Google Patches Sixth Chrome Zero-Day Exploited in Attacks This Year
Google has taken emergency action to patch a sixth Chrome zero-day vulnerability that has been actively exploited in attacks this year. The latest zero-day, CVE-2025-10585, is a high-severity flaw caused by a type confusion weakness in the web browser's V8 JavaScript engine. This vulnerability was reported by Google's Threat Analysis Group (TAG) on Tuesday, and the company has since released security updates to address the issue.
Google warned that an exploit for CVE-2025-10585 exists in the wild, which is a common indicator of active exploitation. The company did not specify whether this zero-day is still being actively abused by threat actors, but the existence of a public exploit suggests that it may be in use in malicious attacks.
The latest Chrome update, version 140.0.7339.185/.186 for Windows/Mac and 140.0.7339.185 for Linux, was released as an emergency fix to address the zero-day vulnerability. These updates will roll out to the Stable Desktop channel over the coming weeks.
Chrome automatically updates when new security patches are available, but users can speed up the process by going to the Chrome menu > Help > About Google Chrome and clicking the 'Relaunch' button to install the update immediately.
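For administrators who need to confirm the fix across many machines rather than one browser at a time, the following added example (not from Google or the original article) checks reported Chrome version strings against the fixed build named above. The host names and inventory lines are constructed sample data, and the function names are hypothetical.

```python
import re

# Fixed builds named in the article: 140.0.7339.185/.186 (Windows/Mac)
# and 140.0.7339.185 (Linux), so the lowest fixed build is the same everywhere.
FIXED_BUILD = (140, 0, 7339, 185)

VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")

def parse_version(text):
    """Extract a four-part Chrome version from free text, or None if absent."""
    m = VERSION_RE.search(text or "")
    return tuple(int(p) for p in m.groups()) if m else None

def classify(version_text):
    """Return 'patched', 'vulnerable' or 'unknown' for one reported version."""
    v = parse_version(version_text)
    if v is None:
        return "unknown"  # no usable version: follow up by hand
    # Compare as integer tuples. A plain string comparison would rank
    # "140.0.7339.99" above "140.0.7339.185" and miss an unpatched host.
    return "patched" if v >= FIXED_BUILD else "vulnerable"

def audit(inventory):
    """Group hosts by status; inventory is an iterable of (host, version_text)."""
    report = {"patched": [], "vulnerable": [], "unknown": []}
    for host, version_text in inventory:
        report[classify(version_text)].append(host)
    return report

# Constructed sample inventory (hypothetical hosts, not data from the article).
SAMPLE_INVENTORY = [
    ("win-01", "Google Chrome 140.0.7339.186"),
    ("mac-02", "Google Chrome 140.0.7339.185"),
    ("lin-03", "Google Chrome 140.0.7339.127"),
    ("lin-04", "Google Chrome 140.0.7339.99"),
    ("win-05", "139.0.7258.155"),
    ("lin-06", "Google Chrome 141.0.7390.54"),
    ("mac-07", "chrome not found"),
]

if __name__ == "__main__":
    for status, hosts in audit(SAMPLE_INVENTORY).items():
        print(f"{status}: {', '.join(hosts) or '-'}")
```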
A Busy Year for Chrome Zero-Days
This is the sixth Chrome zero-day that Google has fixed this year, with five more patched in March, May, June, and July. In each case, the company has confirmed that the vulnerability was used in malicious attacks.
Google has already addressed several other high-severity zero-days this year, including a zero-day (CVE-2025-6558) that allowed attackers to escape the browser's sandbox protection, a zero-day (CVE-2025-4664) that let attackers hijack accounts, and a zero-day (CVE-2025-5419) in Chrome's V8 JavaScript engine discovered by Google TAG.
The company has also patched other zero-days this year, including a high-severity sandbox escape flaw (CVE-2025-2783) reported by Kaspersky, which was used in espionage attacks against Russian government organizations and media outlets.
Additional Vulnerabilities Addressed
Last year, Google patched 10 more zero-day bugs that were either demoed during Pwn2Own hacking competitions or exploited in attacks. This year's increased pace of Chrome zero-days is a reminder that the web remains a vulnerable platform for attackers.
In other news, hackers have been exploiting Sitecore zero-day flaws to deploy backdoors, FreePBX servers have been hacked via a zero-day, and emergency fixes have been released for these vulnerabilities as well. Android has also received patches for Qualcomm flaws exploited in attacks.
Staying Safe Online
In the face of this increased activity, it's more important than ever to stay safe online. Here are some tips for protecting yourself:
- Use a reputable antivirus program and keep your software up-to-date.
- Never click on suspicious links or download attachments from unknown sources.
- Use strong, unique passwords for all accounts.
- Keep your browser and operating system updated with the latest security patches.
By following these simple steps, you can significantly reduce your risk of falling victim to a malicious attack. Stay vigilant and stay safe online!