CISA adds Chrome zero-day CVE-2025-10585 to KEV after public exploit appears

CISA this week added CVE-2025-10585, a high-severity type-confusion flaw in Google’s V8 JavaScript engine, to its Known Exploited Vulnerabilities catalog after evidence of active exploitation was observed.

Google disclosed the issue in an emergency advisory and shipped an out-of-cycle Stable update (Chrome 140.0.7339.185/.186 for desktop) to mitigate the flaw. As Google warned, “Google is aware that an exploit for CVE-2025-10585 exists in the wild.”

CVE-2025-10585 is a type-confusion vulnerability in V8. In practice, type-confusion bugs make the JavaScript engine treat one kind of object or value as another; that mismatch can be abused to read or write memory in unexpected ways, and in the browser context it’s frequently a stepping stone to arbitrary code execution in the renderer process.

Two reasons make this urgent:

1. Google confirmed a public exploit exists, a strong signal attackers are actively weaponizing the bug, and
2. V8 runs user-supplied JavaScript from web pages and extensions — so an attacker can trigger exploitation with a crafted web page or malicious ad. The advisory reiterates that Google TAG often flags zero-days used in targeted surveillance campaigns against high-risk individuals, increasing the stakes for enterprises and high-value targets.

All users of desktop Chrome (Windows/Mac/Linux) on older versions are exposed until updates are applied. The Chrome emergency release noted above will roll out to Stable over the coming days; organizations that centrally manage browser updates should prioritize deploying the patched builds immediately. Federal Civilian Executive Branch (FCEB) agencies were given a remediation deadline of October 14, 2025.

Related Posts:

• Google Chrome Patches Three High-Severity Flaws in V8 Engine
• Chrome Update Alert: Two High-Severity Flaws Patched – Update Now to Stay Safe!
• CISA Adds 12 New Known Actively Exploited Vulnerabilities to its Catalog

Support Our Threat Intelligence

If you find our CVE report and cybersecurity news helpful, consider supporting our work.

Buy Me a Coffee PayPal

Crypto

USDT (TRC20):

TN8BdV8cp4T1Cd28gK9qTAnZknzzuwyUtm Copy

USDT (ERC20):

0x3725e1a7d3bc5765499fa6aaafe307fabcd75bce Copy

Written by

@DdoS · Security Researcher

Do Son

Do Son is the Founder and Editor of SecurityOnline.info. Working in cybersecurity since 2013, he reports on vulnerabilities, malware, and emerging threats, providing timely analysis to help organizations and individuals stay ahead of evolving risks.