The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning about a high-severity zero-day vulnerability in Google Chrome that is being actively exploited in attacks.
The vulnerability, tracked as CVE-2025-10585, has been added to CISA’s Known Exploited Vulnerabilities (KEV) catalog, signaling an urgent need for users and administrators to take action.
Google has confirmed it is aware that an exploit for this flaw exists in the wild and has released security updates to address the threat.
Understanding the V8 Type Confusion Flaw
The vulnerability is a type confusion weakness in Chrome’s V8 JavaScript and WebAssembly engine. A type confusion flaw (CWE-843) occurs when code accesses an object using a type that does not match the object’s actual type, so the underlying data is misinterpreted.
This can lead to memory corruption, which an attacker can leverage to crash the browser or, more critically, execute arbitrary code on the affected system.
The flaw was discovered and reported by Google’s own Threat Analysis Group (TAG) on September 16, 2025.
Google has not disclosed technical details about the specific attacks or the threat actors involved. Withholding such details is standard practice: it limits wider exploitation until users have had a chance to apply the necessary patches.
This marks the sixth Chrome zero-day vulnerability that has been actively exploited in 2025, highlighting a persistent trend of attackers targeting browser vulnerabilities.
In 2025, Google addressed multiple zero-day vulnerabilities in its Chrome web browser that were actively exploited in the wild. These flaws required urgent updates to protect users from potential attacks.
The table below details the Chrome zero-day vulnerabilities that have been discovered and patched throughout the year.
| CVE ID | Vulnerability Type | Description | Exploited in the Wild |
|---|---|---|---|
| CVE-2025-10585 | Type Confusion | A type confusion flaw in the V8 JavaScript engine that could be exploited via a malicious webpage. | Yes |
| CVE-2025-6558 | Improper Input Validation | Insufficient validation of untrusted input in the ANGLE and GPU components, allowing a remote attacker to perform a sandbox escape. | Yes |
| CVE-2025-6554 | Type Confusion | A type confusion vulnerability in the V8 JavaScript and WebAssembly engine, which could allow an attacker to perform arbitrary read/write operations. | Yes |
| CVE-2025-5419 | Out-of-Bounds Access | An out-of-bounds read and write vulnerability in the V8 engine that could allow memory corruption by visiting a crafted webpage. | Yes |
| CVE-2025-2783 | Sandbox Bypass | A critical vulnerability that allows for bypassing Chrome’s sandbox protection. | Yes |
| CVE-2025-4664 | Insufficient Policy Enforcement | Addressed by Google as a zero-day, but it is unclear whether it was actively exploited in malicious attacks. | Unclear |
CISA Directive and Recommended Actions
In response to the active exploitation, CISA has directed Federal Civilian Executive Branch (FCEB) agencies to apply the necessary security updates by October 14, 2025, in accordance with Binding Operational Directive (BOD) 22-01.
While this directive is mandatory for federal agencies, CISA strongly urges all organizations and individual users to prioritize patching their systems to defend against potential attacks.
To mitigate the vulnerability, users should update their Chrome browser to the latest version:
- Windows and macOS: 140.0.7339.185/.186
- Linux: 140.0.7339.185
Users can initiate the update by navigating to Chrome’s menu, selecting “Help,” and then “About Google Chrome,” which will trigger an automatic check for and installation of the latest version.
Users of other Chromium-based browsers, such as Microsoft Edge, Brave, Opera, and Vivaldi, are also advised to apply security updates as soon as they become available from their respective vendors.
Enabling automatic updates is highly recommended to ensure prompt protection against future threats.
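For administrators who need to confirm the patch landed across a Linux fleet, the following script (an added example, not from the article or from Google) compares the version reported by the local Chrome binary against the fixed Linux build named above, 140.0.7339.185, field by field rather than as a plain string. It assumes the binary is invoked as `google-chrome`; the sample version strings inside the functions' tests are constructed.

```shell
#!/bin/sh
# Added example: verify an installed Chrome build is at or above the Linux
# fixed version for CVE-2025-10585 (140.0.7339.185, from the advisory above).
# Assumption: the browser binary is "google-chrome" on PATH.
FIXED_VERSION="140.0.7339.185"

# version_ge A B: exit 0 if dotted version A >= B, comparing numeric fields.
# A missing trailing field counts as 0, so "140.0.7339" < "140.0.7339.185".
version_ge() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        x="${a%%.*}"; y="${b%%.*}"
        [ -z "$x" ] && x=0
        [ -z "$y" ] && y=0
        [ "$x" -gt "$y" ] && return 0
        [ "$x" -lt "$y" ] && return 1
        # drop the leading field (and its dot) from each string
        case "$a" in *.*) a="${a#*.}";; *) a="";; esac
        case "$b" in *.*) b="${b#*.}";; *) b="";; esac
    done
    return 0
}

# extract_version "Google Chrome 140.0.7339.185" -> 140.0.7339.185
# Takes the first dotted numeric token on the first matching line.
extract_version() {
    printf '%s\n' "$1" | sed -n 's/[^0-9.]*\([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# check_version_string "<output of google-chrome --version>"
# exit 0 = patched, 1 = update needed, 2 = no version found in the string
check_version_string() {
    v="$(extract_version "$1")"
    [ -n "$v" ] || return 2
    version_ge "$v" "$FIXED_VERSION"
}

# Run the check against the locally installed browser, if present.
if command -v google-chrome >/dev/null 2>&1; then
    out="$(google-chrome --version 2>/dev/null || true)"
    if check_version_string "$out"; then
        echo "OK: '$out' is at or above $FIXED_VERSION"
    else
        echo "UPDATE NEEDED: '$out' is below $FIXED_VERSION (CVE-2025-10585)"
    fi
fi
```

The same comparison applies to other Chromium-based browsers once their vendors publish a fixed build; only the binary name and FIXED_VERSION change.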