Google Patches Critical Chrome Zero-Day Flaw (CVE-2025-10585)

Summary

– Google has released a security update for Chrome to fix a zero-day vulnerability (CVE-2025-10585) that is actively being exploited.
– The vulnerability is a type confusion flaw in Chrome’s V8 JavaScript and WebAssembly engine, similar to a previous issue fixed this year.
– Google’s Threat Analysis Group discovered the flaw, indicating it is likely being used by state-sponsored threat actors in targeted attacks.
– The fix is included in Chrome versions 140.0.7339.185/.186 for Windows/Mac and 140.0.7339.185 for Linux, along with three other high-severity vulnerabilities.
– Users should manually update if automatic updates are disabled, and developers of other Chromium-based browsers are expected to release patches soon.

Google has issued a critical security update for its Chrome browser to address a newly discovered zero-day vulnerability, identified as CVE-2025-10585. This flaw, actively exploited in the wild, was reported by Google’s internal Threat Analysis Group and has prompted an urgent patch release.

The vulnerability is classified as a type confusion issue within Chrome’s V8 engine, which handles JavaScript and WebAssembly execution. This marks the second such vulnerability in V8 patched this year, following the earlier CVE-2025-6554. While technical specifics remain undisclosed, a standard practice to prevent further exploitation, the involvement of Google’s elite Threat Analysis Group strongly suggests the bug has been leveraged by state-sponsored threat actors in targeted attacks.

Fixed versions include Chrome v140.0.7339.185/.186 for Windows and macOS, and v140.0.7339.185 for Linux. The update also resolves three additional high-severity vulnerabilities, one of which was identified by Google’s AI-powered bug detection system, Big Sleep.

Users who do not have automatic updates enabled should manually install the latest version and restart the browser to ensure protection. Those using other Chromium-based browsers, such as Edge, Brave, Opera, or Vivaldi, should watch for imminent updates from their respective developers and apply them promptly once available.
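For teams checking many machines rather than one, the version check described above can be run over inventory data. The following is an added example, not code from Google or the original article. The record layout, host names and sample version strings are constructed, and it assumes any Chrome build numerically at or above the fixed build carries the patch.

```python
import re

# Minimum patched Chrome build per platform, as stated in the article.
FIXED = {
    "windows": (140, 0, 7339, 185),
    "macos": (140, 0, 7339, 185),
    "linux": (140, 0, 7339, 185),
}
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")

def parse_version(text):
    """Extract a four-part build from strings like 'Google Chrome 140.0.7339.185'."""
    m = VERSION_RE.search(text)
    return tuple(int(part) for part in m.groups()) if m else None

def classify(browser, platform, version_text):
    """Return 'patched', 'vulnerable' or 'unknown' for one inventory record."""
    if browser.lower() != "chrome":
        # Edge, Brave, Opera, Vivaldi use their own version numbers; the
        # article gives no fixed build for them, so do not guess.
        return "unknown"
    fixed = FIXED.get(platform.lower())
    version = parse_version(version_text)
    if fixed is None or version is None:
        return "unknown"
    # Compare as integer tuples: a plain string comparison would rank
    # '140.0.7339.81' above '140.0.7339.185' and hide a vulnerable host.
    return "patched" if version >= fixed else "vulnerable"

def audit(records):
    """Map each host to its status."""
    return {host: classify(b, p, v) for host, b, p, v in records}

# Constructed sample inventory: (host, browser, platform, reported version)
SAMPLE = [
    ("ws-01", "Chrome", "windows", "Google Chrome 140.0.7339.186"),
    ("ws-02", "Chrome", "windows", "140.0.7339.81"),
    ("mac-01", "Chrome", "macos", "Google Chrome 139.0.7258.66"),
    ("lnx-01", "Chrome", "linux", "Google Chrome 140.0.7339.185"),
    ("ws-03", "Edge", "windows", "140.0.3485.66"),
    ("ws-04", "Chrome", "windows", "not installed"),
]

if __name__ == "__main__":
    for host, status in audit(SAMPLE).items():
        print(f"{host}: {status}")
```

Hosts reported as `unknown` need a manual check against the relevant browser vendor's release notes.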

(Source: HelpNet Security)