Summary:Yesterday, Google rolled out emergency security updates to address a zero-day vulnerability in its Chrome browser. Tracked as CVE-2025-10585, the flaw is a type confusion bug in the browser's V8 JavaScript engine. Successful exploitation could enable attackers to execute arbitrary code within the renderer process and, if chained with a sandbox-escape bug, compromise the underlying system. Google says it is aware of an exploit for CVE-2025-10585 in the wild, but details of the exploitation have been limited. The flaw was addressed in 140.0.7339.185/.186 for Windows and macOS, and 140.0.7339.185 for Linux. Users should ensure their browser is updated to one of these builds as soon as possible.
Security Officer Comments:CVE-2025-10585 is the sixth Chrome zero-day this year that has either been exploited in attacks or had a public working exploit. In July, Google patched CVE-2025-6558, which could let attackers escape the browser's sandbox. In May 2025, it patched CVE-2025-4664, which allowed remote attackers to leak cross-origin data (including OAuth tokens and session IDs) via a crafted HTML page, potentially leading to full account compromise. While exploit details for CVE-2025-10585 remain limited, arbitrary code execution in the browser is a common first stage for malware delivery, so the patch should be applied as soon as possible.
Suggested Corrections:Chrome updates automatically when new security patches are available, but users can speed up the process by going to the Chrome menu > Help > About Google Chrome, letting the update finish, and clicking the 'Relaunch' button to install it immediately. Until Chrome is relaunched, the running instance still executes the vulnerable code, even if the update has already been downloaded.
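For administrators who need to verify patch status across Linux hosts rather than clicking through the About page, the following POSIX shell script is an added example (not part of the advisory or of Google's tooling). It parses the output of `google-chrome --version`, compares the dotted version numerically against the fixed build from the advisory (140.0.7339.185), and reports whether the installed binary is patched. The binary name `google-chrome` and the sample version strings in the comments are assumptions; adjust the name for Chromium or non-standard installs.

```sh
#!/bin/sh
# Added example: check whether an installed Chrome build includes the fix for
# CVE-2025-10585. Fixed builds per the advisory: 140.0.7339.185/.186 on
# Windows/macOS and 140.0.7339.185 on Linux, so 140.0.7339.185 is the floor.
FIXED_VERSION="140.0.7339.185"

# version_ge A B: exit 0 if dotted version A >= B. Components are compared as
# integers one at a time, so 140.0.7339.80 correctly sorts below 140.0.7339.185
# (a plain string comparison would get this wrong). Missing components count as 0.
version_ge() {
    a="$1"; b="$2"
    i=1
    while [ "$i" -le 4 ]; do
        ca=$(printf '%s' "$a" | cut -d. -f"$i")
        cb=$(printf '%s' "$b" | cut -d. -f"$i")
        ca=${ca:-0}; cb=${cb:-0}
        if [ "$ca" -gt "$cb" ]; then return 0; fi
        if [ "$ca" -lt "$cb" ]; then return 1; fi
        i=$((i + 1))
    done
    return 0
}

# chrome_is_patched "<output of google-chrome --version>": extract the first
# four-part dotted version from the string and compare it to FIXED_VERSION.
# Exit 0 = patched, 1 = vulnerable build, 2 = no version string found.
chrome_is_patched() {
    ver=$(printf '%s' "$1" | grep -oE '[0-9]+(\.[0-9]+){3}' | head -n 1)
    [ -n "$ver" ] || return 2
    version_ge "$ver" "$FIXED_VERSION"
}

# Stand-alone use: query the local binary if one is on PATH (binary name is an
# assumption; Chromium builds ship as "chromium" or "chromium-browser").
if command -v google-chrome >/dev/null 2>&1; then
    out=$(google-chrome --version 2>/dev/null)
    if chrome_is_patched "$out"; then
        echo "patched: $out"
    else
        echo "NOT patched (need >= $FIXED_VERSION): $out"
    fi
fi
```

Note that this only inspects the binary on disk. A Chrome process that was already running when the update was installed is still executing the old code until it is relaunched, so a fleet check should also confirm that the browser has been restarted since the patch landed.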
Link(s):https://www.bleepingcomputer.com/ne...rome-zero-day-exploited-in-attacks-this-year/