Global Current News
Google fixes Chrome zero-day CVE-2025-10585

by Edwin O.
September 28, 2025
in Cybersecurity

Google has released emergency security patches for CVE-2025-10585, a high-severity zero-day bug in Chrome's V8 JavaScript engine that has been actively exploited. It is the sixth Chrome zero-day to be patched this year, as criminal hackers continue to target Chrome with advanced exploits. The vulnerability has a wide reach, and Google confirms the exploitation in its security advisory, which states, “Google is aware that an exploit targeting CVE-2025-10585 is in the wild.”

Remote attacks are possible because of a critical V8 engine vulnerability

CVE-2025-10585 is a type confusion vulnerability in the V8 JavaScript and WebAssembly engine of the Chrome browser. It was discovered on September 16, 2025, by Google's Threat Analysis Group. The weakness lets an attacker corrupt or crash programs or execute malicious code by causing memory objects to be treated as the wrong data type.

The patches were issued less than a day after the flaw was discovered, which indicates how serious the problem is. Type confusion vulnerabilities are especially dangerous in browsers because they can let attackers get around security measures and execute code remotely through intentionally crafted web pages.

The vulnerability is a serious concern for internet security worldwide, since the V8 engine processes the JavaScript code of billions of websites. Google's Threat Analysis Group has found, on multiple occasions, that government-sponsored attackers use zero-day exploits in targeted spyware attacks. Such attacks are normally directed at high-risk individuals, and their victims include opposition politicians, dissidents, and journalists who are closely monitored.

Sixth Chrome zero-day to be patched in 2025

Although Google has not disclosed technical details of the exploitation methods, the company's rapid response shows that there were active attacks in the wild. The TAG team focuses on researching nation-state actors and commercial spyware vendors that pose advanced persistent threats.

This latest vulnerability continues a troubling pattern of Chrome zero-days disclosed over the course of 2025. Vulnerabilities that were actively exploited earlier include CVE-2025-6558, a sandbox escape vulnerability fixed in July, and CVE-2025-4664, which allowed account hijacking attacks and was fixed in May.

Other zero-days this year are CVE-2025-5419, an out-of-bounds read and write vulnerability in the V8 engine found in June, and CVE-2025-2783, a high-severity sandbox escape that figured in a Russian spy attack, which Kaspersky researchers reported in March.

An urgent update is advised to all users

To address this vulnerability, Google has published Chrome version 140.0.7339.185/.186 for Windows and macOS, and version 140.0.7339.185 for Linux. The updates are automatic and will be delivered by Chrome's built-in update mechanism within the next few weeks.

Users can also start the update manually by opening the Chrome menu and going to Help > About Google Chrome. Once that is done, clicking the Relaunch button applies the protection immediately. This installs the latest security patches without waiting for the automatic rollout.
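A fleet check built on the fixed builds named above, as an added example that is not from the article or from Google: it classifies hosts from the text returned by a version query such as `google-chrome --version`. The inventory, host names and function names are constructed for illustration, and treating .185 as the minimum build on every platform is an assumption.

```python
import re

# Fixed builds as stated in the article. Windows and macOS shipped as
# .185/.186; using .185 as the minimum on every platform is an assumption.
FIXED = {"windows": (140, 0, 7339, 185),
         "macos": (140, 0, 7339, 185),
         "linux": (140, 0, 7339, 185)}

# Exactly four dotted numeric components, not part of a longer dotted string.
VERSION_RE = re.compile(r"(?<![\d.])(\d+)\.(\d+)\.(\d+)\.(\d+)(?![\d.])")

def parse_version(text):
    """Extract a four-part Chrome version from free text.
    Returns a tuple of ints, or None if no version is present."""
    m = VERSION_RE.search(text or "")
    return tuple(int(p) for p in m.groups()) if m else None

def classify(platform, reported):
    """Return 'patched', 'vulnerable' or 'unknown' for one host."""
    fixed = FIXED.get(platform.lower())
    version = parse_version(reported)
    if fixed is None or version is None:
        return "unknown"  # never assume a host is safe when data is missing
    # Tuples compare numerically per component, so build 80 sorts below 185
    # (a plain string comparison would get this wrong).
    return "patched" if version >= fixed else "vulnerable"

def triage(inventory):
    """Group host names by status, preserving inventory order."""
    out = {"patched": [], "vulnerable": [], "unknown": []}
    for host, platform, reported in inventory:
        out[classify(platform, reported)].append(host)
    return out

# Constructed sample inventory: (host, platform, reported version text)
INVENTORY = [
    ("ws-01", "windows", "Google Chrome 140.0.7339.186"),
    ("ws-02", "windows", "Google Chrome 140.0.7339.128"),
    ("mac-01", "macos", "Google Chrome 139.0.7258.155"),
    ("lin-01", "linux", "Google Chrome 140.0.7339.185 "),
    ("lin-02", "linux", "Google Chrome 140.0.7339.80"),
    ("ws-03", "windows", "Google Chrome 141.0.7390.54"),
    ("kiosk-01", "chromeos", "140.0.7339.185"),  # platform not covered here
    ("ws-04", "windows", ""),                    # agent returned nothing
]

if __name__ == "__main__":
    for status, hosts in triage(INVENTORY).items():
        print(f"{status:10} {', '.join(hosts)}")
```

Hosts that land in `unknown` need a manual look, since a missing or unparseable version says nothing about whether the fix is installed.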

In line with responsible disclosure standards, and to avoid further exploitation, Google keeps the details of the vulnerability restricted until the majority of its users have installed the security fix, and only then releases them publicly. As Chrome zero-days continue to be identified in 2025, keeping browsers updated and using automatic protection options is becoming more important, since these help against the constant stream of online threats that web browsers now face.

© 2025 by Global Current News
