Description
Google has released an emergency update to fix a zero-day vulnerability in the Chrome browser, tracked as CVE-2025-10585. This flaw is already being exploited by attackers in the wild. It affects the V8 JavaScript engine, which handles JavaScript execution in the browser. Users who do not update remain vulnerable to malicious websites that could execute arbitrary code on their devices.
This is the sixth Chrome zero-day exploited in 2025 so far, reinforcing the need for frequent patching and browser security hygiene.
Attack Details
- The vulnerability is a type confusion bug in the V8 JavaScript engine, which could allow attackers to execute arbitrary code in the context of the browser.
- Google confirmed that exploitation exists in the wild, although technical exploit details have not been disclosed.
- The issue was reported by an anonymous security researcher on September 18th, 2025, and patched immediately.
- The vulnerability affects Windows, Mac, and Linux versions of Chrome prior to 0.7339.185/.186.
Remediation
- Update Chrome Immediately: Ensure your browser is updated to version 140.0.7339.185/.186 or later.
- Manual Check: Go to Settings → Help → About Google Chrome to verify the version and apply pending updates.
- Restart the Browser: Updates are not applied until Chrome is restarted do not skip this step.
- Restrict Browser Extensions: Remove or disable unused and untrusted extensions that could increase risk.
- Educate Users: Inform employees and users about the update and remind them to avoid suspicious websites and popups.
- Monitor Browsing Activity: Watch for signs of compromise such as unexpected redirects, crashes, or popup behavior.
The Guyana National CIRT recommends that users and administrators review this alert and apply it where necessary.
PDF Download: Google Patches Actively Exploited Chrome Zero-Day Vulnerability
References