About Chrome (V8 Bug 452296415 with CVE-2025-12036): updated to 141.0.7390.122/.123 for Windows and Mac and 141.0.7390.122 for Linux. (31-10-2025)

Preface: Type confusion is a vulnerability where a program accesses a resource using an incompatible type, leading to unexpected behavior or memory corruption. This often occurs when a program misinterprets the type of data being used, potentially leading to the execution of the wrong code or the disclosure of sensitive information. This can happen due to issues with type casting, memory layout mismatches, or speculative execution, and it’s a common foundation for various software attacks.

Background: V8 is Google’s open source high-performance JavaScript and WebAssembly engine, written in C++. It is used in Chrome and in Node.js, among others. V8 provides the core JavaScript execution environment that Node.js is built upon, which allows Node.js to execute JavaScript code outside the browser.

V8 is Google’s high-performance JavaScript engine used in Chrome and Node.js. It compiles JavaScript directly into machine code, optimizing execution through techniques like just-in-time (JIT) compilation. V8 uses multiple tiers of compilers (Ignition, Sparkplug, Maglev, TurboFan) and an efficient garbage collector to manage memory. Its design prioritizes speed and efficiency, making it a key component in modern web development.

Details of the flaw:

  • Vulnerability: The flaw (CVE-2025-12036) is a memory-related weakness in the V8 JavaScript engine.
  • Exploitation: Attackers can exploit this by creating a crafted web page with malicious JavaScript to execute arbitrary code in the browser’s renderer process.
  • Impact: Successful exploitation can lead to data exposure, sandbox escape, or privilege escalation.
  • Affected versions: Any Chrome version on Windows, macOS, or Linux prior to 141.0.7390.122/.123 is vulnerable.
  • Patch status: Google has released an urgent update to address this issue.
  • CVSS Score: The vulnerability has a CVSS score of 7.5, indicating high severity.
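
To check a fleet against the affected-versions line above, the following added example (not part of the original post or of any Google tooling) compares collected Chrome version strings with the fixed build 141.0.7390.122. The function names, hostnames and sample versions are assumptions constructed for illustration; the input is assumed to be whatever version string your inventory tooling reports per host.

```python
import re

# Lowest fixed build named on this page (141.0.7390.122 on Windows, Mac and Linux;
# Windows and Mac may also report .123).
FIXED_BUILD = (141, 0, 7390, 122)

_VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\.(\d+)\b")


def parse_version(text):
    """Extract a four-part version from e.g. 'Google Chrome 141.0.7390.107'.

    Returns a tuple of ints, or None when no version is present.
    """
    match = _VERSION_RE.search(text)
    return tuple(int(part) for part in match.groups()) if match else None


def is_vulnerable(version_text):
    """True if older than the fixed build, False if patched, None if unparseable."""
    version = parse_version(version_text)
    if version is None:
        return None
    # Tuple comparison is numeric per component, so build 99 sorts before 122.
    # A plain string comparison would wrongly rank "99" above "122".
    return version < FIXED_BUILD


def triage(inventory):
    """Group (host, version string) pairs into vulnerable / patched / unknown."""
    result = {"vulnerable": [], "patched": [], "unknown": []}
    for host, text in inventory:
        state = is_vulnerable(text)
        key = "unknown" if state is None else ("vulnerable" if state else "patched")
        result[key].append(host)
    return result


# Constructed sample inventory: hostnames and versions are made up for this example.
SAMPLE = [
    ("ws-01", "Google Chrome 141.0.7390.122"),
    ("ws-02", "Google Chrome 141.0.7390.99"),
    ("mac-01", "Google Chrome 141.0.7390.123"),
    ("lin-01", "Google Chrome 139.0.7258.66"),
    ("lin-02", "chrome not found"),
]

if __name__ == "__main__":
    for state, hosts in triage(SAMPLE).items():
        print(f"{state}: {', '.join(hosts) or '-'}")
```

Hosts that land in `unknown` need a manual look rather than being counted as patched.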

Official announcement: Please refer to the link for details –

https://chromereleases.googleblog.com/2025/10/stable-channel-update-for-desktop_21.html
