Friday, September 19, 2025
Latest:

Threatshub.org sponsored-Post

The Register

Google pushes emergency patch for Chrome 0-day – check your browser version now

TH Author

Google pushed an emergency patch for a high-severity Chrome flaw, already under active exploitation. So it’s time to make sure you’re running the most recent version of the web browser.

The vuln, tracked as CVE-2025-10585, is a type confusion flaw in the V8 JavaScript and WebAssembly engine. This kind of vulnerability exists when the engine misinterprets a block of memory as one type of object when it’s actually something else, and can lead to system crashes, arbitrary code execution, and when chained with other bugs, potentially a full system compromise via a malicious HTML page.

“Google is aware that an exploit for CVE-2025-10585 exists in the wild,” the Chocolate Factory warned.

Google Threat Analysis Group (TAG) discovered and reported the vulnerability, and, as usual with Google security holes, there’s no additional information about who is abusing this vulnerability and what they are doing with the illicit access.

However, considering the criminal crews that TAG tracks – these include nation-state spies and commercial spyware vendors – it’s likely that this CVE was abused as a zero-day to steal sensitive information and snoop on high-value targets.

To protect against this vulnerability, plus three other high-severity Chrome issues disclosed and fixed on Wednesday, update your browser to versions 140.0.7339.185/.186 for Windows and Apple macOS, and 140.0.7339.185 for Linux. 

Chrome browsers update automatically, but may not do it right away and will require an app restart when they do. To force an immediate update, type chrome://settings/help into your omnibox and, if you are not already on the latest version, your browser will download it and then tell you to relaunch.

Chrome version page

Chrome version page – Click to enlarge

This is the sixth Chrome bug exploited as a zero-day this year – all have since been patched. 

The other five include CVE-2025-2783, a sandbox-breaking bug seemingly used by snoops to target certain folks in Russia, and CVE-2025-4664, which could be exploited by a remote attacker to bypass security policies in Chrome’s Loader, allowing unauthorized code execution or sandbox escape.

There was also CVE-2025-5419, an out-of-bounds read and write vulnerability in the V8 JavaScript engine that could allow a remote attacker to corrupt memory and potentially hijack execution. Attackers could use the exploit to expose sensitive data and/or execute arbitrary code and crash the user’s machine.

Another V8 vulnerability, CVE-2025-6554, also allowed a remote attacker to perform an arbitrary read/write via a specially crafted HTML page.

And finally, CVE-2025-6558, due to insufficient validation of untrusted input in ANGLE and GPU, could allow a remote attacker to escape the sandbox using an HTML page. ®

READ MORE HERE