Google Chrome V8, type confusion leading to heap corruption (zero-day)
Type confusion in the V8 JavaScript and WebAssembly engine in Google Chrome prior to 140.0.7339.185 allows a remote attacker to exploit heap corruption via a crafted HTML page. Google's Threat Analysis Group reported the flaw and Google shipped an emergency Stable channel update after confirming an exploit exists in the wild.
Overview
CVE-2025-10585 is a type confusion vulnerability in V8, the JavaScript and WebAssembly engine used by Google Chrome and other Chromium-based browsers. A remote attacker can exploit it via a crafted web page to corrupt the heap and potentially achieve code execution in the renderer. Google's Threat Analysis Group (which tracks government-backed and commercial-spyware activity) reported it, and Google confirmed an exploit exists in the wild - making it the fifth actively exploited Chrome zero-day of 2025. NVD's primary CVSS 3.1 base score is 9.8 (the CISA-ADP secondary score is 8.8, reflecting the user interaction required to visit a page).
Technical Details
Type confusion occurs when V8 treats a memory object as a different type than it actually is, letting an attacker read or write outside the intended bounds and corrupt the heap. With a carefully crafted script delivered by a malicious or compromised page, an attacker can build a primitive for arbitrary memory access inside the renderer process. Renderer-level compromise is typically paired with a sandbox-escape bug for full system impact, but a renderer RCE alone already exposes browser data and is highly valuable to spyware vendors.
Impact
- Drive-by compromise of the browser renderer when a victim visits an attacker-controlled page.
- Data theft from the browsing session and a strong stepping stone toward sandbox escape.
- Broad exposure: the same V8 code ships in Edge, Brave, Opera, and other Chromium browsers.
- Active exploitation by sophisticated actors increases real-world risk.
Mitigation
- Update Chrome immediately to 140.0.7339.185/.186 (Windows/macOS) or 140.0.7339.185 (Linux) or later, then relaunch the browser to apply the fix.
- Update all Chromium-based browsers (Edge, Brave, Opera, Vivaldi) once their vendors ship the patched V8.
- Enable automatic updates and consider Chrome's Enhanced Safe Browsing.
- For high-risk users, consider Chrome's site-isolation and reduced-attack-surface settings.
Detection
- Confirm the running version shown at chrome://version is at or above the fixed build on every endpoint.
- Browser exploitation is hard to detect on the host; prioritize fast patch rollout and monitor for unexpected child processes spawned by the browser.
- CISA added the CVE to the KEV catalog on September 23, 2025.
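The version check above, as an added example that is not part of the advisory: it parses the version string shown at chrome://version (or printed by the browser binary) and compares it component-wise against the fixed build, so a later major release such as 141.x is correctly treated as patched. The endpoint inventory is constructed sample data, not real hosts.

```python
import re
from typing import Dict, List, Optional, Tuple

# Lowest build carrying the CVE-2025-10585 fix. Windows/macOS ship
# 140.0.7339.185 or .186 and Linux ships .185, so .185 is the floor
# on every platform.
FIXED_BUILD: Tuple[int, int, int, int] = (140, 0, 7339, 185)

# Chrome versions are always four dotted integers.
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Optional[Tuple[int, ...]]:
    """Extract the 4-part version from strings such as
    'Google Chrome 140.0.7339.185' or the chrome://version line
    '140.0.7339.127 (Official Build) (64-bit)'. None if absent."""
    m = VERSION_RE.search(text)
    return tuple(int(g) for g in m.groups()) if m else None


def is_patched(version_text: str) -> Optional[bool]:
    """True if the running build is at or above FIXED_BUILD,
    False if below, None if no version could be parsed.
    Tuple comparison handles carries across components, e.g.
    141.0.7390.54 > 140.0.7339.185 even though 54 < 185."""
    version = parse_version(version_text)
    if version is None:
        return None
    return version >= FIXED_BUILD


# Constructed inventory: (hostname, version string as reported).
# Note that chrome://version reports the *running* build; a browser
# that downloaded the update but was not relaunched still shows the
# old version and is still exposed.
SAMPLE_INVENTORY: List[Tuple[str, str]] = [
    ("ws-01", "Google Chrome 140.0.7339.186 (Official Build) (64-bit)"),
    ("ws-02", "140.0.7339.127 (Official Build) (64-bit)"),
    ("mac-07", "Google Chrome 139.0.7258.155"),
    ("lnx-03", "Google Chrome 141.0.7390.54"),
    ("lnx-09", "version: unavailable"),
]


def triage(inventory: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Bucket hosts into patched / vulnerable / unknown so that unknown
    hosts are chased rather than silently counted as safe."""
    buckets: Dict[str, List[str]] = {"patched": [], "vulnerable": [], "unknown": []}
    for host, text in inventory:
        state = is_patched(text)
        key = "unknown" if state is None else ("patched" if state else "vulnerable")
        buckets[key].append(host)
    return buckets
```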