Google Patches Sixth Chrome Zero-Day Exploited in Attacks This Year — What You Need to Know

Google has released an emergency security update for Chrome to fix a newly discovered high-severity zero-day vulnerability in the V8 JavaScript engine identified as CVE-2025-10585. This kind of flaw is a type-confusion vulnerability and has been confirmed as actively exploited in the wild. This marks as the sixth Chrome zero-day confirmed as being actively exploited this year. Users are urged to update immediately.

What is the Vulnerability?

• Type: Type-confusion flaw in the V8 JavaScript engine.
• ID: CVE-2025-10585.
• Exploit status: Confirmed exploitation “in the wild” — attackers are actively or have actively used this bug.

What Google Did

• Released emergency patches for the Stable Desktop channel:
  • 140.0.7339.185/186 for Windows and macOS.
  • 140.0.7339.185 for Linux.
• Rolling updates are available now; users should update and relaunch Chrome to apply the patch.

Timeline of Zero-Days in 2025

• March 2025 — CVE-2025-2783: Sandbox escape actively exploited in espionage campaigns targeting government and media sectors.
• May 2025 — CVE-2025-4664: Exploit enabled account hijacking.
• June 2025 — CVE-2025-5419: Out-of-bounds read/write in V8 exploited.
• July 2025 — CVE-2025-6558: Sandbox escape flaw exploited in the wild.
• Earlier in 2025 — Another confirmed zero-day patch (details undisclosed due to sensitive exploitation context).
• September 2025 — CVE-2025-10585: Latest V8 JavaScript type-confusion vulnerability, actively exploited.

Why This Matters: The Bigger Picture

• This marks the sixth actively exploited Chrome zero-day this year, underscoring that modern browsers remain a prime target for attackers.
• Attackers are increasingly targeting the V8 engine and sandbox mechanisms, as flaws here provide a direct path to remote code execution and system compromise.
• Google typically delays full technical disclosure until patches have been widely applied, especially for bugs in shared libraries.

Threats & Risks

• Active exploitation means immediate risk to users and organizations.
• Because the bug resides in the JavaScript engine, attack vectors include:
  • Malicious web content.
  • Compromised legitimate sites.
  • Weaponized phishing links.
• Impacts may include:
  • Remote code execution.
  • Data theft and exfiltration.
  • Sandbox escape.
  • Persistent browser-based compromise.

Recommended Actions

1. Update Immediately — open Chrome → Menu → Help → About Google Chrome, wait for the update, then click “Relaunch.”
2. Verify Version — ensure your Chrome build is at or newer than the patched versions.
3. Limit Exposure — avoid visiting untrusted sites or clicking unknown links until patched.
4. Audit Extensions — disable or remove unnecessary extensions; ensure installed extensions are from trusted sources.
5. Apply Layered Defenses — use endpoint protection, browser hardening, and network controls.
6. Monitor — watch for abnormal browser activity or potential compromise indicators.

Conclusion

The recurrence of actively exploited Chrome zero-days highlights the browser’s central role in modern attack chains. Each new flaw is a reminder of how critical patch management is for enterprises and individuals alike. If you use Chrome, prioritize updating immediately and maintain a layered security posture.