Google has released a critical security update for the Chrome browser, addressing four high-severity vulnerabilities, including a zero-day flaw that is already being exploited in the wild.
The actively targeted vulnerability, tracked as CVE-2025-10585, is a type confusion bug in the V8 JavaScript engine, and was discovered by Google's own Threat Analysis Group (TAG) just a day before the fix was issued.
According to the security bulletin published yesterday, the issue affects Chrome users on Windows, macOS, and Linux, and has been resolved in version 140.0.7339.185/.186. While technical details remain restricted to prevent further exploitation, the flaw's classification and location suggest significant security risks, especially given V8's central role in processing and executing JavaScript code within Chrome.
CVE-2025-10585, being a type confusion issue, means the vulnerability stems from the JavaScript engine misidentifying the type of an object during runtime. This kind of error can lead to memory corruption, which attackers can potentially manipulate to execute arbitrary code. When exploited effectively, such flaws can allow attackers to bypass the browser's security sandbox or even take full control of a system if chained with other vulnerabilities.
The latest update also addresses three additional high-severity bugs:
- CVE-2025-10500: A use-after-free flaw in Dawn, a graphics abstraction layer, reported by security researcher Gyujeong Jin (Giunash) on August 3.
- CVE-2025-10501: A use-after-free in WebRTC, responsible for real-time communications in Chrome, submitted by sherkito on August 23.
- CVE-2025-10502: A heap buffer overflow in ANGLE, Chrome's rendering engine component, discovered by Google's Big Sleep team on August 12.
This marks the sixth zero-day vulnerability in Chrome to be exploited in the wild and fixed by Google in 2025, continuing a concerning trend of frequent high-profile security incidents. Previous cases this year involved similarly critical flaws, including CVE-2025-6558, another zero-day discovered by TAG in July that allowed threat actors to escape Chrome's sandbox, and CVE-2025-4664, patched in May, which enabled attackers to compromise user accounts. In June, Google fixed CVE-2025-5419, an out-of-bounds read/write bug in V8, also found by TAG, and CVE-2025-6554, another V8 type confusion bug reported by Google TAG in late June. March saw CVE-2025-2783, a sandbox escape exploited in espionage campaigns against Russian government entities, reported by Kaspersky.
Users are strongly advised to update Chrome to the latest stable version without delay. To perform the update manually, head to Settings > About Chrome and allow the program to check for available updates. A restart will be required for the update to apply.
Leave a Reply