another type confusion vulnerability in the V8 JavaScript engine. The attack vector is identical to that of the already exploited vulnerability and leads to a CVSS score of 8.8, risk “high,” for CVE-2025-13224.
Updated browser version patches security vulnerabilities
Google is fixing the security vulnerabilities in Chrome versions 142.0.7444.175 for Linux, 142.0.7444.176 for macOS, and 142.0.7444.175/.176 for Windows. You can check if they are already installed via the version dialog.
You can access this by opening the browser settings menu by clicking on the three stacked dots to the right of the address bar. From there, go to “Help” and then “About Google Chrome.” This will show the currently running version and start the update process if a newer version is available. On Linux, the distribution's package manager is responsible for updates and should be used to search for them.
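For more than a handful of machines, the same check can be scripted against an inventory export. The following Python sketch is an added example, not part of the original article or of any Google tooling: it compares reported Chrome versions with the fixed builds named above, assuming that builds are ordered numerically and that later builds contain the fix. The hostnames and sample versions are constructed.

```python
import re

# Fixed builds named in the article, per platform. Windows ships .175/.176,
# so .175 is taken as the minimum patched build there.
FIXED = {
    "linux": (142, 0, 7444, 175),
    "macos": (142, 0, 7444, 176),
    "windows": (142, 0, 7444, 175),
}
VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\.(\d+)\b")


def parse_version(text):
    """Extract a four-part version from raw text such as the output of
    `google-chrome --version`. Returns a tuple of ints, or None."""
    m = VERSION_RE.search(text)
    return tuple(int(p) for p in m.groups()) if m else None


def status(platform, version_text):
    """Classify one record as 'patched', 'outdated' or 'unknown'."""
    fixed = FIXED.get(platform.strip().lower())
    version = parse_version(version_text)
    if fixed is None or version is None:
        return "unknown"  # never count unparseable data as patched
    # Tuples compare numerically per component; comparing the raw strings
    # would wrongly rank "142.0.7444.99" above "142.0.7444.175".
    return "patched" if version >= fixed else "outdated"


def audit(inventory):
    """Map each host in (host, platform, version_text) records to a status."""
    return {host: status(plat, ver) for host, plat, ver in inventory}


# Constructed sample inventory (hosts and versions are made up).
INVENTORY = [
    ("ws-01", "Windows", "142.0.7444.175"),
    ("ws-02", "Windows", "142.0.7444.99"),
    ("mac-01", "macOS", "142.0.7444.175"),
    ("lin-01", "Linux", "Google Chrome 142.0.7444.175 "),
    ("lin-02", "Linux", "not installed"),
]

if __name__ == "__main__":
    for host, result in audit(INVENTORY).items():
        print(f"{host}: {result}")
```

Hosts reported as `unknown` need a manual look, since a missing or malformed version string says nothing about the patch level.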
Other web browsers that use the Chromium code are likely to be updated shortly as well, as the vulnerability is probably present in them too. Therefore, users of Microsoft Edge, for example, should also regularly check the version dialog for available updates.
Most recently, Google had to fix an actively exploited vulnerability in Chrome in mid-September of this year. At that time, a vulnerability was also found in the V8 JavaScript engine.
(dmk)