Google has released emergency security updates to patch a Chrome zero-day vulnerability, the sixth one tagged as exploited in attacks since the start of the year.
While it didn't specifically say whether this security flaw is still being actively abused in the wild, the company warned that it has a public exploit, a common indicator of active exploitation.
“Google is aware that an exploit for CVE-2025-10585 exists in the wild,” Google warned in a security advisory published on Wednesday.
This high-severity zero-day vulnerability is caused by a type confusion weakness in the web browser’s V8 JavaScript engine, reported by Google’s Threat Analysis Group on Tuesday.
Google TAG frequently flags zero-days exploited by government-sponsored threat actors in targeted spyware campaigns targeting high-risk individuals, including but not limited to opposition politicians, dissidents, and journalists.
The company mitigated the security issue one day later with the release of 140.0.7339.185/.186 for Windows/Mac, and 140.0.7339.185 for Linux, versions that will roll out to the Stable Desktop channel over the coming weeks.
While Chrome automatically updates when new security patches are available, you can speed up the process by going to the Chrome menu > Help > About Google Chrome, allowing the update to finish, and then clicking the ‘Relaunch’ button to install it immediately.
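For administrators checking many machines rather than one browser, the following added example (not from Google or the original article) triages a constructed inventory of reported Chrome versions against the fixed build 140.0.7339.185 named above. It assumes Stable-channel version strings; the hostnames and sample readings are made up.

```python
import re

# Fixed Stable build named in the article (Windows/Mac also shipped .186).
# Assumption: only Stable-channel builds are being compared.
FIXED = (140, 0, 7339, 185)

_VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\.(\d+)\b")


def parse_version(text):
    """Extract a four-part Chrome version from text such as
    'Google Chrome 140.0.7339.127'; return None if none is present."""
    m = _VERSION_RE.search(text)
    return tuple(int(p) for p in m.groups()) if m else None


def classify(text):
    """Compare numerically, field by field. A plain string comparison
    would wrongly rank '140.0.7339.99' above '140.0.7339.185'."""
    v = parse_version(text)
    if v is None:
        return "unknown"  # no readable version: needs a manual check
    return "patched" if v >= FIXED else "vulnerable"


def triage(inventory):
    """inventory: iterable of 'host<TAB>reported version output' lines."""
    report = {"patched": [], "vulnerable": [], "unknown": []}
    for line in inventory:
        host, _, raw = line.partition("\t")
        report[classify(raw)].append(host.strip())
    return report


# Constructed sample inventory (hostnames and readings are made up).
SAMPLE = [
    "ws-001\tGoogle Chrome 140.0.7339.186",
    "ws-002\tGoogle Chrome 140.0.7339.127",
    "lnx-003\tGoogle Chrome 140.0.7339.185 ",
    "mac-004\tGoogle Chrome 139.0.7258.155",
    "ws-005\tcommand not found",
]

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE).items():
        print(f"{status:10} {', '.join(hosts) or '-'}")
```

A host only reports the new version after Chrome has been relaunched, so a "vulnerable" result on a machine that already downloaded the update usually means the restart is still pending.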
Although Google has already confirmed that CVE-2025-10585 was used in attacks, it still has to share more details regarding in-the-wild exploitation.
“Access to bug details and links may be kept restricted until a majority of users are updated with a fix,” Google said. “We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven't yet fixed.”
This is the sixth actively exploited Chrome zero-day fixed by Google this year, with five more patched in March, May, June, and July.
In July, it addressed another actively exploited zero-day (CVE-2025-6558) reported by Google TAG researchers, which allowed attackers to escape the browser’s sandbox protection.
Google released additional emergency security updates in May to address a Chrome zero-day (CVE-2025-4664) that let attackers hijack accounts, and fixed an out-of-bounds read and write weakness (CVE-2025-5419) in Chrome’s V8 JavaScript engine discovered by Google TAG in June.
In March, it also patched a high-severity sandbox escape flaw (CVE-2025-2783) reported by Kaspersky, which was used in espionage attacks against Russian government organizations and media outlets.
Last year, Google patched 10 more zero-day bugs that were either demoed during Pwn2Own hacking competitions or exploited in attacks.