Zero-Day Exploit in Chrome V8 Engine (CVE-2025-10585)
- November 18, 2025
- Posted by: Chernor Jalloh
THREAT SUMMARY
Google has released urgent security updates for the Chrome browser to patch CVE-2025-10585, a zero-day type confusion vulnerability in Chrome’s V8 JavaScript and WebAssembly engine. The flaw is already being actively exploited in the wild, posing a severe risk of remote code execution (RCE) and program crashes. This marks the sixth Chrome zero-day of 2025, underscoring the persistent targeting of widely used browsers by threat actors.
TECHNICAL DETAILS
• Vulnerability ID: CVE-2025-10585
• Vulnerability Type: Type confusion in V8 JavaScript & WebAssembly engine
• Impact: Arbitrary code execution, browser crashes, possible system compromise
• Discovery: Reported by Google Threat Analysis Group (TAG) on September 16, 2025
• Exploitation: Confirmed active exploitation in the wild
• Related Zero-Days in 2025: CVE-2025-2783, CVE-2025-4664, CVE-2025-5419, CVE-2025-6554, CVE-2025-6558
AFFECTED VERSIONS
• Google Chrome (all platforms) before:
o Windows & macOS: 140.0.7339.185/.186
o Linux: 140.0.7339.185
• Other Chromium-based browsers (Microsoft Edge, Brave, Opera, Vivaldi) may also be affected until vendors release updates.
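The version thresholds above can be checked against a software inventory. The following is an added example, not part of the original advisory: the inventory rows, host names and function names are constructed for illustration. Versions are compared numerically, part by part, because a plain string comparison would rank 140.0.7339.99 above 140.0.7339.185.

```python
import re

# First patched Chrome build per platform, as stated in the advisory.
FIXED_CHROME = {
    "windows": (140, 0, 7339, 185),
    "macos": (140, 0, 7339, 185),
    "linux": (140, 0, 7339, 185),
}
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)$")

def parse_version(text):
    """Return a 4-tuple of ints, or None if not a four-part version."""
    m = VERSION_RE.match(text.strip())
    return tuple(int(p) for p in m.groups()) if m else None

def assess(browser, platform, version):
    """Classify one inventory row as 'vulnerable', 'patched' or 'review'."""
    parsed = parse_version(version)
    if parsed is None:
        return "review"  # unparseable version string: needs a manual look
    if browser.lower() != "chrome":
        # The advisory lists no fixed builds for other Chromium-based
        # browsers, so these rows are routed to the vendor's own advisory.
        return "review"
    fixed = FIXED_CHROME.get(platform.lower())
    if fixed is None:
        return "review"  # platform not covered by the table above
    # Tuple comparison is numeric and left to right.
    return "vulnerable" if parsed < fixed else "patched"

# Constructed sample inventory: (host, browser, platform, version).
SAMPLE_INVENTORY = [
    ("ws-001", "Chrome", "Windows", "140.0.7339.186"),
    ("ws-002", "Chrome", "Windows", "140.0.7339.127"),
    ("mac-07", "Chrome", "macOS", "139.0.7258.155"),
    ("lnx-12", "Chrome", "Linux", "140.0.7339.185"),
    ("ws-030", "Edge", "Windows", "140.0.3485.54"),
    ("ws-031", "Chrome", "Windows", "unknown"),
]

def triage(inventory):
    """Group host names by assessment result."""
    result = {"vulnerable": [], "patched": [], "review": []}
    for host, browser, platform, version in inventory:
        result[assess(browser, platform, version)].append(host)
    return result
```

Hosts in the "review" group are not cleared: they need the vendor's fixed version or a corrected inventory record before they can be classified.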
RECOMMENDED ACTIONS
1. Update Chrome Immediately
o Navigate to More > Help > About Google Chrome > Relaunch to ensure the latest patch is applied.
2. Apply Updates on Chromium-Based Browsers once fixes are available.
3. Restart browsers and systems after updating to clear any exploited processes.
4. Enable automatic updates where possible to stay ahead of new threats.
5. Monitor security advisories for updates on exploitation details and patch status.
SL-CSIRT