Google issued an extra patch for a security vulnerability in Chrome that is being actively exploited, and it’s urging users to update. The patch fixes two flaws in Chrome’s V8 engine, and for one of them Google says an exploit already exists in the wild.
Both issues are described as “type confusion” vulnerabilities in the V8 JavaScript engine. These occur when Chrome doesn’t verify the object type it’s handling and then uses it incorrectly. In other words, the browser mistakes one type of data for another—like treating a list as a single value or a number as text. That can cause unpredictable behavior and, in some cases, let attackers manipulate memory and run code remotely through crafted JavaScript on a malicious or compromised website.
So, these vulnerabilities lie in the part of Chrome you use the most: browsing. And since Chrome is by far the world’s most popular browser, with an estimated 3.4 billion users, that makes for a massive target. When Chrome has a security flaw that can be triggered just by visiting a website, billions of users are exposed until they update.
That’s why it’s important to install these patches promptly. Staying unpatched means you could be at risk just by browsing the web. Attackers often exploit these kinds of flaws before most users have a chance to update. Always let Chrome update itself, and don’t delay restarting it as updates usually fix exactly this kind of risk.
How to update Chrome
The latest version number is 144.0.7444.175/.176 for Windows, 144.0.7444.175 for Linux, and 144.0.7444.176 for macOS. So, if your Chrome is on version 144.0.7444.175 or later, it’s protected from these vulnerabilities.
The easiest way to update is to allow Chrome to update automatically, but you can end up lagging behind if you never close your browser or if something goes wrong—such as an extension stopping you from updating the browser.
To update manually, click the More menu (three dots), then go to Settings > About Chrome. If an update is available, Chrome will start downloading it. Restart Chrome to complete the update, and you’ll be protected against these vulnerabilities.
You can also find step-by-step instructions in our guide to how to update Chrome on every operating system.
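For anyone checking more than one machine, the version comparison above can be scripted. This is an added example, not part of the original article: the inventory format, host names and sample versions are constructed for illustration, and the per-platform fixed builds are the ones listed above.

```python
import re

# Fixed builds per platform, as listed in the article above.
FIXED = {
    "windows": (144, 0, 7444, 175),
    "linux": (144, 0, 7444, 175),
    "macos": (144, 0, 7444, 176),
}

VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Extract the four-part Chrome version from strings such as
    'Google Chrome 144.0.7444.175' and return it as a tuple of ints."""
    m = VERSION_RE.search(text)
    return tuple(int(p) for p in m.groups()) if m else None


def status(platform, version_text):
    """Return 'patched', 'vulnerable' or 'unknown' for one inventory record."""
    fixed = FIXED.get(platform.strip().lower())
    found = parse_version(version_text)
    if fixed is None or found is None:
        return "unknown"  # unrecognised platform or unparseable version
    # Tuples compare numerically, so .99 < .175 (a string compare gets this wrong).
    return "patched" if found >= fixed else "vulnerable"


def audit(inventory_csv):
    """Map host -> status for lines of 'host,platform,version string'."""
    results = {}
    for line in inventory_csv.strip().splitlines():
        host, platform, version_text = (f.strip() for f in line.split(",", 2))
        results[host] = status(platform, version_text)
    return results


# Constructed sample inventory (hosts and versions invented for illustration).
SAMPLE = """
ws-01,windows,Google Chrome 144.0.7444.176
ws-02,windows,Google Chrome 144.0.7444.99
mac-01,macos,Google Chrome 143.0.7000.10
lnx-01,linux,Google Chrome 144.0.7444.175
lnx-02,linux,not installed
"""

if __name__ == "__main__":
    for host, state in audit(SAMPLE).items():
        print(f"{host}: {state}")
```

Hosts reported as "unknown" need a manual look, since the version string could not be read or the platform is not in the table.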

2025 exploited zero-days in Chrome
Public reporting indicates that Chrome has seen at least seven zero-days exploited in 2025, several of them in the V8 JavaScript engine and some linked to targeted espionage.
So, 2025 has been a relatively busy year for Chrome zero‑days.
In March, a sandbox escape tracked as CVE‑2025‑2783 showed up in espionage operations against Russian targets.
May brought more bad news: an account‑hijacking flaw (CVE‑2025‑4664), followed in June by multiple V8 issues (including CVE‑2025‑5419 and CVE‑2025‑6558) that let attackers run code in the browser and in some cases hop over the sandbox boundary.
September added a V8 type‑confusion bug (CVE‑2025‑10585) serious enough to justify another out‑of‑band patch.
And with this latest update, Google has patched CVE-2025-13223, reported by Google’s Threat Analysis Group (TAG), which focuses on spyware and nation-state attackers who regularly use zero-days for espionage.
If we’re lucky, this update will close out 2025’s run of Chrome zero-days.




