Chrome emergency update confirmed
dpa/picture alliance via Getty Images
Updated Nov. 19 with confirmation that America’s cyber defense agency has issued an update deadline for Chrome users given the severity of this new zero day.
Google has suddenly warned that attacks on Chrome are underway, issuing an emergency update for all desktop users. “Google is aware that an exploit for CVE-2025-13223 exists in the wild,” the company confirmed on Monday.
The vulnerability — a “Type Confusion in V8” — was discovered by Google’s own Threat Analysis Group last week. This fix has been rushed out, highlighting its seriousness.
That severity has now been underlined by America’s cyber defense agency mandating federal staff to update or to stop using Chrome. CISA added CVE-2025-13223 to its Known Exploited Vulnerability (KEV) catalog on Nov. 19, and has confirmed a Dec. 10 deadline for federal agency users to update or “discontinue use of the product.”
While CISA’s formal update order is only for federal staff, its mandate is “for the benefit of the cybersecurity community and network defenders—and to help every organization better manage vulnerabilities and keep pace with threat activity.”
As such, all Chrome users should update their browsers now. The update should download automatically, but you will need to restart your browser to ensure it installs and takes effect. Your regular tabs will reload, but your private “incognito” tabs will not.
Despite there being a lack of more details information on this latest zero day threat, the type of flaw can enable a remote attacker to destabilize a system or run their own arbitrary code to exfiltrate data or push malicious software onto a target device.
These types of flaws can also be chained with other vulnerabilities to provide an initial entry point to a device or the network on which that device sits.
Per NIST, this “Type Confusion in V8 in Google Chrome prior to 142.0.7444.175 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.” The vulnerability has been issued a high-severity rating.
As ever, Google also says “access to bug details and links may be kept restricted until a majority of users are updated with a fix. We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven’t yet fixed.”
The update brings Chrome’s stable channel up to 142.0.7444.175/.176 for Windows and 142.0.7444.176 for Mac. For Linux it’s 142.0.7444.175. While Google’s boilerplate says “roll out over the coming days/weeks,” you can expect the update today.
While Google Chrome zero days are a regular event, Google takes immense credit for the speed with which fixes are developed and deployed. It goes without saying that all users should update their browsers as soon as they see the restart flag.
