Google Patches Chrome Zero-Day CVE-2025-10585 as Active V8 Exploit Threatens Millions

Written by Integrity360 | Sep 19, 2025 9:31:42 AM

Google released security updates for Chrome to fix four vulnerabilities, including an actively exploited zero-day, CVE-2025-10585 — a type-confusion bug in the V8 JavaScript / WebAssembly engine that can lead to arbitrary code execution when a user visits a crafted webpage. Google’s Threat Analysis Group (TAG) reported the flaw on 16 September 2025 and confirmed an exploit exists in the wild. Technical details have been withheld to limit further abuse. 

 

This is the sixth Chrome zero-day publicly tied to active exploitation in 2025 (alongside CVE-2025-2783, CVE-2025-4664, CVE-2025-5419, CVE-2025-6554 and CVE-2025-6558). Google patched the issue as part of Chrome v140.0.7339.185 / .186 (Windows/macOS) and 140.0.7339.185 (Linux). Other Chromium-based browsers (Edge, Brave, Opera, Vivaldi) should also apply vendor updates when available. 

Type-confusion bugs in V8 are powerful: by tricking the engine into misinterpreting memory layout, an attacker can corrupt memory, crash the browser, or gain code execution on the host — all just by getting a user to load a malicious page or content. Because an exploit for CVE-2025-10585 is already being used in the wild, unpatched systems are at immediate risk.

 

What you should do 

Patch immediately (highest priority) 

  • Update Google Chrome to 140.0.7339.185 / 140.0.7339.186 (Windows/macOS) or 140.0.7339.185 (Linux). 
  • End-user: Menu → Help → About Google Chrome → Relaunch. 
  • Enterprise: deploy the browser update via your normal patch/update management (SCCM, Intune, WSUS, enterprise Chrome auto-update or ADMX policy). 
  • Apply vendor updates for other Chromium-based browsers (Edge, Brave, Opera, Vivaldi) as soon as vendor patches are released. 

Inventory & enforce update posture 

  • Inventory all endpoints that run Chromium engines and prioritize high-risk hosts (exposed servers, admin workstations, R&D, privileged users). 
  • Enforce automatic updates or centrally manage browser versions to prevent lagging builds. 
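
One way to triage an endpoint inventory against the fixed builds listed above (an added example, not Integrity360 or Google tooling). The CSV columns, host names and sample rows are constructed assumptions, and the script assumes any Chrome build at or above 140.0.7339.185 carries the fix; other Chromium-based browsers are marked for review because this advisory gives no fixed versions for them.

```python
import csv
import io

# Fixed Chrome builds named in the advisory. .186 is also a fixed build on
# Windows/macOS, so .185 is used as the minimum on every platform.
# Assumption: any later build also carries the fix.
FIXED_CHROME = {"windows": (140, 0, 7339, 185),
                "macos": (140, 0, 7339, 185),
                "linux": (140, 0, 7339, 185)}

# Constructed sample inventory; column names are assumptions, not a real export format.
SAMPLE_INVENTORY = """host,os,browser,version,privileged
ws-001,windows,chrome,140.0.7339.186,no
ws-002,windows,chrome,140.0.7339.128,yes
mac-014,macos,chrome,139.0.7258.155,no
lin-203,linux,chrome,140.0.7339.185,yes
ws-077,windows,edge,140.0.3485.66,yes
ws-090,windows,chrome,unknown,no
"""

def parse_version(text):
    """Return a 4-tuple of ints, or None if the string is not a dotted 4-part build."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)

def classify(row):
    """Return 'patched', 'vulnerable' or 'review' for one inventory row."""
    browser, os_name = row["browser"].lower(), row["os"].lower()
    version = parse_version(row["version"])
    # Non-Chrome Chromium browsers and unparseable versions need a manual check.
    if browser != "chrome" or os_name not in FIXED_CHROME or version is None:
        return "review"
    # Integer tuple comparison: a string compare would rank ".99" above ".185".
    return "patched" if version >= FIXED_CHROME[os_name] else "vulnerable"

def triage(inventory_csv):
    """Return (host, status) pairs: vulnerable first, privileged hosts first within a status."""
    order = {"vulnerable": 0, "review": 1, "patched": 2}
    rows = list(csv.DictReader(io.StringIO(inventory_csv)))
    rows.sort(key=lambda r: (order[classify(r)], r["privileged"] != "yes", r["host"]))
    return [(r["host"], classify(r)) for r in rows]

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY):
        print(f"{host:10} {status}")
```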

Immediate mitigations (if patching is delayed) 

  • Restrict access to high-risk browsing (block or isolate web browsing from privileged endpoints). 
  • Consider applying network layer protections (URL filtering, proxy/NGFW rules) to block suspicious / untrusted sites. 
  • Enable Chrome hardening features where feasible (Site Isolation, strict extension policies, disable unnecessary plugins) until fully patched. 