Google has issued an emergency security update for its Chrome browser following the discovery of a critical zero-day vulnerability that is actively being exploited by threat actors. On September 16, 2025, Google’s Threat Analysis Group identified CVE-2025-10585, a type confusion flaw in the V8 JavaScript engine that powers Chrome’s web rendering. The flaw lets an attacker who lures a victim to a malicious website corrupt memory by causing V8 to treat data as the wrong type during JavaScript execution, potentially enabling remote code execution (RCE) on the victim’s device. Such exploits can lead to full system compromise, data theft, or malware installation with no interaction beyond visiting the page, making this a high-risk threat for everyday web users, enterprises, and organizations that rely on Chrome.
The patch was rolled out swiftly on September 17, 2025, as Chrome version 140.0.7339.185 for Linux and 140.0.7339.185/.186 for Windows and macOS. The update not only addresses the zero-day but also fixes three additional high-severity issues: a use-after-free bug in Dawn (CVE-2025-10500), another in WebRTC (CVE-2025-10501), and a heap buffer overflow in ANGLE (CVE-2025-10502). Google has withheld technical details of the exploitation method to limit further attacks, but has confirmed real-world abuse. Users are strongly advised to update immediately through Chrome’s settings menu rather than waiting for the automatic update, which may take time to arrive. For businesses, enhanced network monitoring and vulnerability scanning are recommended to detect and mitigate potential breaches. This incident underscores the ongoing cat-and-mouse game in cybersecurity, where zero-days like this highlight the importance of timely patching in browser ecosystems.
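For the vulnerability-scanning step above, the check an administrator actually needs is whether every Chrome install reports a build at or past 140.0.7339.185. The following is an added example, not code from Google or from this post: it parses version strings of the form Chrome prints for `--version`, compares them numerically against the fixed build, and flags vulnerable hosts in a constructed inventory export. The `google-chrome` binary name and the CSV inventory layout are assumptions.

```python
import re
import subprocess

# Minimum Chrome build containing the fix for CVE-2025-10585, as stated in the
# advisory above: 140.0.7339.185 on all platforms (Windows and macOS may also
# report .186, which is newer and therefore also patched).
PATCHED_MIN = (140, 0, 7339, 185)

VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Pull the four-part Chrome version out of text such as
    'Google Chrome 140.0.7339.185' and return it as an int tuple."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no Chrome version found in {text!r}")
    return tuple(int(part) for part in m.groups())


def is_patched(version_text):
    """True if the reported build is at or past the fixed build. Tuple
    comparison is numeric per component, so 140.0.7339.80 < 140.0.7339.185,
    which a plain string comparison would get wrong."""
    return parse_version(version_text) >= PATCHED_MIN


def scan_inventory(lines):
    """Given 'hostname,version string' lines (assumed export format), return
    the hostnames that are still vulnerable. Unparsable entries are reported
    too, since an unknown version must not be silently treated as safe."""
    vulnerable = []
    for line in lines:
        host, _, version_text = line.partition(",")
        try:
            if not is_patched(version_text):
                vulnerable.append(host.strip())
        except ValueError:
            vulnerable.append(host.strip())
    return vulnerable


def installed_chrome_version(binary="google-chrome"):
    """Ask the local Chrome binary (assumed name) for its version string;
    returns None when it is not installed or fails to run."""
    try:
        out = subprocess.run([binary, "--version"], capture_output=True,
                             text=True, check=True)
    except (FileNotFoundError, subprocess.CalledProcessError):
        return None
    return out.stdout.strip()


# Constructed sample inventory, standing in for an MDM or endpoint-agent export.
SAMPLE_INVENTORY = [
    "ws-01,Google Chrome 140.0.7339.185",
    "ws-02,Google Chrome 140.0.7339.80",
    "ws-03,Google Chrome 140.0.7339.186",
    "ws-04,Google Chrome 139.0.7258.200",
    "ws-05,chrome not installed",
]

if __name__ == "__main__":
    local = installed_chrome_version()
    if local:
        print(local, "->", "patched" if is_patched(local) else "VULNERABLE")
    print("needs update:", scan_inventory(SAMPLE_INVENTORY))
```

Running it prints `needs update: ['ws-02', 'ws-04', 'ws-05']`; hosts already on .185 or .186 are left alone.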