Google Patches Chrome Zero-Day CVE-2025-10585 Exploited in Active Attacks


Google has released an update for its Chrome browser to patch four security flaws, including a critical zero-day vulnerability already being actively exploited by cyber attackers. The most serious issue, tracked as CVE-2025-10585, affects the widely used V8 JavaScript and WebAssembly engine inside Chrome.

This vulnerability is particularly concerning because Chrome powers billions of devices worldwide, and any active exploit can put millions of users at risk.

CVE-2025-10585 is described as a type confusion vulnerability. In simple terms, type confusion happens when a program mistakenly treats data as the wrong type. This error can allow attackers to trick the software into executing malicious code, crashing the program, or taking unauthorized control of a device.

For everyday users, this means that visiting a malicious website or opening an infected page could allow hackers to run harmful commands without their knowledge. Such exploits are often used to steal personal information, install malware, or gain remote access to a computer.

The flaw was discovered and reported on September 16, 2025, by Google’s Threat Analysis Group (TAG), a team that investigates real-world cyber threats. According to Google’s advisory, the vulnerability is already being exploited in the wild, meaning attackers are actively using it before a patch is widely applied.

As with most zero-day reports, Google did not release detailed technical information. This decision is intentional—it prevents other hackers from quickly replicating the exploit while users are still updating their systems.

This is not the first time Chrome users have faced urgent updates in 2025. In fact, CVE-2025-10585 is the sixth zero-day vulnerability discovered in Chrome this year alone. Other high-profile flaws fixed earlier include:

  • CVE-2025-2783

  • CVE-2025-4664

  • CVE-2025-5419

  • CVE-2025-6554

  • CVE-2025-6558

This trend highlights how Chrome, as the world’s most popular browser, remains a top target for cybercriminals. Attackers know that exploiting a widely used platform gives them the largest pool of victims.

Google has rolled out patched versions of Chrome to close these security gaps. Users should immediately update to the following versions:

  • Windows & macOS: Chrome 140.0.7339.185 or 140.0.7339.186

  • Linux: Chrome 140.0.7339.185

To update Chrome:

  1. Open Chrome.

  2. Click the three-dot menu in the top-right corner.

  3. Navigate to Help > About Google Chrome.

  4. Chrome will automatically check for updates.

  5. Click Relaunch to complete the installation.

Updating only takes a few seconds, but it could prevent your device from being compromised by attackers.


It’s important to note that Chrome isn’t the only browser affected. Many other browsers, such as Microsoft Edge, Brave, Opera, and Vivaldi, are based on the same Chromium engine. These browsers will also need to release their own security patches. Users of these browsers should keep an eye out for updates and install them as soon as they are available.

A zero-day exploit refers to a security flaw that hackers start using before the software vendor can provide a fix. Since users and companies are often unaware of the problem, attackers have a “zero-day advantage.” This makes zero-days one of the most dangerous tools in a hacker’s arsenal.

They are often sold on underground markets to state-sponsored groups, cybercriminal gangs, and other malicious actors who use them for:

  • Espionage – stealing government or corporate secrets

  • Financial fraud – capturing banking or payment data

  • Malware delivery – installing ransomware or spyware

  • System compromise – gaining remote control of a device

With billions of Chrome users worldwide, even a small percentage of exploited systems could impact millions of people. Cybercriminals only need one click from an unpatched user to launch a successful attack.

This is why experts strongly recommend enabling automatic updates in Chrome. By default, Chrome downloads updates in the background and applies them when the browser restarts. However, many users leave their browsers running for days or weeks without restarting, delaying the fix.

Google’s quick response to CVE-2025-10585 shows the company’s commitment to protecting its users from high-risk threats. But the increasing number of zero-days in 2025 also reminds us of a hard truth: browsers will always be high-value targets, and attackers are constantly looking for new ways in.

The best defense is simple: keep your browser updated. Whether you use Chrome, Edge, Brave, Opera, or Vivaldi, make sure you install the latest version as soon as possible. For organizations, IT teams should roll out security patches immediately across all devices to reduce exposure.
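For IT teams, the roll-out can be verified against the fixed build listed above. The following is an added example, not code from Google or from this article's author: it classifies inventory records by comparing builds numerically and separates hosts that have installed the fix but not yet relaunched the browser. The hostnames, status labels, record layout and the availability of a "running build" field from your inventory tool are assumptions.

```python
import re

# Fixed Chrome build listed above; .185 is the minimum on Windows, macOS and Linux.
CHROME_FIXED = (140, 0, 7339, 185)
# Chromium-based browsers named in the article; it gives no fixed builds for them.
OTHER_CHROMIUM = {"edge", "brave", "opera", "vivaldi"}

def parse_version(text):
    """'140.0.7339.185' -> (140, 0, 7339, 185); None if not four dotted numbers."""
    text = (text or "").strip()
    if not re.fullmatch(r"\d+(\.\d+){3}", text):
        return None
    return tuple(int(part) for part in text.split("."))

def assess(browser, installed, running=None):
    """Classify one record. `running` is the build of the live process, which
    stays on the old build until the browser is relaunched."""
    name = browser.strip().lower()
    if name in OTHER_CHROMIUM:
        return "CHECK_VENDOR_ADVISORY"
    if name != "chrome":
        return "OUT_OF_SCOPE"
    inst = parse_version(installed)
    run = parse_version(running) if running else inst
    if inst is None or run is None:
        return "UNPARSEABLE"
    # Tuples compare numerically; as plain strings, ".99" would sort above ".185".
    if inst < CHROME_FIXED:
        return "VULNERABLE"
    return "RELAUNCH_PENDING" if run < CHROME_FIXED else "PATCHED"

# Constructed sample inventory: (host, browser, installed build, running build).
INVENTORY = [
    ("ws-001", "chrome", "140.0.7339.185", "140.0.7339.185"),
    ("ws-002", "chrome", "140.0.7339.99", "140.0.7339.99"),
    ("ws-003", "chrome", "140.0.7339.186", "140.0.7339.80"),
    ("ws-004", "edge", "1.2.3.4", None),       # placeholder build, not a real one
    ("ws-005", "chrome", "unknown", None),
]

def audit(inventory):
    """Return {host: status} for every record."""
    return {host: assess(b, inst, run) for host, b, inst, run in inventory}

if __name__ == "__main__":
    for host, status in audit(INVENTORY).items():
        print(f"{host}: {status}")
```

Treat `RELAUNCH_PENDING` and `UNPARSEABLE` as still exposed until the browser restarts or the record is corrected.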

Staying one step ahead of attackers requires vigilance, quick updates, and awareness. With zero-day attacks on the rise, now is the time to make browser security a top priority.
