Red Hot Cyber


Google Chrome: Urgent patch for exploited 0day. Critical vulnerabilities fixed.

Redazione RHC : 18 September 2025 10:01

Google has taken immediate security action for Chrome browser users globally, targeting four critical vulnerabilities, one of which, a zero-day vulnerability, is currently being actively exploited. Users are therefore urged to update their browsers urgently to prevent potential cyberattacks.

The most concerning vulnerability in this security update is a type confusion flaw in Chrome’s V8 JavaScript engine, tracked as CVE-2025-10585. It was discovered and reported on September 16, 2025, by Google’s Threat Analysis Group. The company has confirmed that the flaw has already been exploited in real-world attacks, highlighting how attackers are taking advantage of it.

This type of attack requires no user interaction, other than loading a web page, making it particularly dangerous for large-scale exploitation campaigns.

The V8 engine vulnerability allows attackers to execute malicious code on victims’ computers simply by tricking users into visiting a compromised website containing specially crafted JavaScript.

In addition to fixing the already exploited zero-day vulnerability, the Chrome update Google recently released addresses three other high-severity security vulnerabilities that can potentially undermine system stability. One of these, CVE-2025-10500, is a use-after-free flaw in the Dawn WebGPU implementation, discovered by security researcher Giunash, who has received a $15,000 reward.

The update also addresses a use-after-free flaw in WebRTC components (CVE-2025-10501), reported by researcher “sherkito” for a $10,000 reward, and a heap buffer overflow in the ANGLE graphics layer (CVE-2025-10502), identified by Google’s automated Big Sleep system.

Chrome versions 140.0.7339.185/.186 for Windows and Mac and 140.0.7339.185 for Linux are now available globally. Users should update their browsers immediately by going to the Chrome settings menu and selecting “About Google Chrome” to enable automatic update checks.

Security experts recommend that organizations prioritize Chrome updates on their networks and consider implementing additional security measures until all systems are adequately protected from these vulnerabilities.
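To help prioritize the rollout, the following added example (not code from Red Hot Cyber or Google) checks a software inventory against the fixed builds listed above. The record layout, hostnames and sample version strings are assumptions constructed for illustration.

```python
import re

# Lowest fixed stable build per platform, taken from the article.
FIXED = {
    "windows": (140, 0, 7339, 185),
    "mac": (140, 0, 7339, 185),
    "linux": (140, 0, 7339, 185),
}
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")

def parse_version(text):
    """Return the four-part version found in text as a tuple of ints, or None."""
    match = VERSION_RE.search(text or "")
    return tuple(int(part) for part in match.groups()) if match else None

def classify(platform, version_text):
    """Classify one install as patched, needs_update, review or unknown."""
    fixed = FIXED.get(platform.lower())
    version = parse_version(version_text)
    if fixed is None or version is None:
        return "unknown"       # unlisted platform or unreadable version string
    if version[:3] == fixed[:3]:
        # Same release branch: only the last component decides.
        return "patched" if version[3] >= fixed[3] else "needs_update"
    if version < fixed:
        return "needs_update"  # below the fixed stable build
    return "review"            # newer branch: the article lists no fixed build for it

def audit(inventory):
    """Group hosts by status for (host, platform, version_text) records."""
    report = {"patched": [], "needs_update": [], "review": [], "unknown": []}
    for host, platform, version_text in inventory:
        report[classify(platform, version_text)].append(host)
    return report

# Constructed sample inventory: hostnames and version strings are made up.
SAMPLE_INVENTORY = [
    ("ws-001", "windows", "Google Chrome 140.0.7339.186"),
    ("ws-002", "windows", "Google Chrome 140.0.7339.128"),
    ("mac-003", "mac", "Google Chrome 139.0.7258.155"),
    ("lnx-004", "linux", "Google Chrome 140.0.7339.185"),
    ("lnx-005", "linux", "Google Chrome 141.0.7390.7 beta"),
    ("ws-006", "windows", ""),
]

if __name__ == "__main__":
    for status, hosts in audit(SAMPLE_INVENTORY).items():
        print(f"{status:<13} {', '.join(hosts) or '-'}")
```

Hosts reported as `review` or `unknown` need a manual check, because the version string alone does not show whether they carry the fix.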

Redazione
The editorial team of Red Hot Cyber consists of a group of individuals and anonymous sources who actively collaborate to provide early information and news on cybersecurity and computing in general.
