Google has released an emergency security update for Chrome to fix two serious Type Confusion vulnerabilities in the V8 JavaScript engine. Notably, one of the two is a zero-day that has been actively exploited in the wild, allowing an attacker to execute arbitrary code simply by getting the user to visit a malicious website. This is considered a serious threat, especially to corporate environments and critical systems, as drive-by attacks are increasingly sophisticated and difficult to detect.

According to Google, the most dangerous vulnerability, CVE-2025-13223, was discovered by the Threat Analysis Group (TAG) while monitoring targeted attacks. The flaw occurs when V8 mishandles an object's data type, causing it to misinterpret memory and corrupt the heap. In a browser environment, this condition can be exploited to take control of the execution flow, paving the way for arbitrary code execution on the victim's system.
Of particular concern is that CVE-2025-13223 has been exploited in the wild. The user only has to visit a prepared malicious website for the exploit chain to be triggered, with no further action required. This makes the vulnerability especially dangerous, as it is difficult for victims to recognize that they are being attacked.
The second vulnerability, CVE-2025-13224, is also a Type Confusion bug in V8 and was rated as serious. There is currently no evidence that it has been exploited; however, because its characteristics are similar to those of bugs that have led to code execution in the past, Google still recommends that users update immediately to eliminate the potential risk.
To reduce the risk of exploitation, Google is temporarily withholding the technical details of the two vulnerabilities. This is common practice in handling zero-days, intended to prevent attackers from analyzing the patches to develop new exploits. The update is rolling out in stages, but Google recommends updating manually rather than waiting for the automatic mechanism.
The continued emergence of Type Confusion vulnerabilities in V8 suggests that the web browser remains a prime target for sophisticated attack groups. In that context, timely software updates remain the simplest yet most effective way to protect systems from zero-day threats.