Google on Wednesday rushed out a Chrome replace that resolves a vulnerability exploited in assaults, the sixth zero-day addressed within the browser this yr.
Tracked as CVE-2025-10585 and reported by Google’s Risk Evaluation Group (TAG) on September 16, the flaw is described as a kind confusion within the V8 JavaScript and WebAssembly engine.
Sort confusion bugs are reminiscence issues of safety that may set off sudden software program conduct, which may result in crashes, distant code execution, and different forms of assaults.
Utilizing crafted HTML pages, risk actors may exploit sort confusion defects in V8 to carry out arbitrary learn/write operations remotely.
“Google is conscious that an exploit for CVE-2025-10585 exists within the wild,” the web big notes in its advisory. No particulars had been launched on the vulnerability or its exploitation.
The truth that it was reported by Google TAG implies {that a} adware vendor may need exploited it. TAG researchers have uncovered quite a few security holes exploited by industrial adware, together with bugs in Chrome.
The most recent browser replace additionally resolves two use-after-free flaws in Daybreak (CVE-2025-10500) and WebRTC (CVE-2025-10501), for which Google handed out rewards of $15,000 and $10,000, respectively.
Moreover, the replace accommodates fixes for a heap buffer overflow within the ANGLE graphics engine (CVE-2025-10502) found by the Massive Sleep AI agent, which Google says can discover security defects that attackers already learn about and plan on exploiting.
The web big has but to reveal the bug bounty quantity to be paid for the ANGLE flaw. No reward will likely be handed out for the exploited vulnerability as a result of it was found internally.
The most recent Chrome iteration is now rolling out as variations 140.0.7339.185/.186 for Home windows and macOS, and as model 140.0.7339.185 for Linux.
