Google has issued an urgent security alert for all users of its Chrome browser, confirming that an active exploit targeting a critical vulnerability, CVE-2025-10585, is currently being used in real-world attacks. The flaw resides in Chromium’s V8 JavaScript engine and has prompted Google to release an emergency update for all desktop versions of Chrome.
The vulnerability, classified as a Type Confusion issue, was discovered by Google’s own Threat Analysis Group (TAG) and reported on September 16, 2025. Just 48 hours later, the company pushed out a fix, underlining the severity of the issue.
According to the official Chrome Releases blog, users should update to version 140.0.7339.185 or .186 on Windows and macOS, and to 140.0.7339.185 on Linux.
What Is CVE-2025-10585?
CVE-2025-10585 affects the V8 engine, Chromium’s JavaScript and WebAssembly engine used across multiple browsers. The Type Confusion flaw can allow attackers to mislead the browser about object types, potentially resulting in arbitrary code execution, browser crashes, or full system compromise in severe cases.
The vulnerability has been awarded a “High” severity rating, and because it is actively being exploited, Google has opted to withhold specific technical details. In their own words:
“Access to bug details and links may be kept restricted until a majority of users are updated with a fix.”
Update Rollout and Installation
The security update is part of a broader rollout and should be installed automatically. Users are encouraged to restart their browsers promptly after receiving the update. Note that regular tabs will be restored after the restart, but incognito sessions will be lost.
To verify that the update has been applied, users can navigate to chrome://settings/help in their browser. If the version displayed is 140.0.7339.185 or higher, the fix for CVE-2025-10585 is in place.
Other Vulnerabilities Patched
In addition to CVE-2025-10585, the emergency update addresses three other high-severity vulnerabilities:
- CVE-2025-10500: A use-after-free issue in Dawn, reported by Gyujeong Jin (rewarded $15,000).
- CVE-2025-10501: Another use-after-free vulnerability, this time in WebRTC, discovered by researcher “sherkito” (rewarded $10,000).
- CVE-2025-10502: A heap buffer overflow in ANGLE, reported by the Google Big Sleep team.
While these vulnerabilities are serious, only CVE-2025-10585 is known to be exploited in the wild at this time.
Impact Across Chromium-Based Browsers
Because both Google Chrome and Microsoft Edge share the Chromium base, users of Edge and other Chromium-derived browsers should also anticipate security patches in the near future. Microsoft has not yet issued an official advisory, but is expected to follow suit given the shared codebase.
Google emphasized that the full disclosure of technical details will be deferred to prevent aiding malicious actors, especially since the vulnerability could exist in third-party libraries used by other projects.
“We will also retain restrictions if the bug exists in a third-party library that other projects similarly depend on, but haven’t yet fixed,” Google noted.
The company thanked external researchers and highlighted the internal tools used to catch vulnerabilities early, such as AddressSanitizer, MemorySanitizer, UndefinedBehaviorSanitizer, and Control Flow Integrity.
All users are strongly advised to ensure their browsers are up to date. This is not a routine patch cycle; Google has confirmed real-world attacks are underway, and a delay in updating could leave systems exposed. For Chrome users, the emergency update is rolling out now. A simple restart could make the difference between staying secure and being compromised.
