- Google patches four Chrome bugs, including actively exploited zero-day CVE-2025-10585
- The zero-day is a type confusion flaw in V8 allowing potential arbitrary code execution
- Chrome’s popularity makes it a prime target for cybercriminals exploiting browser vulnerabilities
Google has fixed four bugs found in its Chrome browser, including a zero-day that’s apparently being exploited in the wild.
In a security advisory, Google said it patched a heap buffer overflow in ANGLE (CVE-2025-10502), a user-after-free bug in WebRTC (CVE-2025-10501), and a separate use-after-free in Dawn (CVE-2025-10500). The fourth bug, the one being exploited as a zero-day, is a type confusion bug in V8.
A Type Confusion bug in Chrome’s V8 JavaScript engine is a memory safety issue which happens when the engine treats a variable or object as a different type than it actually is. This misidentification can lead to serious issues, including heap corruption and arbitrary code execution.
Abusing zero-days
This is the sixth zero-day vulnerability that Google patched in Chrome in 2025 alone.
In this case, Google said it didn’t want to share too many details before everyone patches up, to protect against further attacks.
“Access to bug details and links may be kept restricted until a majority of users are updated with a fix,” the advisory reads. “We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven’t yet fixed.”
The flaw is now tracked as CVE-2025-10585, and is yet to receive a severity score. It is only described as a “high-severity” bug.
Google fixed it with versions 140.0.7339.185/.186 for Windows/Mac, and 140.0.7339.185 for Linux which will roll out over the coming days and weeks.
Chrome is the most popular browser in the world, with a market share of almost 70%, making it a popular target for cybercriminals.
Miscreants can use browser bugs to gain unauthorized access to sensitive data, compromise user accounts, and even take control of entire systems. These vulnerabilities often allow attackers to bypass security mechanisms like sandboxing or authentication, enabling them to steal credentials, session tokens, or personal information stored in the browser.
Via BleepingComputer
You might also like
- Google warns Salesloft Drift attack may have compromised Workspace accounts and Salesforce instances
- Take a look at our guide to the best authenticator app
- We've rounded up the best password managers
