Google has released emergency fixes for a high-severity zero-day vulnerability in Chrome's V8 JavaScript engine, marking the sixth actively exploited flaw patched in 2025. The type confusion weakness (CVE-2025-10585) was discovered by Google's Threat Analysis Group and is being weaponized in targeted attacks. This continued pattern highlights escalating risks to browser security and high-risk individuals worldwide.
For the sixth time this year, Google has scrambled to patch an actively exploited zero-day vulnerability in its Chrome browser. The high-severity flaw, tracked as CVE-2025-10585, stems from a type confusion weakness in Chrome's V8 JavaScript engine – the core component responsible for executing JavaScript code. Google's Threat Analysis Group (TAG), which frequently uncovers espionage campaigns targeting journalists, dissidents, and politicians, reported the vulnerability just one day before the emergency patch was released.
"Google is aware that an exploit for CVE-2025-10585 exists in the wild," the company acknowledged in its security advisory, though full technical details remain restricted to prevent further exploitation while updates roll out globally. The fix arrives in versions 140.0.7339.185/.186 for Windows/Mac and 140.0.7339.185 for Linux, with Chrome automatically applying patches upon restart.
Chrome's update screen showing patched version (Image: BleepingComputer)
This marks a concerning acceleration in Chrome zero-day discoveries:
- July 2025: Sandbox escape flaw (CVE-2025-6558) patched
- June 2025: V8 engine flaws (CVE-2025-5419) fixed
- May 2025: Account hijacking vulnerability (CVE-2025-4664) addressed
- March 2025: Russian-targeted espionage exploit (CVE-2025-2783) mitigated
Type confusion vulnerabilities – where code passes unexpected data types to engine operations – remain a prime attack vector. As browser exploits increasingly target foundational components like V8, the implications extend beyond Chrome to any framework embedding Chromium. While Google's rapid response demonstrates improved defensive capabilities, the recurring pattern underscores how browser engines have become critical infrastructure requiring constant vigilance. Developers should verify their Chrome installations are updated immediately via chrome://settings/help, and security teams must treat browser updates as emergency operations rather than routine maintenance.
Source: BleepingComputer
Comments
Please log in or register to join the discussion