Actively exploited vulnerability in Chromeβs JavaScript engine puts millions at risk
Google has released an emergency security update for Chrome, patching several high-severity vulnerabilities β including a zero-day flaw already being exploited in the wild. Security experts are urging users to update their browsers immediately.
π What Happened?
On September 16, 2025, Google confirmed that attackers were exploiting a flaw in Chromeβs V8 JavaScript engine. Identified as CVE-2025-10585, the vulnerability could allow attackers to execute arbitrary code by luring users to malicious websites.
In simple terms, visiting a compromised webpage could be enough to let hackers gain control of your system.
Google also patched additional issues affecting:
- ANGLE (graphics layer)
- WebRTC (real-time communications)
- Media components
π Why It Matters
- Chrome powers over 3.5 billion devices worldwide, making it one of the most targeted applications.
- This is the fifth Chrome zero-day patched in 2025.
- Attackers often weaponize such exploits quickly, using them in drive-by download attacks and malicious ads.
π¬ Expert Opinions
Dr. Laura Chen, Senior Security Researcher at SafeNet Labs:
βBrowser zero-days are among the most dangerous because they require no user interaction beyond visiting a webpage. The attack surface is enormous.β
Rajiv Menon, CISO at a fintech startup:
βThe frequency of Chrome zero-days shows attackers are aggressively targeting browser engines. Delaying updates can be catastrophic.β
π How to Stay Safe
Google is rolling out the fixed version of Chrome:
- Windows/Mac/Linux: Version 129.0.6668.70
- Android/iOS: Update via Play Store or App Store
Steps to update manually:
- Open Chrome.
- Go to Settings > Help > About Google Chrome.
- Chrome will check for updates and restart.
π¨ The Bigger Picture
Zero-day attacks against browsers are no longer rare β they are the new normal. As attackers exploit web technologies used by billions daily, timely patching and layered defenses are critical for both businesses and individuals.
π Full Advisory on CVE-2025-10585 (Chrome Zero-Day)
- This zero-day is a type confusion vulnerability in the V8 JavaScript (and WebAssembly) engine of Chrome. Chrome Releases+3TechRadar+3The Hacker News+3
- It was discovered by Googleβs Threat Analysis Group (TAG) on September 16, 2025. The Hacker News+2Chrome Releases+2
- It is being actively exploited in the wild β Google confirms that exploits for CVE-2025-10585 exist already. The Hacker News+2Chrome Releases+2
π οΈ What Versions Are Affected & Patched
- Chrome versions before 140.0.7339.185/.186 for Windows and macOS are vulnerable. TechRadar+2Help Net Security+2
- For Linux, version 140.0.7339.185 and earlier are affected. TechRadar+2Help Net Security+2
- The patched (fixed) versions are:
- Windows / macOS β 140.0.7339.185 / 140.0.7339.186 TechRadar+2Chrome Releases+2
- Linux β 140.0.7339.185 TechRadar+2Chrome Releases+2
β οΈ Additional Issues Fixed Alongside
Along with CVE-2025-10585, Googleβs update also fixes several other high-severity bugs:
- CVE-2025-10500: Use-after-free in Dawn TechRadar+1
- CVE-2025-10501: Use-after-free in WebRTC TechRadar+1
- CVE-2025-10502: Heap buffer overflow in ANGLE TechRadar+1
β Advice from Google & What Users Should Do
- Users should update Chrome immediately to the versions above. Chrome Releases+1
- If auto-updates are off, go to Chrome menu β Help β About Google Chrome β let it update and restart. Help Net Security+1
- Users of Chromium-based browsers (like Edge, Brave, Opera) should watch for their vendors to push similar fixes. The Hacker News+1
- Detail disclosure is restricted for now to prevent malicious actors from exploiting unpatched versions.
π Full advisory: Google Chrome Releases Security Update (CVE-2025-10585)
