Google Chrome 0-Day Vulnerability Actively Exploited in the Wild

Google has released an emergency security update for its Chrome web browser to address a high-severity zero-day vulnerability that is being actively exploited in the wild.

Users are strongly urged to update their browsers immediately to protect against potential attacks. The vulnerability, tracked as CVE-2025-10585, is the latest in a series of zero-days discovered and patched in Chrome this year.

The new stable channel version has been updated to 140.0.7339.185/.186 for Windows and Mac, and 140.0.7339.185 for Linux.

Google has stated that the update will be rolling out to all users over the coming days and weeks. To mitigate the immediate threat, users should manually trigger the update process to ensure they are protected.

Zero-Day Vulnerability Exploited

The actively exploited vulnerability, CVE-2025-10585, is a type confusion flaw in V8, Chrome's JavaScript and WebAssembly engine.

Type confusion bugs occur when a program allocates a resource or object using one type but later accesses it with a different, incompatible type. This can lead to logical errors, memory corruption, and ultimately, arbitrary code execution.

A successful exploit could allow a remote attacker to escape the browser’s security sandbox by tricking a user into visiting a specially crafted, malicious webpage.

The vulnerability was reported on September 16, 2025, by Google’s own Threat Analysis Group (TAG), which typically finds zero-days being used in targeted attacks by sophisticated threat actors.

Other Vulnerabilities

In addition to the zero-day, this security update addresses three other high-severity vulnerabilities discovered by external security researchers.

The first, CVE-2025-10500, is a use-after-free vulnerability in Dawn, a graphics abstraction layer. The second, CVE-2025-10501, is also a use-after-free flaw, found in the WebRTC component, which enables real-time communication.

The third vulnerability, CVE-2025-10502, is a heap buffer overflow in ANGLE, a graphics engine translation layer. Use-after-free and heap overflow vulnerabilities can also lead to memory corruption and arbitrary code execution.

Google has awarded bug bounty payments of $15,000 and $10,000 for the discovery of two of these flaws.

Given the confirmation of active exploitation, the risk to unpatched systems is significant. All Google Chrome users on Windows, macOS, and Linux are advised to update their browsers to the latest version without delay.

To check your Chrome version and apply the update, navigate to the “Help” menu and select “About Google Chrome.” The browser will automatically check for and download the latest update, after which a restart will be required to apply the patch.
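For a fleet rather than a single machine, the same check can be scripted. The following is an added example, not code from the article or from Google: it parses the banner printed by `google-chrome --version` and compares it against the first fixed stable builds named above (140.0.7339.185 on all three platforms). The sample banners are constructed, and the binary name is an assumption that differs for Chromium or custom installs.

```python
"""Check whether an installed Chrome build carries the CVE-2025-10585 fix."""
import re
import subprocess

# First stable builds carrying the fix, as listed in the article.
# Keyed per platform so differing minimums can be expressed if needed.
FIXED_VERSIONS = {
    "windows": (140, 0, 7339, 185),
    "mac": (140, 0, 7339, 185),
    "linux": (140, 0, 7339, 185),
}

VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> tuple:
    """Extract a four-part version from a banner such as
    'Google Chrome 140.0.7339.185' (output of `google-chrome --version`)."""
    m = VERSION_RE.search(text)
    if m is None:
        raise ValueError(f"no Chrome version found in {text!r}")
    return tuple(int(part) for part in m.groups())


def is_patched(platform: str, version_text: str) -> bool:
    """True when the build is at or above the first fixed build for the platform.
    Tuples compare element-wise, so 140.0.7339.80 < 140.0.7339.185 as intended;
    a plain string comparison would get that wrong."""
    return parse_version(version_text) >= FIXED_VERSIONS[platform.lower()]


def installed_chrome_version(binary: str = "google-chrome") -> str:
    """Return the local browser's version banner (Linux/macOS).
    Assumes the binary is on PATH; this name is an assumption, adjust as needed."""
    proc = subprocess.run([binary, "--version"], capture_output=True,
                          text=True, check=True)
    return proc.stdout


if __name__ == "__main__":
    # Constructed sample banners, as an inventory script might collect them.
    samples = [
        ("linux", "Google Chrome 140.0.7339.185"),
        ("windows", "Google Chrome 140.0.7339.80"),
        ("mac", "Google Chrome 140.0.7339.186"),
    ]
    for plat, banner in samples:
        state = "patched" if is_patched(plat, banner) else "VULNERABLE - update now"
        print(f"{plat:8} {banner:32} {state}")
```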

Google is currently restricting access to the bug details and links related to CVE-2025-10585 to prevent further abuse while the patch is being rolled out to the majority of its user base.

About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.