CVE-2025-10585
published 2025-09-24CVE-2025-10585: Type confusion in V8 in Google Chrome prior to 140.0.7339.185 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page…
PriorityP190critical9.8CVSS 3.1
AVNACLPRNUINSUCHIHAH
KEVITW
CISA Known Exploited Vulnerabilitydue 2025-10-14
Exploited in the wild
EPSS
5.42%
91.7th percentile
Type confusion in V8 in Google Chrome prior to 140.0.7339.185 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
Affected
9 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| chromium | chromium | >= 0 < 140.0.7339.185-1~deb12u1 | 140.0.7339.185-1~deb12u1 |
| chromium | chromium | >= 0 < 140.0.7339.185-1~deb13u1 | 140.0.7339.185-1~deb13u1 |
| chromium | chromium | >= 0 < 140.0.7339.185-1 | 140.0.7339.185-1 |
| debian | chromium | < chromium 140.0.7339.185-1~deb12u1 (bookworm) | chromium 140.0.7339.185-1~deb12u1 (bookworm) |
| chrome | < 140.0.7339.185 | 140.0.7339.185 | |
| chrome | >= 140.0.7339.185 < 140.0.7339.185 | 140.0.7339.185 | |
| chrome_chrome | — | — | |
| msrc | microsoft_edge | — | — |
| paloalto | prisma_browser | — | — |
Detection & IOCsextracted from sources · hover to see the quote
- →Google TAG reported this zero-day; exploitation pattern is consistent with government-sponsored threat actors targeting high-risk individuals (opposition politicians, dissidents, journalists) via crafted HTML pages delivered remotely. ↗
- →An in-the-wild exploit for CVE-2025-10585 has been confirmed by Google; treat any Chrome version prior to 140.0.7339.185 as actively exploitable. ↗
- →The vulnerability is a type confusion in V8 triggered via a crafted HTML page; monitor for suspicious renderer process crashes or unusual V8 JIT activity that may indicate heap corruption attempts. ↗
- ·The fix is rolling out gradually to the Stable Desktop channel; not all users will receive it immediately, so endpoint version checks are necessary to confirm patch status. ↗
CVSS provenance
nvdv3.19.8CRITICALCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
osv9.8CRITICAL
vulncheck9.8CRITICAL
cisa9.8CRITICAL
vendor_debian9.8CRITICAL
vendor_msrc9.8CRITICAL
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
OSV
CVE-2025-10585: Type confusion in V8 in Google Chrome prior to 140
osv·2025-09-24·CVSS 9.8
CVE-2025-10585 [CRITICAL] CVE-2025-10585: Type confusion in V8 in Google Chrome prior to 140
Type confusion in V8 in Google Chrome prior to 140.0.7339.185 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
GHSA
GHSA-hmrc-68hp-82x6: Type confusion in V8 in Google Chrome prior to 140
ghsa_unreviewed·2025-09-24
CVE-2025-10585 [HIGH] CWE-843 GHSA-hmrc-68hp-82x6: Type confusion in V8 in Google Chrome prior to 140
Type confusion in V8 in Google Chrome prior to 140.0.7339.185 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
VulnCheck
Google Chromium V8 Type Confusion Vulnerability
vulncheck·2025·CVSS 9.8
CVE-2025-10585 [CRITICAL] CWE-843 Google Chromium V8 Type Confusion Vulnerability
Google Chromium V8 Type Confusion Vulnerability
Google Chromium contains a type confusion vulnerability in the V8 JavaScript and WebAssembly engine.
Affected: Google Chromium V8
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Exploitation References: https://chromereleases.googleblog.com/2025/09/stable-channel-update-for-desktop_17.html?m=1; https://docs.google.com/spreadsheets/d/1lkNJ0uQwbeC1ZTRrxdtuPLCIl7mlUreoKfSIgajnSyY/edit; https://research.checkpoint.com/2025/22nd-september-threat-intelligence-report/; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; https://hs-8813571.f.hubspotemail.net/hubfs/8813571/PERISCOPE
Chrome
Long Term Support Channel Update for ChromeOS: CVE-2025-10585
vendor_chrome·2025-10-10·CVSS 9.8
CVE-2025-10585 [CRITICAL] Long Term Support Channel Update for ChromeOS: CVE-2025-10585
Long Term Support Channel Update for ChromeOS
CVE-2025-10585
Palo Alto
PAN-SA-2025-0016 Chromium: Monthly Vulnerability Update (October 2025)
vendor_paloalto·2025-10-08·CVSS 8.8
CVE-2025-9132 [HIGH] PAN-SA-2025-0016 Chromium: Monthly Vulnerability Update (October 2025)
PAN-SA-2025-0016 Chromium: Monthly Vulnerability Update (October 2025)
Palo Alto Networks incorporated the following Chromium security fixes into our products: https://chromereleases.googleblog.com/2025/09/stable-channel-update-for-desktop_23.html https://chromereleases.googleblog.com/2025/09/stable-channel-update-for-desktop_17.html https://chromereleases.googleblog.com/2025/09/stable-channel-update-for-desktop_9.html CVE Summary CVE-2025-9132 Out of bounds write in V8 CVE-2025-9478 Use after free in ANGLE CVE-2025-9864 Use after free in V8 CVE-2025-9865 Inappropriate implementation in Toolbar CVE-2025-9866 Inappropriate implementation in Extensions CVE-2025-9867 Inappropriate implementation in Downloads CVE-2025-10200 Use after free in Serviceworker CVE-2025-10201 Inappropriate implemen
CISA
Google Chromium V8 Type Confusion Vulnerability
cisa·2025-09-23·CVSS 9.8
CVE-2025-10585 [CRITICAL] CWE-843 Google Chromium V8 Type Confusion Vulnerability
Vulnerability: Google Chromium V8 Type Confusion Vulnerability
Affected: Google Chromium V8
Google Chromium contains a type confusion vulnerability in the V8 JavaScript and WebAssembly engine.
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Notes: https://chromereleases.googleblog.com/2025/09/stable-channel-update-for-desktop_17.html ; https://nvd.nist.gov/vuln/detail/CVE-2025-10585
Remediation Due Date: 2025-10-14
Chrome
Stable Channel Update for Desktop: CVE-2025-10502
vendor_chrome·2025-09-17·CVSS 8.8
CVE-2025-10502 [HIGH] Stable Channel Update for Desktop: CVE-2025-10502
Stable Channel Update for Desktop
CVE-2025-10502: Heap buffer overflow in ANGLE. Reported by Google Big Sleep on 2025-08-12 Google is aware that an exploit for CVE-2025-10585 exists in the wild
Severity: high
Microsoft
Chromium: CVE-2025-10585 Type Confusion in V8
vendor_msrc·2025-09-09·CVSS 9.8
CVE-2025-10585 [CRITICAL] Chromium: CVE-2025-10585 Type Confusion in V8
Chromium: CVE-2025-10585 Type Confusion in V8
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. Google is aware that an exploit for CVE-2025-10585 exists in the wild.
FAQ: What is the version information for this release?
Microsoft Edge Version
Date Released
Based on Chromium Version
140.0.3485.81
09/19/2025
140.0.7339.186
FAQ: Why is this Chrome CVE included in the Security Update Guide?
The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is n
Debian
CVE-2025-10585: chromium - Type confusion in V8 in Google Chrome prior to 140.0.7339.185 allowed a remote a...
vendor_debian·2025·CVSS 9.8
CVE-2025-10585 [CRITICAL] CVE-2025-10585: chromium - Type confusion in V8 in Google Chrome prior to 140.0.7339.185 allowed a remote a...
Type confusion in V8 in Google Chrome prior to 140.0.7339.185 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
Scope: local
bookworm: resolved (fixed in 140.0.7339.185-1~deb12u1)
bullseye: open
forky: resolved (fixed in 140.0.7339.185-1)
sid: resolved (fixed in 140.0.7339.185-1)
trixie: resolved (fixed in 140.0.7339.185-1~deb13u1)
No detection rules found.
No public exploits indexed.
Bleepingcomputer
Google fixes eighth Chrome zero-day exploited in attacks in 2025
blogs_bleepingcomputer·2025-12-11·CVSS 9.8
[CRITICAL] Google fixes eighth Chrome zero-day exploited in attacks in 2025
## Google fixes eighth Chrome zero-day exploited in attacks in 2025
## Sergiu Gatlan
The company has now fixed this high-severity vulnerability for users in the Stable Desktop channel, with new versions rolling out worldwide to Windows (143.0.7499.109), macOS (143.0.7499.110), and Linux users (143.0.7499.109).
While the security patch could take days or weeks to reach all users, according to Google, it was immediately available when BleepingComputer checked for updates earlier today.
If you prefer not to update manually, you can also let your web browser check for updates automatically and install them after the next launch.
Although Google didn't share any other details about this zero-day bug, including the CVE ID used to track it, and said it's still "under coordination."
"Access
Bleepingcomputer
Google fixes new Chrome zero-day flaw exploited in attacks
blogs_bleepingcomputer·2025-11-18·CVSS 9.8
[CRITICAL] Google fixes new Chrome zero-day flaw exploited in attacks
## Google fixes new Chrome zero-day flaw exploited in attacks
## Sergiu Gatlan
Google fixed the zero-day flaw with the release of 142.0.7444.175/.176 for Windows, 142.0.7444.176 for Mac, and 142.0.7444.175 for Linux.
While these new versions are scheduled to roll out to all users in the Stable Desktop channel over the coming weeks, the patch was immediately available when BleepingComputer checked for the latest updates.
Although the Chrome web browser updates automatically when security patches are available, users can also confirm they're running the latest version by going to Chrome menu > Help > About Google Chrome, letting the update finish, and then clicking on the 'Relaunch' button to install it.
Although Google has already confirmed that CVE-2025-13223 was used in attacks, i
Qualys
Patch Automation for Browsers with TruRisk™ Eliminate
blogs_qualys·2025-09-24·CVSS 9.8
CVE-2025-10585 [CRITICAL] Patch Automation for Browsers with TruRisk™ Eliminate
## Table of Contents
Conclusion: Automated Patching is the Smarter Way
Recently, CISA added a Chrome zero-day vulnerability, CVE-2025-10585 , to its Known Exploited Vulnerabilities (KEV) Catalog , confirming that threat actors are actively exploiting this high-severity flaw in real-world attacks.
This vulnerability affects multiple web browsers that utilize the Chromium engine, including Google Chrome, Microsoft Edge, Opera, and Brave.
CISA strongly urges all organizations and individual users to prioritize updating their browsers as part of essential vulnerability management practices.
A patch is available. You can find the vulnerability in Qualys VMDR and eliminate the risk as follows:
Find the vulnerability in VMDR
View Risk Elimination
Create Remediation job
We just launched a
Qualys
Automated Browser Patching with Qualys TruRisk™ Eliminate | Qualys
blogs_qualys·2025-09-24·CVSS 9.8
CVE-2025-10585 [CRITICAL] Automated Browser Patching with Qualys TruRisk™ Eliminate | Qualys
#### Table of Contents
- Conclusion: Automated Patching is the Smarter Way
Recently, CISA added a Chrome zero-day vulnerability, CVE-2025-10585, to its Known Exploited Vulnerabilities (KEV) Catalog, confirming that threat actors are actively exploiting this high-severity flaw in real-world attacks.
This vulnerability affects multiple web browsers that utilize the Chromium engine, including Google Chrome, Microsoft Edge, Opera, and Brave.
CISA strongly urges all organizations and individual users to prioritize updating their browsers as part of essential vulnerability management practices.
A patch is available. You can find the vulnerability in Qualys VMDR and eliminate the risk as follows:
- Find the vulnerability in VMDR
- View Risk Elimination
- Create Remediation job
We just laun
Checkpoint
22nd September – Threat Intelligence Report
blogs_checkpoint·2025-09-22
CVE-2025-10035 22nd September – Threat Intelligence Report
Latest Publications
CPR Podcast Channel
AI Research
Web 3.0 Security
Intelligence Reports
ThreatCloud AI
Threat Intelligence & Research
Zero Day Protection
Sandblast File Analysis
About Us
SUBSCRIBE
2026
2025
2024
2023
2022
2021
2020
2019
2018
2017
2016
## 22nd September – Threat Intelligence Report
For the latest discoveries in cyber research for the week of 22nd September, please download our Threat Intelligence Bulletin .
TOP ATTACKS AND BREACHES
Several major European airports including Heathrow, Berlin, Brussels, Dublin, and Cork have experienced a cyber-attack, resulting in disruptions to electronic check-in and baggage drop systems using Collins Aerospace’s MUSE software. The incident led to flights delays, cancellations, and diversions, with affected airp
Bleepingcomputer
Google patches sixth Chrome zero-day exploited in attacks this year
blogs_bleepingcomputer·2025-09-18·CVSS 9.8
[CRITICAL] Google patches sixth Chrome zero-day exploited in attacks this year
## Google patches sixth Chrome zero-day exploited in attacks this year
## Sergiu Gatlan
Google has released emergency security updates to patch a Chrome zero-day vulnerability, the sixth one tagged as exploited in attacks since the start of the year.
While it didn't specifically say whether this security flaw is still being actively abused in the wild, the company warned that it has a public exploit, a common indicator of active exploitation.
"Google is aware that an exploit for CVE-2025-10585 exists in the wild," Google warned in a security advisory published on Wednesday.
This high-severity zero-day vulnerability is caused by a type confusion weakness in the web browser's V8 JavaScript engine, reported by Google's Threat Analysis Group on Tuesday.
Google TAG frequently flags zero-d
Qualys
Zero-Day Vulnerability Protection | Detect & Stop Threats | Qualys
blogs_qualys·2025-04-18
Zero-Day Vulnerability Protection | Detect & Stop Threats | Qualys
## Table of Contents
Why Zero-Day Vulnerabilities Demand a New Security Mindset
Understanding Zero-Day Vulnerabilities, Exploits, and Attacks
How Do Zero-Day Attacks Work?
The Zero-Day Lifecycle: From Discovery to Exploitation
Real-World Zero-Day Attacks and Their Impact
Why Zero-Day Vulnerabilities Are So Dangerous
Detecting Zero-Day Vulnerabilities
Challenges in Identifying Zero-Day Vulnerabilities
How Qualys Helps Organizations Manage Zero-Day Risk
Conclusion
Frequently Asked Questions (FAQs)
Executive Summary
Zero-day vulnerabilities pose a significant and growing risk as opportunistic attackers rapidly exploit unknown flaws before fixes are available. These threats can bypass traditional defenses, spread rapidly, and cause widespread disruption across organizations.
To r
Qualys
Zero-Day Vulnerability Protection | Detect & Stop Threats | Qualys
blogs_qualys·2025-04-18
Zero-Day Vulnerability Protection | Detect & Stop Threats | Qualys
#### Table of Contents
- Why Zero-Day Vulnerabilities Demand a New Security Mindset
- Understanding Zero-Day Vulnerabilities, Exploits, and Attacks
- How Do Zero-Day Attacks Work?
- The Zero-Day Lifecycle: From Discovery to Exploitation
- Real-World Zero-Day Attacks and Their Impact
- Why Zero-Day Vulnerabilities Are So Dangerous
- Detecting Zero-Day Vulnerabilities
- Challenges in Identifying Zero-Day Vulnerabilities
- How Qualys Helps Organizations Manage Zero-Day Risk
- Conclusion
- Frequently Asked Questions (FAQs)
Executive Summary
Zero-day vulnerabilities pose a significant and growing risk as opportunistic attackers rapidly exploit unknown flaws before fixes are available. These threats can bypass traditional defenses, spread rapidly, and cause widespread disruption across organi
Recorded Future
September 2025 CVE Landscape
blogs_recorded_future·CVSS 7.2
[HIGH] September 2025 CVE Landscape
# September 2025 CVE Landscape
In September 2025, Recorded Future’s Insikt Group® identified sixteen high-impact vulnerabilities that should be prioritized for remediation. This represents a decrease from the eighteen identified in August, with the number of Very Critical vulnerabilities also decreasing (11) month over month.
These vulnerabilities have affected the following vendors: Sudo, Libraesva, Fortra, Cisco, Adminer, Google, Dassault Systèmes, Linux, Android, Sitecore, TP-Link, and Meta Platforms.
September was dominated by flaws in Cisco and TP-Link, which together represented six of the sixteen vulnerabilities. Cisco’s IOS, IOS XE, and Secure Firewall products were affected by flaws, including stack-based and classic buffer overflows (CWE-121, CWE-120) and missing authorization
2025-09-24
Published
2025-09-23
Added to CISA KEV
Exploited in the wild