Red Hot Cyber
Cybersecurity, Cybercrime News and Vulnerability Analysis

Google Chrome: Urgent patch for exploited 0day. Critical vulnerabilities fixed.

18 September 2025 10:01

Google has taken immediate security action for Chrome browser users globally, targeting four critical vulnerabilities, one of which, a zero-day vulnerability, is currently being actively exploited. Users are therefore urged to update their browsers urgently to prevent potential cyberattacks.

The most concerning vulnerability in this security update is a type confusion flaw in Chrome’s V8 JavaScript engine, tracked as CVE-2025-10585. It was discovered and reported on September 16, 2025, by Google’s Threat Analysis Group. The company has confirmed that the flaw has already been exploited in real-world attacks.

This type of attack requires no user interaction, other than loading a web page, making it particularly dangerous for large-scale exploitation campaigns.

The V8 engine vulnerability allows attackers to execute malicious code on victims’ computers simply by tricking users into visiting a compromised website containing specially crafted JavaScript.

In addition to fixing the already exploited zero-day, the Chrome update addresses three other high-severity security vulnerabilities that can potentially undermine system stability. One of these, CVE-2025-10500, is a use-after-free flaw in the Dawn WebGPU implementation, discovered by security researcher Giunash, who received a $15,000 reward.

The update also addresses a use-after-free flaw in WebRTC components (CVE-2025-10501), reported by researcher “sherkito” for a $10,000 reward, and a heap buffer overflow in the ANGLE graphics layer (CVE-2025-10502), identified by Google’s automated Big Sleep system.

Chrome versions 140.0.7339.185/.186 for Windows and Mac and 140.0.7339.185 for Linux are now available globally. Users should update their browsers immediately by opening the Chrome settings menu and selecting “About Google Chrome”, which starts the automatic update check.

Security experts recommend that organizations prioritize Chrome updates on their networks and consider implementing additional security measures until all systems are adequately protected from these vulnerabilities.
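To prioritize the rollout, an inventory export can be compared against the fixed builds listed above. The following is an added example, not code from Google or from this article; the CSV layout, the host names and the older version strings in the sample are constructed assumptions, and it assumes every host is on the Stable channel.

```python
import csv
import io
import re

# Lowest fixed build per platform, taken from the article (Stable channel assumed).
PATCHED = {
    "windows": (140, 0, 7339, 185),
    "mac": (140, 0, 7339, 185),
    "linux": (140, 0, 7339, 185),
}

VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Extract a four-part Chrome version from a raw string, or return None."""
    match = VERSION_RE.search(text or "")
    return tuple(int(part) for part in match.groups()) if match else None


def classify(platform, raw_version):
    """Return 'patched', 'vulnerable' or 'unknown' for one inventory record."""
    floor = PATCHED.get(platform.strip().lower())
    version = parse_version(raw_version)
    if floor is None or version is None:
        return "unknown"  # needs manual follow-up, never counted as patched
    return "patched" if version >= floor else "vulnerable"


def audit(inventory_csv):
    """Group host names by status from CSV text with host,platform,version columns."""
    report = {"patched": [], "vulnerable": [], "unknown": []}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        report[classify(row["platform"], row["version"])].append(row["host"])
    return report


# Constructed sample inventory (hypothetical hosts and version strings).
SAMPLE = """host,platform,version
ws-001,Windows,140.0.7339.186
ws-002,Windows,140.0.7339.128
mb-014,Mac,Google Chrome 140.0.7339.185
lx-203,Linux,Google Chrome 139.0.7258.154
lx-204,Linux,
kiosk-7,ChromeOS,140.0.7339.185
"""

if __name__ == "__main__":
    for status, hosts in audit(SAMPLE).items():
        print(f"{status}: {', '.join(hosts) or '-'}")
```

Hosts with a missing version or a platform the article does not list land in `unknown` so they are reviewed rather than silently treated as updated.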


Massimiliano Brolli
Responsible for the RED Team of a large Telecommunications company and 4G/5G cyber security labs. He has held managerial positions ranging from ICT Risk Management to software engineering to teaching in university master's programs.
Areas of Expertise: Bug Hunting, Red Team, Cyber Intelligence & Threat Analysis, Disclosure, Cyber Warfare and Geopolitics, Ethical Hacking