Google has released emergency security updates to patch a Chrome zero-day vulnerability, the sixth one tagged as exploited in attacks since the start of the year.
While it didn’t specifically say whether this security flaw is still being actively abused in the wild, the company warned that it has a public exploit, a common indicator of active exploitation.
“Google is aware that an exploit for CVE-2025-10585 exists in the wild,” Google warned in a security advisory published on Wednesday.
This high-severity zero-day vulnerability is caused by a type confusion weakness in the web browser’s V8 JavaScript engine, reported by Google’s Threat Analysis Group on Tuesday.
Google TAG frequently flags zero-days exploited by government-sponsored threat actors in targeted spyware campaigns against high-risk individuals, including but not limited to opposition politicians, dissidents, and journalists.
The company mitigated the security issue one day later with the release of 140.0.7339.185/.186 for Windows/Mac, and 140.0.7339.185 for Linux, versions that will roll out to the Stable Desktop channel over the coming weeks.
While Chrome automatically updates when new security patches are available, you can speed up the process by going to the Chrome menu > Help > About Google Chrome, allowing the update to finish, and then clicking the ‘Relaunch’ button to install it immediately.
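The manual About-page check above scales poorly across a fleet. The script below is an added example, not code from the article or from Google: it parses the four-part version string that `chrome --version` (or an endpoint agent) reports, compares it numerically against the fixed builds named in the advisory (140.0.7339.185 is the minimum on every platform), and classifies a constructed inventory as patched, vulnerable, or unknown. The binary names probed by `local_chrome_version` and the inventory format are assumptions.

```python
"""Classify Chrome installs against the CVE-2025-10585 fixed builds (added example)."""
import re
import shutil
import subprocess
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int, int]

# First Stable builds carrying the fix, as stated in the advisory: Windows and Mac
# got 140.0.7339.185/.186 and Linux got 140.0.7339.185, so .185 is the floor everywhere.
FIXED_VERSIONS: Dict[str, Version] = {
    "windows": (140, 0, 7339, 185),
    "mac": (140, 0, 7339, 185),
    "linux": (140, 0, 7339, 185),
}

_VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\.(\d+)\b")


def parse_version(text: str) -> Optional[Version]:
    """Pull a four-part Chrome version out of strings such as
    'Google Chrome 140.0.7339.185' or a bare '139.0.7258.154'.
    Returns None when no version is present so callers can flag unknowns."""
    match = _VERSION_RE.search(text)
    if not match:
        return None
    major, minor, build, patch = (int(part) for part in match.groups())
    return (major, minor, build, patch)


def is_patched(version: Version, platform: str) -> bool:
    """True when the build is at or above the first fixed build for the platform.
    Tuple comparison is numeric per component, so 140.0.7339.185 > 140.0.7339.99;
    a plain string comparison would get that wrong."""
    return version >= FIXED_VERSIONS[platform.lower()]


def local_chrome_version() -> Optional[Version]:
    """Best-effort query of a Chrome/Chromium binary on this Linux or Mac host.
    The binary names are assumptions; adjust them for your environment."""
    for name in ("google-chrome", "google-chrome-stable", "chromium", "chromium-browser"):
        path = shutil.which(name)
        if path:
            out = subprocess.run([path, "--version"], capture_output=True, text=True, timeout=10)
            return parse_version(out.stdout)
    return None


def assess_inventory(lines: List[str]) -> Dict[str, str]:
    """Classify inventory lines of the form 'host platform version-string'
    (an assumed format) into {host: 'patched' | 'vulnerable' | 'unknown'}."""
    result: Dict[str, str] = {}
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(maxsplit=2)
        if len(parts) < 3:
            result[parts[0]] = "unknown"
            continue
        host, platform, rest = parts
        version = parse_version(rest)
        if version is None:
            result[host] = "unknown"
        elif is_patched(version, platform):
            result[host] = "patched"
        else:
            result[host] = "vulnerable"
    return result


# Constructed sample inventory (not real hosts), e.g. collected by an endpoint agent.
SAMPLE_INVENTORY = """
# host      platform  chrome --version output
ws-01       windows   Google Chrome 140.0.7339.186
ws-02       mac       Google Chrome 140.0.7339.133
ws-03       linux     Google Chrome 139.0.7258.154
ws-04       linux     Google Chrome 140.0.7339.185
ws-05       windows   (chrome not installed)
""".splitlines()


if __name__ == "__main__":
    for host, status in assess_inventory(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
    here = local_chrome_version()
    print("this host:", "no chrome found" if here is None else ".".join(map(str, here)))
```

Hosts reported as `unknown` deserve a second look rather than being treated as safe: a missing or unparseable version usually means the agent could not find the browser, not that it is absent.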
Although Google has already confirmed that CVE-2025-10585 was used in attacks, it still has to share additional details regarding in-the-wild exploitation.
“Access to bug details and links may be kept restricted until a majority of users are updated with a fix,” Google said. “We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven’t yet fixed.”
This is the sixth actively exploited Chrome zero-day fixed by Google this year, with five more patched in March, May, June, and July.
In July, it addressed another actively exploited zero-day (CVE-2025-6558) reported by Google TAG researchers, which allowed attackers to escape the browser’s sandbox protection.
Google released additional emergency security updates in May to address a Chrome zero-day (CVE-2025-4664) that let attackers hijack accounts, and fixed an out-of-bounds read and write weakness (CVE-2025-5419) in Chrome’s V8 JavaScript engine discovered by Google TAG in June.
In March, it also patched a high-severity sandbox escape flaw (CVE-2025-2783) reported by Kaspersky, which was used in espionage attacks against Russian government organizations and media outlets.
Last year, Google patched 10 more zero-day bugs that were either demoed during Pwn2Own hacking competitions or exploited in attacks.