The vulnerability, tracked as CVE-2025-10585, has been added to CISA’s Known Exploited Vulnerabilities (KEV) catalog, signaling an urgent need for users and administrators to take action.
Google has confirmed it is aware that an exploit for this flaw exists in the wild and has released security updates to address the threat.
The vulnerability is a type confusion weakness within Chrome’s V8 JavaScript and WebAssembly engine. A type confusion flaw (CWE-843) occurs when a program attempts to access a resource with an incompatible type, causing it to misinterpret the data.
This can lead to memory corruption, which an attacker can leverage to crash the browser or, more critically, execute arbitrary code on the affected system.
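A minimal illustration of the CWE-843 pattern described above, added here as an example; it is not code from Chrome or V8 and does not reproduce CVE-2025-10585. The `value_t` type, the lookup table and all function names are constructed for the illustration: a tagged value is read through the wrong union member, and the hardened accessor checks the tag and the range first.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed miniature of a dynamically typed engine value: tag + payload. */
typedef enum { T_INT, T_DOUBLE } tag_t;
typedef struct {
    tag_t tag;
    union { int64_t i; double d; } as;   /* both members share the same bytes */
} value_t;

value_t make_int(int64_t n)   { value_t v = { .tag = T_INT,    .as.i = n }; return v; }
value_t make_double(double x) { value_t v = { .tag = T_DOUBLE, .as.d = x }; return v; }

#define TABLE_LEN 4
static const int table[TABLE_LEN] = { 10, 20, 30, 40 };

/* Confused path: assumes T_INT and never checks the tag, so a T_DOUBLE's
 * IEEE-754 bit pattern is read back as if it were an integer index. */
int64_t index_unchecked(value_t v) { return v.as.i; }

/* Would the index taken on the confused path fall outside table[]?
 * The out-of-bounds access itself is deliberately not performed. */
int unchecked_would_overrun(value_t v) {
    int64_t idx = index_unchecked(v);
    return idx < 0 || idx >= TABLE_LEN;
}

/* Hardened path: verify the tag, then the range, before touching memory.
 * Returns the element, or -1 on a type or range error. */
int table_get_checked(value_t v) {
    if (v.tag != T_INT) return -1;
    if (v.as.i < 0 || v.as.i >= TABLE_LEN) return -1;
    return table[v.as.i];
}

int main(void) {
    value_t ok = make_int(2), confused = make_double(1.0);
    printf("int 2:      checked=%d\n", table_get_checked(ok));
    printf("double 1.0: unchecked index=%lld overrun=%d checked=%d\n",
           (long long)index_unchecked(confused),
           unchecked_would_overrun(confused), table_get_checked(confused));
    return 0;
}
```

The double `0.0` has an all-zero bit pattern, so the confused path would read it as the in-range index 0; only the tag check rejects it, which is why a bounds check alone does not close this class of bug.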
The flaw was discovered and reported by Google’s own Threat Analysis Group (TAG) on September 16, 2025.
Google has not disclosed technical details about the specific attacks or the threat actors involved; this is standard practice to prevent wider exploitation before users have a chance to apply the necessary patches.
This marks the sixth Chrome zero-day vulnerability that has been actively exploited in 2025, highlighting a persistent trend of attackers targeting browser vulnerabilities.
In 2025, Google addressed multiple zero-day vulnerabilities in its Chrome web browser that were actively exploited in the wild. These flaws required urgent updates to protect users from potential attacks.
The table below details the Chrome zero-day vulnerabilities that have been discovered and patched throughout the year.
| CVE ID | Vulnerability Type | Description | Exploited in the Wild |
|---|---|---|---|
| CVE-2025-10585 | Type Confusion | A type confusion flaw in the V8 JavaScript engine that could be exploited via a malicious webpage. | Yes |
| CVE-2025-6558 | Improper Input Validation | Insufficient validation of untrusted input in the ANGLE and GPU components, allowing a remote attacker to perform a sandbox escape. | Yes |
| CVE-2025-6554 | Type Confusion | A type confusion vulnerability in the V8 JavaScript and WebAssembly engine, which could allow an attacker to perform arbitrary read/write operations. | Yes |
| CVE-2025-5419 | Out-of-Bounds Access | An out-of-bounds read and write vulnerability in the V8 engine that could allow memory corruption by visiting a crafted webpage. | Yes |
| CVE-2025-2783 | Sandbox Bypass | A critical vulnerability that allows for bypassing Chrome’s sandbox protection. | Yes |
| CVE-2025-4664 | Insufficient Policy Enforcement | This vulnerability was addressed by Google as a zero-day, but it is unclear if it was actively exploited in malicious attacks. | Unclear |
In response to the active exploitation, CISA has directed Federal Civilian Executive Branch (FCEB) agencies to apply the necessary security updates by October 14, 2025, in accordance with Binding Operational Directive (BOD) 22-01.
While this directive is mandatory for federal agencies, CISA strongly urges all organizations and individual users to prioritize patching their systems to defend against potential attacks.
To mitigate the vulnerability, users should update their Chrome browser to the latest version:
Users can initiate the update by navigating to Chrome’s menu, selecting “Help,” and then “About Google Chrome,” which will trigger an automatic check for and installation of the latest version.
Users of other Chromium-based browsers, such as Microsoft Edge, Brave, Opera, and Vivaldi, are also advised to apply security updates as soon as they become available from their respective vendors.
Enabling automatic updates is highly recommended to ensure prompt protection against future threats.
The post CISA Warns of Google Chrome 0-Day Vulnerability Exploited in Attacks appeared first on Cyber Security News.