⚠ Actively exploited
Added to CISA KEV on 2025-09-23. Federal agencies are required to patch by 2025-10-14. Required action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

CVE-2025-10585: Type Confusion in Google Chrome

CWE-843: Type Confusion | 19 documents | 13 sources

Severity: 9.8 CRITICAL (NVD)
EPSS: 0.7% (top 27.97%)
CISA KEV: Added 2025-09-23 | Due 2025-10-14
Exploit: No known exploits
Timeline: KEV added Sep 23 | Published Sep 24 | KEV due Oct 14 | Latest update Dec 11

Description

Type confusion in V8 in Google Chrome prior to 140.0.7339.185 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploitability: 3.9 | Impact: 5.9

Affected Packages (4 packages)

CVEListV5 | google/chrome | 140.0.7339.185 | 140.0.7339.185
NVD | google/chrome | < 140.0.7339.185
Debian | chromium/chromium | < 140.0.7339.185-1~deb12u1+2

🔴 Vulnerability Details (4)

CVEList | CVE-2025-10585: Type confusion in V8 in Google Chrome prior to 140 | 2025-09-24
OSV | CVE-2025-10585: Type confusion in V8 in Google Chrome prior to 140 | 2025-09-24
GHSA | GHSA-hmrc-68hp-82x6: Type confusion in V8 in Google Chrome prior to 140 | 2025-09-24
VulnCheck | Google Chromium V8 Type Confusion Vulnerability | 2025

📋 Vendor Advisories (6)

Chrome | Long Term Support Channel Update for ChromeOS: CVE-2025-10585 | 2025-10-10
Palo Alto | PAN-SA-2025-0016 Chromium: Monthly Vulnerability Update (October 2025) | 2025-10-08
CISA | Google Chromium V8 Type Confusion Vulnerability | 2025-09-23
Chrome | Stable Channel Update for Desktop: CVE-2025-10502 | 2025-09-17
Microsoft | Chromium: CVE-2025-10585 Type Confusion in V8 | 2025-09-09

🕵️ Threat Intelligence (8)

Bleepingcomputer | Google fixes eighth Chrome zero-day exploited in attacks in 2025 | 2025-12-11
Bleepingcomputer | Google fixes new Chrome zero-day flaw exploited in attacks | 2025-11-18
Qualys | Patch Automation for Browsers with TruRisk™ Eliminate | 2025-09-24
Qualys | Automated Browser Patching with Qualys TruRisk™ Eliminate | Qualys | 2025-09-24
Bleepingcomputer | Google patches sixth Chrome zero-day exploited in attacks this year | 2025-09-18