Google has released emergency security updates to patch a Chrome zero-day vulnerability, the sixth one tagged as exploited in attacks since the start of the year.
While it did not specifically say whether this security flaw is still being actively abused in the wild, the company warned that a public exploit exists, a common indicator of active exploitation.
“Google is aware that an exploit for CVE-2025-10585 exists in the wild,” Google warned in a security advisory published on Wednesday.
This high-severity zero-day vulnerability is caused by a type confusion weakness in the web browser’s V8 JavaScript engine, reported by Google’s Threat Analysis Group on Tuesday.
Google TAG frequently flags zero-days exploited by government-sponsored threat actors in targeted spyware campaigns aimed at high-risk individuals, including but not limited to opposition politicians, dissidents, and journalists.
The company mitigated the security issue one day later with the release of 140.0.7339.185/.186 for Windows/Mac, and 140.0.7339.185 for Linux, versions that will roll out to the Stable Desktop channel over the coming weeks.
While Chrome automatically updates when new security patches are available, you can speed up the process by going to the Chrome menu > Help > About Google Chrome, allowing the update to finish, and then clicking the ‘Relaunch’ button to install it immediately.
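Because the fix only takes effect once the browser is relaunched on a build at or above the versions named above, defenders typically want a quick way to flag hosts still on a vulnerable build. The following is an added example (not part of the original article or any Google tooling) that compares version strings such as the output of `google-chrome --version` against the fixed builds for CVE-2025-10585; the inventory records are constructed for illustration.

```python
import re

# Lowest Stable build per platform that contains the fix, as stated in the
# article: 140.0.7339.185/.186 for Windows and Mac, 140.0.7339.185 for Linux.
FIXED_BUILDS = {
    "windows": (140, 0, 7339, 185),
    "mac": (140, 0, 7339, 185),
    "linux": (140, 0, 7339, 185),
}

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Extract the four-part version from text such as the output of
    `google-chrome --version` ("Google Chrome 140.0.7339.185").
    Returns None when no version is present."""
    m = _VERSION_RE.search(text)
    return tuple(int(p) for p in m.groups()) if m else None


def is_patched(version_text, platform):
    """True only when the parsed version is at or above the fixed build.
    Tuple comparison treats each component numerically, so 140.0.7339.9
    sorts below 140.0.7339.185; an unparseable version counts as unpatched."""
    parsed = parse_version(version_text)
    return parsed is not None and parsed >= FIXED_BUILDS[platform.lower()]


def triage(inventory):
    """Return hosts from (host, platform, version string) records that are
    still on a vulnerable build and should be updated and relaunched."""
    return [host for host, platform, ver in inventory
            if not is_patched(ver, platform)]


# Constructed inventory records for illustration, not real hosts.
SAMPLE_INVENTORY = [
    ("wks-01", "windows", "Google Chrome 140.0.7339.186"),
    ("wks-02", "linux", "Google Chrome 140.0.7339.127"),
    ("wks-03", "mac", "Google Chrome 139.0.7258.155"),
    ("wks-04", "linux", "Google Chrome 140.0.7339.185"),
    ("wks-05", "windows", "version unknown"),
]

if __name__ == "__main__":
    print("Unpatched:", triage(SAMPLE_INVENTORY))
```

A host whose version cannot be parsed is reported as unpatched on purpose, so an inventory gap is never mistaken for a fixed browser.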

Although Google has already confirmed that CVE-2025-10585 was used in attacks, it has yet to share further details regarding in-the-wild exploitation.
“Access to bug details and links may be kept restricted until a majority of users are updated with a fix,” Google said. “We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven’t yet fixed.”
This is the sixth actively exploited Chrome zero-day fixed by Google this year, with five more patched in March, May, June, and July.
In July, it addressed another actively exploited zero-day (CVE-2025-6558) reported by Google TAG researchers, which allowed attackers to escape the browser’s sandbox protection.
Google released additional emergency security updates in May to address a Chrome zero-day (CVE-2025-4664) that let attackers hijack accounts, and fixed an out-of-bounds read and write weakness (CVE-2025-5419) in Chrome’s V8 JavaScript engine discovered by Google TAG in June.
In March, it also patched a high-severity sandbox escape flaw (CVE-2025-2783) reported by Kaspersky, which was used in espionage attacks against Russian government organizations and media outlets.
Last year, Google patched 10 more zero-day bugs that were either demoed during Pwn2Own hacking competitions or exploited in attacks.