Google Chrome 0-Day Vulnerability Actively Exploited in the Wild – Patch Now

Google has released an emergency security update for its Chrome web browser to address a high-severity zero-day vulnerability that is being actively exploited in the wild.

Users are strongly urged to update their browsers immediately to protect against potential attacks. The vulnerability, tracked as CVE-2025-10585, is the latest in a series of zero-days discovered and patched in Chrome this year.

The new stable channel version has been updated to 140.0.7339.185/.186 for Windows and Mac, and 140.0.7339.185 for Linux.

Google has stated that the update will be rolling out to all users over the coming days and weeks. To mitigate the immediate threat, users should manually trigger the update process to ensure they are protected.

Zero-Day Vulnerability Exploited

The actively exploited vulnerability, CVE-2025-10585, is a Type Confusion flaw in the V8 JavaScript and WebAssembly engine.

Type confusion bugs occur when a program allocates a resource or object using one type but later accesses it with a different, incompatible type. This can lead to logical errors, memory corruption, and ultimately, arbitrary code execution.

A successful exploit could allow a remote attacker to escape the browser’s security sandbox by tricking a user into visiting a specially crafted, malicious webpage.

The vulnerability was reported on September 16, 2025, by Google’s own Threat Analysis Group (TAG), which typically finds zero-days being used in targeted attacks by sophisticated threat actors.

Other Vulnerabilities

In addition to the zero-day, this security update addresses three other high-severity vulnerabilities discovered by external security researchers.

The first, CVE-2025-10500, is a use-after-free vulnerability in Dawn, a graphics abstraction layer. The second, CVE-2025-10501, is also a use-after-free flaw, found in the WebRTC component, which enables real-time communication.

The third vulnerability, CVE-2025-10502, is a heap buffer overflow in ANGLE, a graphics engine translation layer. Use-after-free and heap overflow vulnerabilities can also lead to memory corruption and arbitrary code execution.

Google has awarded bug bounty payments of $15,000 and $10,000 for the discovery of two of these flaws.

Given the confirmation of active exploitation, the risk to unpatched systems is significant. All Google Chrome users on Windows, macOS, and Linux are advised to update their browsers to the latest version without delay.

To check your Chrome version and apply the update, navigate to the “Help” menu and select “About Google Chrome.” The browser will automatically check for and download the latest update, after which a restart will be required to apply the patch.
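For administrators checking many machines rather than one browser, the sketch below is an added example (not from Google or the original article) that compares reported Chrome versions against the fixed build 140.0.7339.185 named above. The inventory format, host names and sample versions are constructed for illustration.

```python
import re

# Lowest fixed build stated in the article (Windows/Mac also ship .186).
PATCHED = (140, 0, 7339, 185)

# Four dot-separated numeric fields, as in "Google Chrome 140.0.7339.185".
VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\.(\d+)\b")

def parse_version(text):
    """Return the first four-part version in text as a tuple of ints, or None."""
    m = VERSION_RE.search(text)
    return tuple(int(p) for p in m.groups()) if m else None

def classify(text):
    """Compare numerically, field by field. A plain string comparison
    would wrongly rank build .99 above .185."""
    v = parse_version(text)
    if v is None:
        return "unknown"
    return "patched" if v >= PATCHED else "vulnerable"

def audit(inventory_lines):
    """Group hosts by status. Rows are 'host,platform,version text'
    (a hypothetical export format); blank and '#' lines are skipped."""
    report = {"patched": [], "vulnerable": [], "unknown": []}
    for line in inventory_lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, _platform, version_text = (line.split(",", 2) + ["", ""])[:3]
        report[classify(version_text)].append(host)
    return report

# Constructed sample inventory, not real data.
SAMPLE = """\
# host,platform,reported version
ws-001,windows,Google Chrome 140.0.7339.186
ws-014,windows,Google Chrome 140.0.7339.99
mac-007,mac,Google Chrome 140.0.7339.185
lnx-003,linux,Google Chrome 139.0.7258.154
lnx-009,linux,Google Chrome 141.0.7390.10
kiosk-02,linux,not installed
"""

if __name__ == "__main__":
    for status, hosts in audit(SAMPLE.splitlines()).items():
        print(f"{status}: {', '.join(hosts) or '-'}")
```

A version read from disk can be ahead of the running process: as the article notes, the patch only takes effect after the browser restarts.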

Google is currently restricting access to the bug details and links related to CVE-2025-10585 to prevent further abuse while the patch is being rolled out to the majority of its user base.

In 2025, Google patched several actively exploited zero-day vulnerabilities in its Chrome web browser, requiring users to update their software promptly to stay protected.

Chrome zero-day vulnerabilities that have been publicly disclosed and patched in 2025:

| CVE ID | Vulnerability Type | Description | Exploited in the Wild |
|---|---|---|---|
| CVE-2025-10585 | Type Confusion | A type confusion flaw in the V8 JavaScript engine that could be exploited via a malicious webpage. | Yes |
| CVE-2025-6558 | Improper Input Validation | Insufficient validation of untrusted input in the ANGLE and GPU components, allowing a remote attacker to perform a sandbox escape. | Yes |
| CVE-2025-6554 | Type Confusion | A type confusion vulnerability in the V8 JavaScript and WebAssembly engine, which could allow an attacker to perform arbitrary read/write operations. | Yes |
| CVE-2025-5419 | Out-of-Bounds Access | An out-of-bounds read and write vulnerability in the V8 engine that could allow memory corruption by visiting a crafted webpage. | Yes |
| CVE-2025-2783 | Sandbox Bypass | A critical vulnerability that allows for bypassing Chrome’s sandbox protection. | Yes |
| CVE-2025-4664 | Insufficient policy enforcement | This vulnerability was addressed by Google as a zero-day, but it is unclear if it was actively exploited in malicious attacks. | Yes |

The post Google Chrome 0-Day Vulnerability Actively Exploited in the Wild – Patch Now appeared first on Cyber Security News.
