The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning about a high-severity zero-day vulnerability in Google Chrome that is being actively exploited in attacks.
The vulnerability, tracked as CVE-2025-10585, has been added to CISA's Known Exploited Vulnerabilities (KEV) catalog, signaling an urgent need for users and administrators to take action.
Google has confirmed it is aware that an exploit for this flaw exists in the wild and has released security updates to address the threat.
Understanding the V8 Type Confusion Flaw
The vulnerability is a type confusion weakness within Chrome's V8 JavaScript and WebAssembly engine. A type confusion flaw (CWE-843) occurs when a program attempts to access a resource with an incompatible type, causing it to misinterpret the data.
This can lead to memory corruption, which an attacker can leverage to crash the browser or, more critically, execute arbitrary code on the affected system.
The flaw was discovered and reported by Google's own Threat Analysis Group (TAG) on September 16, 2025.
While Google has not disclosed technical details about the specific attacks or the threat actors involved, this is standard practice to prevent wider exploitation before users have a chance to apply the necessary patches.
This marks the sixth Chrome zero-day vulnerability that has been actively exploited in 2025, highlighting a persistent trend of attackers targeting browser vulnerabilities.
In 2025, Google addressed several zero-day vulnerabilities in its Chrome web browser that were actively exploited in the wild. These flaws required urgent updates to protect users from potential attacks.
The table below details the Chrome zero-day vulnerabilities that have been discovered and patched throughout the year.
| CVE ID | Vulnerability Type | Description | Exploited in the Wild |
|---|---|---|---|
| CVE-2025-10585 | Type Confusion | A type confusion flaw in the V8 JavaScript engine that could be exploited via a malicious webpage. | Yes |
| CVE-2025-6558 | Improper Input Validation | Insufficient validation of untrusted input in the ANGLE and GPU components, allowing a remote attacker to perform a sandbox escape. | Yes |
| CVE-2025-6554 | Type Confusion | A type confusion vulnerability in the V8 JavaScript and WebAssembly engine, which may allow an attacker to perform arbitrary read/write operations. | Yes |
| CVE-2025-5419 | Out-of-Bounds Access | An out-of-bounds read and write vulnerability in the V8 engine that could allow memory corruption by visiting a crafted webpage. | Yes |
| CVE-2025-2783 | Sandbox Bypass | A critical vulnerability that allows for bypassing Chrome's sandbox protection. | Yes |
| CVE-2025-4664 | Insufficient policy enforcement | This vulnerability was addressed by Google as a zero-day, but it is unclear if it was actively exploited in malicious attacks. | Unclear |
CISA Directive and Recommended Actions
In response to the active exploitation, CISA has directed Federal Civilian Executive Branch (FCEB) agencies to apply the necessary security updates by October 14, 2025, in accordance with Binding Operational Directive (BOD) 22-01.
While this directive is mandatory for federal agencies, CISA strongly urges all organizations and individual users to prioritize patching their systems to defend against potential attacks.
To mitigate the vulnerability, users should update their Chrome browser to the latest version:
Windows and macOS: 140.0.7339.185/.186
Linux: 140.0.7339.185
Users can initiate the update by navigating to Chrome's menu, selecting "Help," and then "About Google Chrome," which will trigger an automatic check for and installation of the latest version.
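For fleets too large to check "About Google Chrome" by hand, the patched build numbers above can be compared against a software inventory to find hosts still exposed and how many days remain before the BOD 22-01 due date. The following is an added example, not code from the article, CISA or Google; it assumes an inventory export of "hostname,platform,chrome_version" lines (the sample lines below are constructed) and uses only the fixed versions and deadline stated in the article.

```python
"""Flag Chrome installs below the fixed builds for CVE-2025-10585.

Added example, not from the article. Assumes an inventory export with one
"hostname,platform,chrome_version" line per host (a hypothetical format).
"""
from datetime import date

# Minimum fixed builds per platform, as listed in the advisory. Windows and
# macOS shipped 140.0.7339.185/.186, so anything >= .185 is considered fixed.
FIXED_VERSIONS = {
    "windows": (140, 0, 7339, 185),
    "macos": (140, 0, 7339, 185),
    "linux": (140, 0, 7339, 185),
}

# BOD 22-01 remediation due date for FCEB agencies, from the article.
BOD_22_01_DUE = date(2025, 10, 14)

# Constructed sample inventory data (not real hosts or telemetry).
SAMPLE_INVENTORY = """
# hostname,platform,chrome_version
ws-001,Windows,140.0.7339.185
ws-002,Windows,140.0.7339.123
ws-003,macOS,139.0.7258.154
ws-004,Linux,140.0.7339.185
ws-005,Linux,141.0.7390.54
""".strip().splitlines()


def parse_version(text):
    """Turn '140.0.7339.185' into a comparable int tuple; reject malformed input.

    Comparing tuples rather than strings avoids '140.0.7339.9' sorting above
    '140.0.7339.185', which a plain string comparison would get wrong.
    """
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised Chrome version string: {text!r}")
    return tuple(int(p) for p in parts)


def is_patched(platform, version):
    """True if the installed version is at or above the fixed build for its platform."""
    plat = platform.strip().lower()
    if plat not in FIXED_VERSIONS:
        raise ValueError(f"no fixed version known for platform {platform!r}")
    return parse_version(version) >= FIXED_VERSIONS[plat]


def triage_inventory(lines, today_iso):
    """Return (hosts still vulnerable, days left until the BOD 22-01 due date).

    `today_iso` is an ISO date string such as '2025-09-24'; a negative day
    count means the deadline has already passed.
    """
    vulnerable = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # skip blank lines and the header comment
        host, platform, version = (f.strip() for f in line.split(","))
        if not is_patched(platform, version):
            vulnerable.append(host)
    days_left = (BOD_22_01_DUE - date.fromisoformat(today_iso)).days
    return vulnerable, days_left


if __name__ == "__main__":
    hosts, days = triage_inventory(SAMPLE_INVENTORY, date.today().isoformat())
    print(f"{len(hosts)} host(s) below the fixed build: {', '.join(hosts) or 'none'}")
    print(f"{days} day(s) until the BOD 22-01 due date of {BOD_22_01_DUE}")
```

Because the check is a plain version comparison, it also flags hosts that were never updated for the earlier 2025 zero-days in the table above, since those fixes all predate build 140.0.7339.185.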
Users of other Chromium-based browsers, such as Microsoft Edge, Brave, Opera, and Vivaldi, are also advised to apply security updates as soon as they become available from their respective vendors.
Enabling automatic updates is highly recommended to ensure prompt protection against future threats.