Google Issues Emergency Patch For Billions Of Chrome Users To Fix Actively Exploited 0-Day
The first vulnerability, labeled as CVE-2025-13223, is a type confusion flaw found in Chrome’s V8 JavaScript and WebAssembly engine. This kind of flaw occurs when a program treats data as a different type than intended, for example trying to use an integer as a character. In this case, it can allow a "remote attacker to potentially exploit heap corruption via a crafted HTML page."
While Google has already witnessed this zero-day being exploited in the wild, it’s still not divulging many details, as it’s hoping to minimize the damage that can stem from it. The company states that “access to bug details and links may be kept restricted until a majority of users are updated with a fix. We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven’t yet fixed.”

It’s thanks to the dedication of the company’s Threat Analysis Group (TAG) that this bug was discovered last week, which led to the fix that’s beginning to make its way to users.
The second vulnerability, dubbed CVE-2025-13224, also involves Type Confusion and works in much the same way as the first. This one was discovered using Google’s Big Sleep AI agent, and while there's no evidence that it's under active attack, it's still important to patch these kinds of flaws quickly.
Chrome will typically apply updates automatically; however, users should head to the settings panel and check for updates to ensure they’re running the most up-to-date version of the browser. You can do this by opening the "About" page in the Help menu. Folks running any of the Chromium-based browsers, such as Microsoft Edge, Brave Browser, or Opera, should likely do the same.