On Wednesday, Google rolled out security updates for a Chrome vulnerability actively exploited in the wild. Tracked as CVE-2025-10585, the vulnerability is a type confusion flaw in the V8 JavaScript and WebAssembly engine. Google Threat Analysis Group discovered and reported the vulnerability.
This is the sixth zero-day vulnerability Google has patched since the start of the year. The previous ones are listed below:
Google also addressed three other vulnerabilities alongside CVE-2025-10585. They are listed below:
- CVE-2025-10500: A use-after-free flaw in Dawn, Chrome's implementation of the WebGPU standard.
- CVE-2025-10501: A use-after-free flaw in WebRTC (Web Real-Time Communication), the technology that enables peer-to-peer communication.
- CVE-2025-10502: A heap buffer overflow in ANGLE, the default WebGL backend for Google Chrome on Windows platforms.
Affected Versions
The vulnerability affects Google Chrome versions before 140.0.7339.185.
Mitigation
Customers must upgrade to the latest stable channel version 140.0.7339.185/.186 for Windows/Mac, and 140.0.7339.185 for Linux.
For more information, please refer to the Google Chrome Release Page.
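The version boundary above is easy to get wrong when inventory tooling compares version strings lexically ("140.0.7339.99" sorts after "140.0.7339.185" as text). The following is an added example, not Qualys or Google code, that parses Chrome build numbers into integer tuples and triages a constructed inventory against the fixed version 140.0.7339.185 stated in this advisory; the hostnames, platforms and versions in the sample data are made up, and the CSV-style inventory format is an assumption.

```python
"""Check Chrome build versions against the CVE-2025-10585 fixed release.

Added example, not Qualys or Google code. The fixed version comes from the
advisory text: 140.0.7339.185/.186 for Windows and Mac, 140.0.7339.185 for
Linux. The inventory rows below are constructed sample data.
"""
from __future__ import annotations

# First build on every platform that carries the fix; Windows/Mac may also
# report .186, which compares as newer and is therefore treated as patched.
FIXED_VERSION = (140, 0, 7339, 185)

# Constructed inventory lines in "hostname,platform,chrome_version" form
# (the format itself is an assumption for this example).
SAMPLE_INVENTORY = """\
ws-0101,windows,139.0.7258.154
ws-0102,windows,140.0.7339.186
ws-0103,mac,140.0.7339.185
srv-lin-7,linux,140.0.7339.127
ws-0104,linux,140.0.7339.185
ws-0105,windows,141.0.7390.10
"""


def parse_version(version: str) -> tuple[int, ...]:
    """Turn '140.0.7339.185' into (140, 0, 7339, 185) for tuple comparison.

    Integer tuples avoid the string-ordering trap where '140.0.7339.99'
    would sort after '140.0.7339.185'.
    """
    parts = version.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected Chrome version format: {version!r}")
    return tuple(int(p) for p in parts)


def is_vulnerable(version: str) -> bool:
    """True if the build predates 140.0.7339.185 on any platform."""
    return parse_version(version) < FIXED_VERSION


def triage_inventory(inventory: str) -> list[tuple[str, str, str]]:
    """Return (host, platform, version) rows that still need the patch."""
    needs_patch = []
    for line in inventory.splitlines():
        if not line.strip():
            continue
        host, platform, version = (field.strip() for field in line.split(","))
        if is_vulnerable(version):
            needs_patch.append((host, platform, version))
    return needs_patch


if __name__ == "__main__":
    for host, platform, version in triage_inventory(SAMPLE_INVENTORY):
        print(f"{host} ({platform}) runs Chrome {version}: "
              f"upgrade to 140.0.7339.185 or later")
```

Because the Windows/Mac ".186" build is numerically newer than the Linux ".185" build, a single numeric threshold covers all three platforms; the platform column is carried through only for reporting.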
Qualys Detection
Qualys customers can scan their devices with QID 385233 to detect vulnerable assets.
Rapid Response with TruRisk™ Eliminate
Qualys TruRisk™ Eliminate and its Zero-Touch Patching feature provide a seamless, automated process of patching a vulnerability like this.
Zero-Touch Patching identifies the most vulnerable products in your environment and automates the deployment of necessary patches and configuration adjustments. This streamlines the patching process and ensures vulnerabilities are addressed promptly.
Please continue to follow Qualys Threat Protection for more coverage of the latest vulnerabilities.
References
https://chromereleases.googleblog.com/2025/09/stable-channel-update-for-desktop_17.html