On Wednesday, Google rolled out security updates for a Chrome vulnerability actively exploited in the wild. Tracked as CVE-2025-10585, the vulnerability is a type confusion flaw in the V8 JavaScript and WebAssembly engine. Google Threat Analysis Group discovered and reported the vulnerability.
CISA acknowledged the vulnerability’s active exploitation by adding it to its Known Exploited Vulnerabilities Catalog and urging users to patch it before October 14, 2025.
This is the sixth zero-day vulnerability Google has patched since the start of the year. The previous ones are listed below:
Google also addressed three other vulnerabilities alongside CVE-2025-10585. They are listed below:
- CVE-2025-10500: A use-after-free flaw in Dawn. Dawn is Chrome’s implementation of the WebGPU standard.
- CVE-2025-10501: A use-after-free flaw in WebRTC (Web Real-Time Communication). The technology enables peer-to-peer communication.
- CVE-2025-10502: Heap buffer overflow in ANGLE. ANGLE is the default WebGL backend for Google Chrome on Windows platforms.
Qualys Threat Intelligence assigned a Qualys Vulnerability Score (QVS) of 95 to the vulnerability. QVS is a Qualys-assigned score based on multiple factors associated with the CVE, such as its CVSS rating and external threat indicators like active exploitation, exploit code maturity, inclusion in CISA’s Known Exploited Vulnerabilities catalog, and many more.
Affected Versions
The vulnerability affects Google Chrome versions before 140.0.7339.185.
Mitigation
Customers must upgrade to the latest stable channel version 140.0.7339.185/.186 for Windows/Mac, and 140.0.7339.185 for Linux.
For more information, please refer to the Google Chrome Release Page.
Microsoft has released Microsoft Edge Stable Channel version 140.0.3485.81 to address CVE-2025-10585, which the Chromium team has reported as being exploited in the wild.
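As an added example (not code from Qualys, Google or Microsoft), the following Python snippet turns the fixed versions named above into an inventory check: it flags any Chrome or Edge build that predates the fix for CVE-2025-10585. The fixed version strings come from this advisory; the hostnames and installed versions in the sample inventory are constructed, and all function and variable names are my own.

```python
"""
Added example: flag Chromium-based browser builds older than the release
that fixed CVE-2025-10585. Fixed versions are the ones stated in the advisory;
the sample inventory below is constructed for illustration only.
"""
from typing import List, Tuple

# First build that contains the fix, per the advisory text. Chrome's
# Windows/Mac build 140.0.7339.186 is newer than .185 and therefore passes.
FIXED_VERSIONS = {
    "chrome": "140.0.7339.185",
    "edge": "140.0.3485.81",
}

InventoryRecord = Tuple[str, str, str]  # (hostname, product, installed version)


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '140.0.7339.185' into (140, 0, 7339, 185) so components compare
    numerically. Plain string comparison is wrong here: '99' > '140'."""
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {version!r}")
    return tuple(int(p) for p in parts)


def is_vulnerable(product: str, installed: str) -> bool:
    """True when the installed build predates the fix for CVE-2025-10585.
    An unknown product raises rather than silently reporting 'not vulnerable'."""
    key = product.lower()
    if key not in FIXED_VERSIONS:
        raise KeyError(f"no fixed version on record for product {product!r}")
    return parse_version(installed) < parse_version(FIXED_VERSIONS[key])


def triage(inventory: List[InventoryRecord]) -> List[InventoryRecord]:
    """Return the records that still need patching, preserving inventory order."""
    return [rec for rec in inventory if is_vulnerable(rec[1], rec[2])]


# Constructed sample inventory; hostnames and versions are made up.
SAMPLE_INVENTORY: List[InventoryRecord] = [
    ("ws-001", "chrome", "140.0.7339.127"),   # older patch level, vulnerable
    ("ws-002", "chrome", "140.0.7339.186"),   # Windows/Mac fixed build, fine
    ("ws-003", "chrome", "140.0.7339.185"),   # Linux fixed build, fine
    ("ws-004", "edge", "140.0.3485.66"),      # Edge before the fix, vulnerable
    ("ws-005", "edge", "140.0.3485.81"),      # Edge fixed build, fine
    ("ws-006", "chrome", "139.0.7258.154"),   # previous major version, vulnerable
]

if __name__ == "__main__":
    for host, product, version in triage(SAMPLE_INVENTORY):
        print(f"{host}: {product} {version} predates the fix for CVE-2025-10585")
```

The comparison works on integer tuples rather than on the raw strings, which matters as soon as a component crosses a digit boundary (for example, a 99.x build would sort after 140.x as text). Feeding the function a real inventory export is a matter of replacing `SAMPLE_INVENTORY` with records from your asset source.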
Qualys Detection
Qualys customers can scan their devices with QIDs 385233 and 385336 to detect vulnerable assets.
Rapid Response with TruRisk™ Eliminate
Qualys TruRisk™ Eliminate and its Zero-Touch Patching feature provide a seamless, automated process of patching a vulnerability like this.
Zero-Touch Patching identifies the most vulnerable products in your environment and automates the deployment of necessary patches and configuration adjustments. This streamlines the patching process and ensures vulnerabilities are addressed promptly.
Please continue to follow Qualys Threat Protection for more coverage of the latest vulnerabilities.
References
https://chromereleases.googleblog.com/2025/09/stable-channel-update-for-desktop_17.html
Hi, will there be a QID published soon for Microsoft Edge Chromium as well? Microsoft just released a patch for this as of this morning, on September 19, 2025.