Google has issued an out-of-band security update for Chrome on all platforms to address CVE-2025-0971, a critical zero-day vulnerability in the V8 JavaScript engine. The flaw is confirmed to be under active exploitation by threat actors in real-world attacks.


Technical Details


CVE-2025-0971 is a type confusion vulnerability in V8, Chrome's high-performance JavaScript and WebAssembly engine. Type confusion bugs occur when code treats an object as though it were of a different, incompatible type; the resulting reads and writes can land outside the object's real bounds, corrupting memory. The vulnerability can be triggered simply by visiting a specially crafted web page containing malicious JavaScript, with no additional user interaction required, which makes this a classic "drive-by" exploit.


Successful exploitation allows an attacker to achieve remote code execution (RCE) within the Chrome renderer process. Combined with a sandbox escape, an attacker could achieve full system compromise.


Affected Versions


All Chrome versions prior to 132.0.6834.110 are vulnerable. Google has pushed the update through Chrome's automatic update mechanism, but users should verify it manually by opening the Chrome settings help (About Chrome) page and confirming that the update has been applied.


Exploitation Details


Google's Threat Analysis Group (TAG) has attributed exploitation to a commercial spyware vendor. The zero-day was used in a limited, targeted "watering hole" campaign against journalists and civil society members in Southeast Asia. The exploit chain delivered a surveillance implant designed to exfiltrate browser-stored credentials, session cookies, and documents.


Mitigation


Update Chrome immediately to version 132.0.6834.110 or later. Enterprise administrators should force-push the update via Google Admin Console or MDM. Organizations running Chromium-based browsers including Microsoft Edge, Brave, and Opera should watch for corresponding patches.
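When auditing a fleet against this advisory, the check is whether each installed build is at or above 132.0.6834.110, and the comparison has to be numeric per component: a plain string comparison ranks 132.0.6834.83 above 132.0.6834.110 and would report a vulnerable build as patched. The script below is an added example, not part of the advisory or any Google tooling; it assumes a Linux install where the Chrome or Chromium binary is on PATH, and on any other platform the version banner can be fed to `is_patched()` directly.

```python
"""Check whether an installed Chrome build carries the CVE-2025-0971 fix."""
import re
import shutil
import subprocess
from typing import Optional, Tuple

# First fixed build named in the advisory.
PATCHED_VERSION = "132.0.6834.110"

# Chrome reports e.g. "Google Chrome 132.0.6834.83" or "Chromium 131.0.6778.204".
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Extract MAJOR.MINOR.BUILD.PATCH as an integer tuple from a version banner."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no Chrome version found in {text!r}")
    major, minor, build, patch = (int(p) for p in m.groups())
    return (major, minor, build, patch)


def is_patched(version_text: str, fixed: str = PATCHED_VERSION) -> bool:
    """True if the installed build is at or above the fixed build.

    Tuples of ints compare component-wise, so 132.0.6834.83 correctly
    sorts below 132.0.6834.110 (a string comparison would get this wrong).
    """
    return parse_version(version_text) >= parse_version(fixed)


def installed_chrome_version() -> Optional[str]:
    """Return the version banner of a Chrome/Chromium binary found on PATH, if any.

    Assumption: Linux-style binary names; Windows and macOS installs are not on PATH.
    """
    for exe in ("google-chrome", "google-chrome-stable", "chromium", "chromium-browser"):
        path = shutil.which(exe)
        if path:
            out = subprocess.run([path, "--version"], capture_output=True, text=True, timeout=10)
            return out.stdout.strip()
    return None


if __name__ == "__main__":
    banner = installed_chrome_version()
    if banner is None:
        print("no Chrome/Chromium binary found on PATH")
    else:
        status = "patched" if is_patched(banner) else "VULNERABLE to CVE-2025-0971"
        print(f"{banner}: {status}")
```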


Pattern of Exploitation


This marks the third actively exploited Chrome zero-day in the past six months. Prices on the private exploit market reportedly exceed $3 million for a full Chrome RCE-plus-sandbox-escape chain. Browser vendors are accelerating their patch cadence and increasing bug bounty payouts in response.