Introduction
Google has urgently released a security update to address a critical zero-day vulnerability (CVE-2025-10585) in its Chrome web browser, the sixth Chrome zero-day actively exploited in 2025. The flaw, rooted in Chrome’s V8 JavaScript engine, was already being leveraged in real-world attacks when Google’s Threat Analysis Group (TAG) discovered it. This report expands on the initial coverage by providing technical context, incident progression, and recommendations for users and organizations.
The core issue, CVE-2025-10585, is a type confusion vulnerability in the V8 JavaScript engine. Type confusion bugs occur when the browser misidentifies the type of an object at runtime, potentially causing memory corruption. Attackers can exploit this flaw to manipulate internal memory structures, which may result in:
Access to detailed technical information remains restricted, minimizing risk of further abuse before widespread patch adoption.
The flaw impacts Chrome users on Windows, macOS, and Linux. There is no documented evidence of exploitation against mobile or Chromium-based browsers outside the listed desktop environments at this time.
Notably, Google TAG has previously observed these types of flaws leveraged in targeted espionage and surveillance campaigns, particularly those attributed to government-backed actors aiming at journalists, political activists, and dissidents.
Google responded with immediate deployment of fixed versions. Users should upgrade Chrome to version 140.0.7339.185/.186 or later. For those who have not received the automatic update, navigating to Chrome’s menu > Help > About Google Chrome and triggering a restart will apply the patch.
Chrome’s automatic update mechanism is typically effective, but those requiring urgent mitigation should verify their browser version manually.
Google continues restricting full technical details and public exploit samples until the majority of users are protected and third-party dependencies are patched, following its coordinated vulnerability disclosure policies.
CVE-2025-10585 is the sixth zero-day vulnerability actively exploited against Chrome in 2025, highlighting the persistent targeting of Chrome users by threat actors:
This continued pattern emphasizes the attractiveness of browser exploitation as an avenue for both cybercrime and nation-state operations.
The V8 JavaScript engine is central to Chrome’s performance and security, processing all client-side scripting on websites. Its complexity, efficiency, and integration with other browser components make it a high-value target for attackers. Type confusion vulnerabilities are historically responsible for many serious browser security incidents due to the challenge in preventing incorrect type assignments and associated memory errors.
Google’s Threat Analysis Group has played a lead role in both discovering these threats and attributing them to advanced persistent threat actors, often with links to surveillanceware distribution and government operations.
Table 1: Recent Chrome Zero-Day Exploits in 2025

| CVE ID | Date Patched | Vulnerability Type | Attack Outcome | Reporter/Discoverer |
|---|---|---|---|---|
| CVE-2025-10585 | Sep 17, 2025 | Type confusion (V8) | Arbitrary code execution | Google TAG |
| CVE-2025-6558 | July 2025 | Sandbox escape | Code execution outside sandbox | Google TAG |
| CVE-2025-4664 | May 2025 | Privilege escalation | Account hijacking | Google TAG |
| CVE-2025-5419 | June 2025 | Out-of-bounds read/write (V8) | System compromise | Google TAG |
| CVE-2025-2783 | March 2025 | Sandbox escape | Espionage, targeted attacks | Kaspersky |
Table 2: Relevant Chrome Version Information

| Platform | Patched Version |
|---|---|
| Windows | 140.0.7339.185/.186 |
| macOS | 140.0.7339.185/.186 |
| Linux | 140.0.7339.185 |
SUPPORTING DOCUMENTATION