Google has released an emergency security update to fix the seventh Chrome zero-day vulnerability exploited in attacks this year.
"Google is aware that an exploit for CVE-2025-13223 exists in the wild," the search giant warned in a security advisory published on Monday.
This high-severity vulnerability is caused by a type confusion weakness in Chrome's V8 JavaScript engine, reported last week by Clement Lecigne of Google's Threat Analysis Group. Google TAG frequently flags zero-day exploits by government-sponsored threat groups in spyware campaigns targeting high-risk individuals, including journalists, opposition politicians, and dissidents.
Google fixed the zero-day flaw with the release of 142.0.7444.175/.176 for Windows, 142.0.7444.176 for Mac, and 142.0.7444.175 for Linux.
While these new versions are scheduled to roll out to all users in the Stable Desktop channel over the coming weeks, the patch was immediately available when BleepingComputer checked for the latest updates.
Although the Chrome web browser updates automatically when security patches are available, users can also confirm they're running the latest version by going to Chrome menu > Help > About Google Chrome, letting the update finish, and then clicking on the 'Relaunch' button to install it.
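For administrators checking many machines rather than one, the following added example (not from Google or the original article) compares reported Chrome versions against the fixed builds listed above. The inventory format, platform keys, host names, and status labels are assumptions made for illustration.

```python
import re

# Minimum fixed build per platform, taken from the article text.
FIXED = {
    "windows": (142, 0, 7444, 175),  # shipped as .175/.176
    "mac": (142, 0, 7444, 176),
    "linux": (142, 0, 7444, 175),
}

# Chrome versions are four dot-separated integers; search() also accepts
# strings such as "Google Chrome 142.0.7444.175".
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Return the version as a tuple of ints, or None if none is found."""
    match = _VERSION_RE.search(text)
    return tuple(int(part) for part in match.groups()) if match else None


def classify(platform, version_text):
    """Return 'patched', 'needs_update', or 'unknown' for one install."""
    fixed = FIXED.get(platform.strip().lower())
    version = parse_version(version_text)
    if fixed is None or version is None:
        return "unknown"
    # Tuple comparison is numeric per component, so build 59 sorts below
    # build 175 (a plain string comparison would get this wrong).
    return "patched" if version >= fixed else "needs_update"


def audit(inventory):
    """Map each (host, platform, version) row to (host, status)."""
    return [(host, classify(plat, ver)) for host, plat, ver in inventory]


# Constructed sample inventory (hypothetical hosts, not real data).
SAMPLE_INVENTORY = [
    ("ws-001", "windows", "142.0.7444.176"),
    ("mb-014", "mac", "142.0.7444.175"),
    ("lx-203", "linux", "Google Chrome 142.0.7444.59"),
    ("kiosk-7", "linux", "not installed"),
]

if __name__ == "__main__":
    for host, status in audit(SAMPLE_INVENTORY):
        print(f"{host}: {status}")
```

Hosts reported as `unknown` should be checked by hand rather than assumed to be up to date.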
Although Google has already confirmed that CVE-2025-13223 was used in attacks, it has yet to share additional details regarding active exploitation.
"Access to bug details and links may be kept restricted until a majority of users are updated with a fix," Google said. "We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven't yet fixed."
This is the seventh Chrome zero-day exploited in attacks that was fixed by Google this year, with six more patched in March, May, June, July, and September.
In September and July, it addressed two actively exploited zero-days (CVE-2025-10585 and CVE-2025-6558) reported by Google TAG researchers.