
"Tracked as CVE-2025-10585 and reported by Google's Threat Analysis Group (TAG) on September 16, the flaw is described as a type confusion in the V8 JavaScript and WebAssembly engine. Type confusion bugs are memory safety issues that can trigger unexpected software behavior, which could lead to crashes, remote code execution, and other types of attacks. Using crafted HTML pages, threat actors could exploit type confusion defects in V8 to perform arbitrary read/write operations remotely. "Google is aware that an exploit for CVE-2025-10585 exists in the wild," the internet giant notes in its advisory. No details were released on the vulnerability or its exploitation."
"The fact that it was reported by Google TAG implies that a spyware vendor might have exploited it. TAG researchers have uncovered numerous security holes exploited by commercial spyware, including bugs in Chrome. The latest browser update also resolves two use-after-free flaws in Dawn (CVE-2025-10500) and WebRTC (CVE-2025-10501), for which Google handed out rewards of $15,000 and $10,000, respectively."
"Additionally, the update contains fixes for a heap buffer overflow in the ANGLE graphics engine (CVE-2025-10502) discovered by the Big Sleep AI agent, which Google says can find security defects that attackers already know about and plan on exploiting. The internet giant has yet to disclose the bug bounty amount to be paid for the ANGLE flaw. No reward will be handed out for the exploited vulnerability because it was discovered internally. The latest Chrome iteration is now rolling out as versions 140.0.7339.185/.186 for Windows and macOS, and as version 140.0.7339.185 for Linux."
Google released a Chrome update to fix CVE-2025-10585, a type confusion vulnerability in the V8 JavaScript and WebAssembly engine that is being exploited in the wild. The flaw can enable arbitrary remote read/write operations via crafted HTML, potentially causing crashes or remote code execution. The update also remediates two use-after-free bugs in Dawn and WebRTC, with $15,000 and $10,000 rewards respectively, and fixes a heap buffer overflow in the ANGLE graphics engine discovered by the Big Sleep AI agent. No bounty will be paid for the exploited V8 bug because it was found internally. New Chrome versions are rolling out across platforms.
Read at SecurityWeek