
Google has released an emergency security update for its Chrome browser to address a high-severity zero-day vulnerability, designated CVE-2025-10585, which is confirmed to be under active exploitation [1]. This marks the sixth such zero-day patched in Chrome since the beginning of the year, highlighting a sustained campaign of attacks targeting the world’s most popular web browser. The update, versions 140.0.7339.185/.186 for Windows and macOS and 140.0.7339.185 for Linux, also resolves three other high-severity flaws [2]. The consistent discovery of these vulnerabilities by Google’s internal Threat Analysis Group (TAG) points to their use in sophisticated, likely state-sponsored, attacks.
The vulnerability, a type confusion issue in the V8 JavaScript and WebAssembly engine, was reported by Google’s TAG on September 16, 2025 [1]. Type confusion vulnerabilities occur when code passes a resource of one type to a function that expects a different type, potentially leading to unexpected behavior, browser crashes, or arbitrary code execution. A successful exploit could allow an attacker to escape the browser’s critical security sandbox, granting them the ability to run code on the host operating system. Users are urged to manually trigger an update by navigating to `Help > About Google Chrome` and restarting the browser to apply the patch, which is rolling out globally over the coming days.
**TL;DR: Executive Summary**
* **Event:** Google released an emergency patch for CVE-2025-10585, a zero-day vulnerability in Chrome’s V8 engine being actively exploited.
* **Context:** This is the sixth Chrome zero-day patched in 2025, continuing a pattern of in-the-wild attacks.
* **Technical Risk:** The type confusion flaw can lead to sandbox escape and remote code execution.
* **Action Required:** Immediate update to Chrome version 140.0.7339.185/.186 or later is the primary mitigation.
* **Broader Implication:** The repeated discovery by Google TAG suggests these exploits are used in targeted campaigns against high-value targets.
Technical Analysis of CVE-2025-10585
CVE-2025-10585 is a type confusion vulnerability within the V8 JavaScript engine, the core component responsible for executing JavaScript code in Chrome and other Chromium-based browsers. Type confusion is a common memory corruption class of vulnerability in languages like C++ that underpin V8. It arises when an object is allocated or cast as one type but is later used as another, incompatible type. This can corrupt the program’s memory, allowing an attacker to manipulate data structures, read sensitive memory, or hijack the flow of execution. The specific attack vector likely involves a maliciously crafted HTML page that, when visited, executes JavaScript designed to trigger this type confusion condition, leading to a compromise of the renderer process and a potential sandbox escape.
The 2025 Chrome Zero-Day Timeline
The patching of CVE-2025-10585 continues a concerning trend for Chrome security in 2025. This vulnerability is the sixth zero-day exploited in attacks this year, following a consistent pattern of discoveries primarily by Google’s own Threat Analysis Group. The previous five vulnerabilities provide context for the current threat environment. The first, CVE-2025-2783, was a sandbox escape in the Mojo component exploited against Russian targets in March. This was followed by CVE-2025-4664, an insufficient policy enforcement issue in the Loader that enabled cross-origin data leakage in May.
Notably, two significant vulnerabilities were patched in July. CVE-2025-6554 was another type confusion flaw in the V8 engine. More critically, CVE-2025-6558 was an insufficient input validation vulnerability in the ANGLE graphics layer, which received a CVSS score of 8.8 [3]. This flaw was particularly severe as it allowed a remote attacker to perform a sandbox escape via a crafted HTML page by triggering out-of-bounds memory access through specially designed graphics calls. The discovery of multiple sandbox escape vulnerabilities in a single year is a serious concern, as the sandbox is a primary defense mechanism isolating browser activity from the rest of the system.
Additional Vulnerabilities Patched
The September emergency update also addressed three other high-severity vulnerabilities that, while not under active exploitation, represent significant risks. These include CVE-2025-10500, a use-after-free flaw in Dawn, a graphics abstraction layer; CVE-2025-10501, a use-after-free issue in WebRTC, which handles real-time communication; and CVE-2025-10502, a heap buffer overflow in ANGLE [2]. Use-after-free errors occur when a program continues to use a pointer after it has freed the associated memory, which can also lead to memory corruption and code execution. A heap buffer overflow happens when a program writes more data to a heap-allocated buffer than it can hold, overflowing into adjacent memory. These patches demonstrate Google’s ongoing effort to harden complex browser components that handle untrusted input.
Relevance and Remediation
For security professionals, the persistent emergence of Chrome zero-days necessitates a robust and responsive patch management strategy. The repeated involvement of Google TAG indicates these exploits are likely used in highly targeted attacks, potentially against organizations of strategic interest. System administrators should immediately prioritize the deployment of Chrome version 140.0.7339.185 or later across all enterprise workstations. The equivalent updates should also be applied to all Chromium-based browsers, including Microsoft Edge, Brave, Opera, and Vivaldi, as they share the same underlying codebase.
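An added example (not from the article or from Google) of the fleet check this remediation advice implies: it compares inventoried Chrome versions against the fixed build 140.0.7339.185 and routes the other Chromium-based browsers, whose fixed builds the article does not give, to manual review. The inventory, hostnames and the `Finding`, `classify`, `audit` and `needs_action` names are constructed for illustration.

```python
from collections import namedtuple

# Minimum fixed Chrome build named in the article.
FIXED_CHROME = (140, 0, 7339, 185)
# Chromium-based browsers the article names. Their fixed builds are not given
# on the page, so they are routed to manual review instead of being compared.
OTHER_CHROMIUM = {"edge", "brave", "opera", "vivaldi"}
Finding = namedtuple("Finding", "host browser version status")

def parse_version(text):
    """Parse 'MAJOR.MINOR.BUILD.PATCH' into a tuple of four ints."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdecimal() for p in parts):
        raise ValueError(f"not a four-part version: {text!r}")
    return tuple(int(p) for p in parts)

def classify(browser, version):
    name = browser.strip().lower()
    if name in OTHER_CHROMIUM:
        return "review"
    if name != "chrome":
        return "out-of-scope"
    try:
        parsed = parse_version(version)
    except ValueError:
        return "invalid"  # truncated or garbled agent data: fail closed
    # Numeric per-field comparison: as strings, ".99" would sort above ".185".
    return "patched" if parsed >= FIXED_CHROME else "vulnerable"

def audit(inventory):
    return [Finding(h, b, v, classify(b, v)) for h, b, v in inventory]

def needs_action(findings):
    """Hosts that are in scope and not confirmed patched."""
    return [f.host for f in findings if f.status in ("vulnerable", "review", "invalid")]

# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = [
    ("ws-001", "Chrome", "140.0.7339.186"),
    ("ws-002", "Chrome", "140.0.7339.99"),
    ("ws-003", "Chrome", "139.0.7258.155"),
    ("ws-004", "Edge", "140.0.3485.66"),
    ("ws-005", "Chrome", "140.0.7339"),
    ("lx-006", "Chrome", "140.0.7339.185"),
]

if __name__ == "__main__":
    for f in audit(SAMPLE_INVENTORY):
        print(f"{f.host:8} {f.browser:8} {f.version:16} {f.status}")
```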
Threat intelligence researchers should note the pattern of vulnerabilities, with a focus on the V8 engine and graphics components like ANGLE. Monitoring for exploits or discussions related to these specific CVEs can provide early warning of broader campaigns. Furthermore, the rapid inclusion of previous Chrome zero-days like CVE-2025-5419 into CISA’s Known Exploited Vulnerabilities (KEV) catalog underscores the official recognition of their threat level [4]. Organizations, especially those in government or critical infrastructure, are mandated to patch KEV-listed vulnerabilities within strict timelines.
Conclusion
The disclosure of CVE-2025-10585 and the five preceding Chrome zero-days in 2025 paints a clear picture of a sustained offensive against the browser. The technical nature of these flaws—often enabling sandbox escape—points to actors with significant resources and expertise. For defenders, this reinforces the non-negotiable requirement of maintaining aggressive update cycles for all client software, especially browsers. The continued success of Google’s TAG in discovering these in-the-wild exploits is a positive sign for detection capabilities, but the high frequency of these events serves as a stark reminder of the constant attention required to maintain security in a complex software environment.
References
1. Google Patches Chrome Zero-Day Vulnerability CVE-2025-10585 Exploited in Attacks. (2025, September). The Hacker News.
2. Google Chrome 0-Day Vulnerability Exploited in the Wild – Update Now!. (2025, September). CyberSecurityNews.
3. A. Hashim, Google Fixes Actively Exploited Chrome Zero-Day Bug. Latest Hacking News.
4. Known Exploited Vulnerabilities Catalog. Cybersecurity and Infrastructure Security Agency.
5. Chrome Zero-Day Vulnerabilities (2025 Timeline & Analysis). The Cyber Security Hub™ on LinkedIn.
6. CVE-2025-5419: Chrome Zero-Day. Help Net Security.
7. CVE-2025-5419: Chrome Zero-Day. Authentic8 Cyber Intel Brief.