Google patches a Chrome zero-day; the vulnerability is already being exploited in attacks

Google has released updates for Chrome to address four vulnerabilities. According to the company, one of them (CVE-2025-10585) has already been exploited by attackers.

The zero-day is a type-confusion issue in the V8 JavaScript engine. It was identified by Google’s Threat Analysis Group (TAG), which often uncovers zero-day vulnerabilities used by “government” hackers in targeted espionage campaigns.

“Google is aware of an exploit for CVE-2025-10585,” the researchers warn. As a rule, such a warning means that hackers are already exploiting the vulnerability in real-world attacks.

As usual, the company did not provide any additional details about how exactly the vulnerability can be used in attacks, by whom, or at what scale. This is done to prevent other attackers from taking advantage of the bug until most users have installed the patches.

The 0-day has been fixed in Chrome versions 140.0.7339.185/.186 for Windows/Mac and 140.0.7339.185 for Linux, which will be rolled out to users in the coming weeks.

CVE-2025-10585 is the sixth zero-day vulnerability fixed in Chrome in 2025 that had already been exploited by attackers.
