New Zero-Day CVE-2025-10585 Exploit in Chrome's V8 Engine

Edward Zhou

CEO & Co-Founder

 
October 23, 2025 3 min read

TL;DR

A critical zero-day vulnerability, CVE-2025-10585, has been found in Chrome's V8 JavaScript engine and is actively exploited. This flaw allows attackers to execute malicious code on user systems by luring them to compromised websites. Google has released an urgent update to patch this and other vulnerabilities. Ensure your Chrome browser and other Chromium-based browsers are updated immediately to prevent potential compromise.

Chrome V8 Zero-Day Vulnerability: CVE-2025-10585

A new zero-day vulnerability, CVE-2025-10585, has been discovered in Google Chrome's V8 JavaScript and WebAssembly engine and is actively being exploited in the wild. This high-severity type confusion flaw allows attackers to execute malicious code on victims' systems by luring them to compromised websites with crafted JavaScript.

Technical Details of CVE-2025-10585

CVE-2025-10585 is a type confusion vulnerability within the V8 JavaScript engine, which can lead to arbitrary code execution. The vulnerability occurs when the V8 engine misinterprets the type of the data it is working with, leading to memory corruption and potential control of the browser. Google's Threat Analysis Group discovered the flaw on September 16, 2025. Technical and exploitation details are being withheld to prevent further abuse before users can apply the patch. Type confusion vulnerabilities have been exploited in the past through websites with specially crafted JavaScript code that triggers the vulnerability when users visit these malicious sites.

Impact and Exploitation

Successful exploitation of CVE-2025-10585 allows a remote attacker to execute arbitrary code on the user's computer by luring the user to a malicious website whose crafted JavaScript triggers the type confusion and the resulting memory corruption. Google's advisory confirms that an exploit for CVE-2025-10585 exists in the wild, marking it as the sixth zero-day in Chrome this year to be actively exploited.

Affected Versions and Updates

The vulnerability affects Google Chrome versions prior to:

  • Chrome 140.0.7339.185/.186 on Windows and macOS
  • Chrome 140.0.7339.185 on Linux

Users are advised to update to the latest versions to mitigate the risk. The update also patches three other high-severity vulnerabilities, including CVE-2025-10500, a use-after-free bug in the Dawn WebGPU implementation. Users of other Chromium-based browsers, such as Microsoft Edge, Brave, Opera, and Vivaldi, should also install the corresponding security updates as soon as they are released.
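A fleet-side check against the fixed builds listed above, as an added example that is not part of the original article: it classifies reported browser versions against 140.0.7339.185 and defers other Chromium-based browsers to their vendors, since their build numbers differ. The inventory rows, host names and status labels are constructed for illustration.

```python
import re

# First fixed Chrome build per the article (Windows/macOS also ship .186).
FIXED_BUILD = (140, 0, 7339, 185)
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Extract a four-part Chromium version tuple from free-form text."""
    m = VERSION_RE.search(text)
    return tuple(int(p) for p in m.groups()) if m else None


def classify(product, version_text):
    """Return 'patched', 'vulnerable', 'check-vendor' or 'unparsed'."""
    version = parse_version(version_text)
    if version is None:
        return "unparsed"
    # Other Chromium-based browsers use their own build numbers, so the
    # Chrome threshold does not apply; defer to the vendor's advisory.
    if product.strip().lower() != "google chrome":
        return "check-vendor"
    # Tuple comparison is numeric per component, so 7339.99 < 7339.185
    # (a plain string comparison would get this case wrong).
    return "patched" if version >= FIXED_BUILD else "vulnerable"


# Constructed inventory rows: (host, product, reported version string).
INVENTORY = [
    ("ws-001", "Google Chrome", "Google Chrome 140.0.7339.185"),
    ("ws-002", "Google Chrome", "Google Chrome 140.0.7339.99"),
    ("ws-003", "Google Chrome", "139.0.7258.155"),
    ("mac-01", "Google Chrome", "Google Chrome 141.0.7390.55"),
    ("ws-004", "Microsoft Edge", "140.0.1000.10"),
    ("ws-005", "Google Chrome", "unknown"),
]


def audit(rows):
    """Map each host to its classification."""
    return {host: classify(product, text) for host, product, text in rows}


if __name__ == "__main__":
    for host, status in audit(INVENTORY).items():
        print(f"{host}: {status}")
```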

Mitigation and Detection Strategies

To mitigate the risks associated with CVE-2025-10585, users should update Chrome to the latest version. Organizations should prioritize patching and apply extra safeguards until all systems are updated. SOC Prime offers detection tools and Sigma rules to identify exploitation attempts.

General detection methods include:

  • Monitoring for unusual outbound connections from Chrome processes.
  • Using Endpoint Detection and Response (EDR) solutions to observe abnormal behaviors.
  • Regularly reviewing system and application logs for error messages related to the V8 engine.

Related Vulnerabilities and Security Practices

This is the sixth actively exploited Chrome zero-day this year. Other recent vulnerabilities include CVE-2025-5419 and CVE-2025-6558. Users should avoid clicking on suspicious links in emails or on websites. Running a dedicated security solution on all devices is also recommended. Staying updated with the latest security patches is crucial, even for those who may not consider themselves high-risk targets.

Edward Zhou

CEO & Co-Founder of Gopher Security, leading the development of Post-Quantum cybersecurity technologies and solutions.
