Google Chrome’s V8 JavaScript engine is affected by a critical type confusion zero-day vulnerability, designated CVE-2025-10585, the sixth actively exploited Chrome zero-day discovered in 2025.
This high-severity flaw, with an estimated CVSS 3.1 score of 8.8, enables remote code execution through memory corruption that bypasses Chrome’s sandbox protections.
The vulnerability lies in Chrome’s V8 JavaScript engine: a type confusion attack manipulates the optimization assumptions made by the TurboFan just-in-time (JIT) compiler.
Security researchers have confirmed active exploitation campaigns targeting cryptocurrency wallets and conducting espionage operations, with threat actors leveraging the flaw to execute arbitrary shellcode and escape Chrome’s renderer process sandbox.
V8 Type Confusion Mechanism
Type confusion vulnerabilities in V8 represent one of the most sophisticated attack vectors against modern browsers.
The CVE-2025-10585 flaw exploits Chrome’s performance optimization systems by corrupting the inline cache (IC) mechanism during JavaScript object property access.
NullSecurityX stated that the vulnerability manifests when malicious JavaScript code creates specially crafted Proxy objects that deceive V8’s type inference system.
During TurboFan compilation, the engine makes critical assumptions about object types based on runtime feedback.
Attackers can subvert these assumptions by implementing custom getter functions that return unexpected data types, causing the compiler to generate incorrect memory access patterns.
The technical exploitation chain begins with creating a JavaScript object containing a Symbol.toPrimitive handler that returns an array when V8 expects a primitive number.
When the ToNumber() conversion operation is invoked repeatedly (typically through arithmetic operations), V8’s Maglev and TurboFan compilers optimize the code path based on incorrect type assumptions.

This code demonstrates how attackers can manipulate V8’s type system to achieve memory corruption.
The vulnerability allows construction of “addrof” and “fakeobj” primitives, essential building blocks for advanced exploitation techniques including return-oriented programming (ROP) chain construction.
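The mechanism described above hinges on the Symbol.toPrimitive hook that V8 calls during ToNumber() conversion. The following added example (not code from the article, from NullSecurityX, or from the V8 project) shows that hook being driven by repeated arithmetic, and what a spec-conforming engine must do when the hook hands back a non-primitive such as an array: reject it with a TypeError. That rejection is the invariant the JIT has to preserve on the hot, already-optimized path; the function and variable names are constructed for illustration.

```javascript
// Added example (not from the original report): how a Symbol.toPrimitive
// hook participates in ToNumber(), and what a spec-conforming engine does
// when the hook returns a non-primitive. Names here are constructed.

// Build an object whose Symbol.toPrimitive hook records every call and returns
// whatever `produce` yields for the given hint ("number", "string", "default")
// and call count.
function makePrimitiveHook(produce) {
  const calls = [];
  const obj = {
    [Symbol.toPrimitive](hint) {
      calls.push(hint);
      return produce(hint, calls.length);
    },
  };
  return { obj, calls };
}

// Run `iterations` arithmetic conversions against the hook, the same kind of
// repeated ToNumber() path the article describes. Returns how many times the
// hook ran, the distinct hints it saw, the running sum, and the TypeError
// message if the engine rejected a non-primitive return value.
function exerciseToNumber(produce, iterations) {
  const { obj, calls } = makePrimitiveHook(produce);
  let sum = 0;
  let rejected = null;
  for (let i = 0; i < iterations; i++) {
    try {
      sum += +obj; // unary plus -> ToNumber -> ToPrimitive with hint "number"
    } catch (e) {
      rejected = e instanceof TypeError ? e.message : String(e);
      break;
    }
  }
  return { hookCalls: calls.length, hints: [...new Set(calls)], sum, rejected };
}

// Well-behaved hook: always returns a primitive number.
const wellBehaved = exerciseToNumber(() => 1, 1000);

// Hook that returns a number 99 times and then an array on the 100th call.
// ToPrimitive is required to throw a TypeError for any non-primitive result,
// so a correct engine stops here instead of treating the array as a number.
const misbehaving = exerciseToNumber((hint, n) => (n === 100 ? [1] : 1), 1000);
```

Running the block in a current engine gives `wellBehaved.hookCalls === 1000` with no rejection, while `misbehaving` stops at the 100th call with a TypeError and a sum of 99. The security-relevant point is that the type check happens at every conversion, regardless of how many earlier calls returned a number; a compiler that drops that check on the optimized path is exactly the failure mode the article attributes to CVE-2025-10585.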
| Risk Factors | Details |
| --- | --- |
| Affected Products | Google Chrome < 140.0.7339.185 (Windows/Linux/macOS); Chromium-based browsers (Edge, Brave, Opera, etc.) |
| Impact | Remote Code Execution |
| Exploit Prerequisites | User visits a malicious web page; JavaScript enabled; JIT optimizations active |
| CVSS 3.1 Score | 8.8 (High) |
Exploitation Impact
The attack chain typically begins with social engineering techniques, directing victims to malicious websites containing the exploitation code.
Threat intelligence reports indicate sophisticated actors are chaining this vulnerability with privilege escalation exploits to install persistent malware, steal cryptocurrency private keys, and conduct targeted surveillance operations.
The vulnerability’s network-based attack vector requires only that users visit a compromised website, making it particularly dangerous for widespread exploitation.
Google’s Threat Analysis Group has attributed some exploitation activities to commercial spyware vendors and nation-state actors, highlighting the vulnerability’s strategic value for intelligence operations.
The flaw enables attackers to bypass Chrome’s multi-process architecture and site isolation features, traditionally considered robust defensive mechanisms.
Cryptocurrency security firms have reported wallet drainage attacks specifically targeting Chrome users, with stolen funds traced to addresses associated with known cybercriminal organizations.
These attacks demonstrate the practical financial impact of the vulnerability beyond traditional espionage applications.
The vulnerability affects all Chrome versions prior to 140.0.7339.185 across Windows, macOS, and Linux platforms, as well as Chromium-based browsers, including Microsoft Edge, Brave, and Opera.
Google has released emergency patches addressing the flaw, with automatic updates already deployed to most Chrome installations worldwide.
Organizations should monitor network traffic for suspicious patterns associated with type confusion exploitation techniques and implement application whitelisting where feasible.
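The most concrete defensive action the article supports is confirming that every Chrome or Chromium-based install has reached 140.0.7339.185. The following added example (not code from the article or from Google) triages a browser inventory against that fixed build: it parses dotted version strings, compares them segment by segment, pulls the Chromium build out of User-Agent strings (Edge, Brave and Opera all keep a `Chrome/x.y.z.w` token), and handles the one edge case that makes UA-based checks unreliable: Chrome's reduced User-Agent reports only the major version (`Chrome/140.0.0.0`), so a 140.x install cannot be confirmed patched from the UA alone. Host names and UA strings below are constructed sample data.

```javascript
// Added example (not from the original article or from Google): flag
// Chrome/Chromium installs reporting a version below the fixed build named in
// the article, 140.0.7339.185. Host names and UA strings are constructed.

const FIXED_VERSION = "140.0.7339.185"; // first patched release per the article

// Parse a dotted version string into an array of integers.
// Returns null for anything that is not purely numeric dotted segments.
function parseVersion(str) {
  if (typeof str !== "string" || !/^\d+(\.\d+)*$/.test(str.trim())) return null;
  return str.trim().split(".").map(Number);
}

// Compare two parsed versions segment by segment; missing trailing segments
// count as 0, so "140.0" equals "140.0.0.0". Returns -1, 0 or 1.
function compareVersions(a, b) {
  const n = Math.max(a.length, b.length);
  for (let i = 0; i < n; i++) {
    const x = a[i] ?? 0;
    const y = b[i] ?? 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Pull the Chromium build version out of a User-Agent string. Chromium-based
// browsers keep a "Chrome/x.y.z.w" token alongside their own (e.g. "Edg/"),
// so this token is the right one to compare for all of them.
function chromiumVersionFromUA(ua) {
  const m = /Chrome\/(\d+(?:\.\d+)*)/.exec(ua);
  return m ? m[1] : null;
}

// Classify a reported version against the fixed build.
// Reduced User-Agent strings carry only the major version ("140.0.0.0"), so
// with that shape only the major can be trusted: a lower major is vulnerable,
// a higher major is patched, the same major cannot be decided from the UA.
function classifyVersion(versionStr) {
  const v = parseVersion(versionStr);
  if (v === null) return "unknown";
  const fixed = parseVersion(FIXED_VERSION);
  const reduced = v.length === 4 && v[1] === 0 && v[2] === 0 && v[3] === 0;
  if (reduced) {
    if (v[0] < fixed[0]) return "vulnerable";
    if (v[0] > fixed[0]) return "patched";
    return "indeterminate";
  }
  return compareVersions(v, fixed) < 0 ? "vulnerable" : "patched";
}

// Walk an inventory of { host, userAgent } records and bucket the hosts.
function triageInventory(records) {
  const result = { vulnerable: [], patched: [], indeterminate: [], unknown: [] };
  for (const { host, userAgent } of records) {
    result[classifyVersion(chromiumVersionFromUA(userAgent))].push(host);
  }
  return result;
}

// Constructed sample inventory (not real hosts or telemetry).
const SAMPLE_INVENTORY = [
  { host: "ws-01", userAgent: "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/139.0.7258.155 Safari/537.36" },
  { host: "ws-02", userAgent: "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/140.0.7339.185 Safari/537.36" },
  { host: "ws-03", userAgent: "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/140.0.7339.80 Safari/537.36 Edg/140.0.0.0" },
  { host: "ws-04", userAgent: "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.4 Safari/605.1.15" },
  { host: "ws-05", userAgent: "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/141.0.7390.1 Safari/537.36" },
  { host: "ws-06", userAgent: "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/140.0.0.0 Safari/537.36" },
];

const TRIAGE = triageInventory(SAMPLE_INVENTORY);
```

On the sample data, `ws-01` and `ws-03` land in `vulnerable`, `ws-06` is `indeterminate`, and `ws-04` (no Chromium token) is `unknown`. The `indeterminate` bucket is the one to act on: for those hosts the full build number has to come from endpoint management or the browser's own version reporting, not from web server logs, since the reduced UA cannot distinguish 140.0.7339.80 from 140.0.7339.185.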