Google Patches 0-Day in Chrome Browser, Already Exploited in Attacks

Google has released updates for its Chrome browser addressing four security vulnerabilities, including one zero-day (CVE-2025-10585) that has already been exploited in active attacks.

The Vulnerability

The flaw, discovered in Chrome’s V8 JavaScript engine, is a type confusion bug. It was identified by specialists from Google’s Threat Analysis Group (TAG), which regularly uncovers zero-day vulnerabilities exploited by state-sponsored hackers in targeted espionage operations.

“Google is aware of an exploit for CVE-2025-10585,” the company noted. Such language typically signals that attackers are already using the bug in real-world campaigns.

Limited Details Released

In line with standard practice, Google did not disclose details on how the vulnerability is being exploited, who is behind the attacks, or the scope of the campaigns. This policy is intended to prevent other malicious actors from weaponizing the flaw before users apply the updates.

Patch Availability

The issue has been fixed in Chrome versions 140.0.7339.185/.186 for Windows and Mac, and 140.0.7339.185 for Linux. The updates are currently rolling out and are expected to reach all users in the coming weeks.

Sixth Zero-Day in 2025

CVE-2025-10585 marks the sixth zero-day vulnerability patched in Chrome this year that was already being exploited by hackers.