Google has released an emergency security update to fix the seventh Chrome zero-day vulnerability exploited in attacks this year.
“Google is aware that an exploit for CVE-2025-13223 exists in the wild,” the search giant warned in a security advisorypublished on Monday.
This high-severity vulnerability is caused by a type confusion weakness in Chrome’s V8 JavaScript engine, reported last week by Clement Lecigne of Google’s Threat Analysis Group. Google TAG frequently flags zero-day exploits by government-sponsored threat groups in spyware campaigns targeting high-risk individuals, including journalists, opposition politicians, and dissidents.
Google fixed the zero-day flaw with the release of 142.0.7444.175/.176 for Windows, 142.0.7444.176 for Mac, and 142.0.7444.175 for Linux.
While these new versions are scheduled to roll out to all users in the Stable Desktop channel over the coming weeks, the patch was immediately available when BleepingComputer checked for the latest updates.
Although the Chrome web browser updates automatically when security patches are available, users can also confirm they’re running the latest version by going to Chrome menu > Help > About Google Chrome, letting the update finish, and then clicking on the ‘Relaunch’ button to install it.
Although Google has already confirmed that CVE-2025-13223 was used in attacks, it still has to share additional details regarding active exploitation.
“Access to bug details and links may be kept restricted until a majority of users are updated with a fix,” Google said. “We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven’t yet fixed.”
This is the seventh Chrome zero-day exploited in attacks that was fixed by Google this year, with six more patched in March, May, June, July, and September.
In September and July, it addressed two actively exploited zero-day (CVE-2025-10585 and CVE-2025-6558) reported by Google TAG researchers.
Google released additional emergency security updates in May to address a Chrome zero-day vulnerability (CVE-2025-4664) that enabled threat actors to hijack accounts. The updates also fixed an out-of-bounds read and a write flaw (CVE-2025-5419) in the V8 JavaScript engine discovered by Google TAG in June.
In March, Google also patched a high-severity sandbox escape flaw (CVE-2025-2783) reported by Kaspersky, which was exploited in espionage attacks against Russian media outlets and government organizations.
In 2024, Google addressed 10 more zero-day bugs that were demoed during Pwn2Own hacking competitions or exploited in attacks.
As MCP (Model Context Protocol) becomes the standard for connecting LLMs to tools and data, security teams are moving fast to keep these new services safe.
This free cheat sheet outlines 7 best practices you can start using today.