CVE-2025-10585 Vulnerability: A New Zero-Day Exploit in Chrome’s V8 JavaScript and WebAssembly Engine Weaponized in Real-World Attacks
Following the discovery of CVE-2025-7775, a critical RCE vulnerability in Citrix NetScaler already under active exploitation, another zero-day flaw has now emerged in the cyber threat arena, which is actively leveraged in real-world attacks. The issue tracked as CVE-2025-10585 is a high-severity type confusion vulnerability in Chrome’s V8 JavaScript and WebAssembly engine that lets adversaries run malicious code on victims’ systems by luring them to a compromised site with crafted JavaScript.
There’s an overall increase in exploited zero-days and a shrinking window for exploitation, making timely updates crucial. Throughout 2025, there have already been six publicly documented incidents where Google Chrome zero-day vulnerabilities were actively exploited in the wild, including CVE-2025-5419 and CVE-2025-6558. The newly discovered Chrome zero-day puts millions of organizations at risk as it is already being actively weaponized.
Sign up for SOC Prime Platform to elevate your defenses at scale with top cybersecurity expertise and AI. SOC Prime Platform curates a comprehensive detection stack to timely identify and address vulnerability exploitation attempts filtered by the corresponding “CVE” tag. Click Explore Detections to obtain relevant Sigma rules to help your team reduce the risks of CVE exploitation when every second counts.
All detections are enriched with AI-native threat intelligence for an in-depth threat context and are mapped to MITRE ATT&CK®. The detection algorithms can also be converted to multiple SIEM, EDR, and Data Lake technologies in an automated fashion to streamline your detection engineering tasks.
Security teams can also take advantage of Uncoder AI to perform detection engineering end-to-end—convert raw threat intel from reports into custom IOC queries, visualize Attack Flows, enable ATT&CK tags prediction, apply AI-driven query optimization, and translate detection code across diverse language formats.
CVE-2025-10585 Analysis
Google has recently released security updates for the Chrome browser to address four vulnerabilities, including one actively exploited zero-day identified as CVE-2025-10585, a type confusion flaw in Chrome’s V8 JavaScript and WebAssembly engine. Such vulnerabilities can be weaponized to cause unexpected behavior, including arbitrary code execution and crashes, simply by getting users to load a malicious webpage, which makes them highly dangerous for large-scale exploitation campaigns.
Google researchers discovered and reported CVE-2025-10585 on September 16, 2025. The vendor has withheld technical and exploitation details to prevent threat actors from abusing the flaw before users have time to apply the patch.
Alongside this actively exploited bug, the update also patches three other high-severity vulnerabilities that could lead to system compromise. One of them, CVE-2025-10500, is a use-after-free bug in the Dawn WebGPU implementation.
The vendor has confirmed that an exploit for CVE-2025-10585 is being weaponized in in-the-wild attacks. The emergence of this threat marks the sixth zero-day in Chrome this year to be either actively exploited or shown in a PoC attack.
As potential CVE-2025-10585 mitigation measures to reduce the risks of exploitation attempts, Chrome users are advised to update to version 140.0.7339.185/.186 on Windows and macOS, or 140.0.7339.185 on Linux. Users of other Chromium-based browsers, including Microsoft Edge, Brave, Opera, and Vivaldi, are also urged to install the corresponding security updates as soon as they’re released. To stay protected, users can manually check for updates, and organizations are urged to prioritize patching and apply extra safeguards until all systems are updated.
As zero-day flaws in Google Chrome and other popular software grow in number and exploitation attempts surge, organizations must stay vigilant about their security posture. SOC Prime equips security teams with a complete product suite for enterprise-ready defense backed by AI, automation, actionable CTI, and built on zero-trust security principles to help organizations outscale cyber threats.
