
CISA Warns of Google Chrome 0-Day Vulnerability Exploited in Attacks

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning about a high-severity zero-day vulnerability in Google Chrome that is being actively exploited in attacks.

The vulnerability, tracked as CVE-2025-10585, has been added to CISA’s Known Exploited Vulnerabilities (KEV) catalog, signaling an urgent need for users and administrators to take action.

Google has confirmed it is aware that an exploit for this flaw exists in the wild and has released security updates to address the threat.

Understanding the V8 Type Confusion Flaw

The vulnerability is a type confusion weakness within Chrome’s V8 JavaScript and WebAssembly engine. A type confusion flaw (CWE-843) occurs when a program attempts to access a resource with an incompatible type, causing it to misinterpret the data.

This can lead to memory corruption, which an attacker can leverage to crash the browser or, more critically, execute arbitrary code on the affected system.

The flaw was discovered and reported by Google’s own Threat Analysis Group (TAG) on September 16, 2025.

Google has not disclosed technical details about the specific attacks or the threat actors involved; withholding such details is standard practice, intended to prevent wider exploitation before users have a chance to apply the necessary patches.

This marks the sixth Chrome zero-day vulnerability that has been actively exploited in 2025, highlighting a persistent trend of attackers targeting browser vulnerabilities.

In 2025, Google addressed multiple zero-day vulnerabilities in its Chrome web browser that were actively exploited in the wild. These flaws required urgent updates to protect users from potential attacks.

The table below details the Chrome zero-day vulnerabilities that have been discovered and patched throughout the year.

| CVE ID | Vulnerability Type | Description | Exploited in the Wild |
|---|---|---|---|
| CVE-2025-10585 | Type Confusion | A type confusion flaw in the V8 JavaScript engine that could be exploited via a malicious webpage. | Yes |
| CVE-2025-6558 | Improper Input Validation | Insufficient validation of untrusted input in the ANGLE and GPU components, allowing a remote attacker to perform a sandbox escape. | Yes |
| CVE-2025-6554 | Type Confusion | A type confusion vulnerability in the V8 JavaScript and WebAssembly engine, which could allow an attacker to perform arbitrary read/write operations. | Yes |
| CVE-2025-5419 | Out-of-Bounds Access | An out-of-bounds read and write vulnerability in the V8 engine that could allow memory corruption by visiting a crafted webpage. | Yes |
| CVE-2025-2783 | Sandbox Bypass | A critical vulnerability that allows for bypassing Chrome’s sandbox protection. | Yes |
| CVE-2025-4664 | Insufficient Policy Enforcement | Insufficient validation of untrusted input in the ANGLE and GPU components allows a remote attacker to perform a sandbox escape. | Unclear; addressed by Google as a zero-day, but it is not confirmed whether it was actively exploited in malicious attacks. |

In response to the active exploitation, CISA has directed Federal Civilian Executive Branch (FCEB) agencies to apply the necessary security updates by October 14, 2025, in accordance with Binding Operational Directive (BOD) 22-01.

While this directive is mandatory for federal agencies, CISA strongly urges all organizations and individual users to prioritize patching their systems to defend against potential attacks.

To mitigate the vulnerability, users should update their Chrome browser to the latest version:

  • Windows and macOS: 140.0.7339.185/.186
  • Linux: 140.0.7339.185

Users can initiate the update by navigating to Chrome’s menu, selecting “Help,” and then “About Google Chrome,” which will trigger an automatic check for and installation of the latest version.
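As an added example (not from the advisory, CISA, or Google), the following Python helper compares an inventory of installed Chrome versions against the fixed builds listed above and flags hosts that still need the update; the hostnames and version strings in the sample inventory are constructed.

```python
"""Triage an endpoint inventory against the Chrome builds that fix CVE-2025-10585.

The fixed builds come from the advisory above: 140.0.7339.185/.186 on
Windows and macOS, 140.0.7339.185 on Linux. The inventory is constructed
sample data, not output of any real tool.
"""
from __future__ import annotations

import re

# Minimum patched build per platform. Windows/macOS also ship .186, which
# compares higher than .185, so a single minimum per platform is sufficient.
FIXED_VERSIONS = {
    "windows": "140.0.7339.185",
    "mac": "140.0.7339.185",
    "linux": "140.0.7339.185",
}

# Constructed sample inventory: (hostname, platform, installed Chrome version).
SAMPLE_INVENTORY = [
    ("ws-01", "windows", "140.0.7339.186"),   # patched (.186 build)
    ("ws-02", "windows", "139.0.7258.155"),   # older major version
    ("srv-03", "linux", "140.0.7339.185"),    # exactly the fixed build
    ("mac-04", "mac", "140.0.7339.133"),      # same major, pre-fix build
    ("kiosk-05", "linux", "unknown"),         # unparsable version string
]


def parse_version(version: str) -> tuple[int, ...]:
    """Parse 'major.minor.build.patch' into a tuple that compares numerically.

    Raises ValueError for anything that is not four dotted integers, so a
    malformed inventory entry cannot silently compare as 'patched'.
    """
    match = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)\.(\d+)", version.strip())
    if not match:
        raise ValueError(f"unrecognised Chrome version: {version!r}")
    return tuple(int(part) for part in match.groups())


def is_patched(installed: str, platform: str) -> bool:
    """True when the installed build is at or above the fixed build for that platform."""
    fixed = FIXED_VERSIONS.get(platform.lower())
    if fixed is None:
        raise ValueError(f"unknown platform: {platform!r}")
    return parse_version(installed) >= parse_version(fixed)


def triage(inventory: list[tuple[str, str, str]]) -> list[str]:
    """Return hostnames that need the update or a manual check, in inventory order."""
    needs_action = []
    for host, platform, version in inventory:
        try:
            if not is_patched(version, platform):
                needs_action.append(host)
        except ValueError:
            # Unknown platform or malformed version: flag rather than assume safe.
            needs_action.append(host)
    return needs_action
```

Tuple comparison also treats any later release train (141.x and above) as patched, so the helper does not need updating for each new Chrome release.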

Users of other Chromium-based browsers, such as Microsoft Edge, Brave, Opera, and Vivaldi, are also advised to apply security updates as soon as they become available from their respective vendors.

Enabling automatic updates is highly recommended to ensure prompt protection against future threats.

The post CISA Warns of Google Chrome 0-Day Vulnerability Exploited in Attacks appeared first on Cyber Security News.