CISA adds one known exploited vulnerability to catalog
The Cybersecurity and Infrastructure Security Agency (CISA) has updated its Known Exploited Vulnerabilities (KEV) Catalog with a new entry affecting the Google Chromium V8 engine, identifying a type confusion vulnerability that poses elevated risk to affected systems.
This update documents CVE-2025-13223, a type confusion flaw in the Google Chromium V8 component. The vulnerability affects specific versions of the software, as detailed by CISA, and is triggered under certain conditions related to code execution paths within the V8 JavaScript engine. The catalog entry identifies the flaw as type confusion, distinguishing it from the other vulnerability types listed there.
Exploitation of this vulnerability may enable unauthorized actions within compromised environments, reflecting the security concerns associated with type confusion faults in widely used browser engines.
Remediation for the vulnerability involves applying vendor-supplied patches or updates addressing CVE-2025-13223, as provided by Google and documented in the advisory. CISA’s catalog listing serves to inform entities managing affected assets of the need for timely mitigation.
Binding Operational Directive (BOD) 22-01 requires Federal Civilian Executive Branch agencies to remediate vulnerabilities identified in the KEV Catalog by specified deadlines to reduce exposure to active cyber threats. Although this directive applies to federal agencies, CISA recommends that all organizations incorporate these cataloged vulnerabilities into their vulnerability management strategies and prioritize prompt remediation where feasible. CISA continues to monitor and add vulnerabilities meeting its established criteria to the catalog to support cybersecurity defenses.