Google has released an emergency security update to fix a new zero-day vulnerability in its Chrome web browser, marking the sixth actively exploited flaw patched this year.
The Vulnerability
- The flaw, tracked as CVE-2025-10585, is a type-confusion bug in the V8 JavaScript engine.
- It was discovered and reported by Google’s Threat Analysis Group (TAG).
- Google confirmed that an exploit is already being used in real-world attacks, though details remain restricted until users have widely applied the patch.
Security Update
- Fixed versions:
- 140.0.7339.185/.186 for Windows and macOS
- 140.0.7339.185 for Linux
- The update is rolling out through the Stable Desktop channel and will be available to all users over the coming days.
- Chrome typically updates automatically, but users are urged to manually check via Menu → Help → About Google Chrome and relaunch to ensure protection.
Zero-Days in 2025
This latest fix adds to a growing list of Chrome zero-days exploited this year:
- CVE-2025-2783 – sandbox escape (March), used in espionage against Russian organizations.
- CVE-2025-4664 – account hijacking vulnerability (May).
- CVE-2025-5419 – out-of-bounds read/write in V8 (June).
- CVE-2025-6558 – sandbox escape flaw (July).
- CVE-2025-10585 – type-confusion in V8 (September).
In 2024, Google patched 10 additional zero-day flaws, several of which were demonstrated at hacking contests like Pwn2Own or seen in active attacks.
What Users Should Do
- Update immediately to the latest Chrome version.
- Ensure automatic updates are enabled.
- Stay alert for follow-up security advisories from Google once more details are disclosed.
Google emphasized that it is actively working to protect users against targeted exploitation and will continue to provide fixes as vulnerabilities are discovered.
