Urgent Security Update for Google Chrome: CVE-2025-10585
Google has issued an immediate alert concerning a critical vulnerability affecting its Chrome browser, labeled CVE-2025-10585. This security flaw, located in the V8 JavaScript engine within Chromium, poses a significant risk as it is currently being exploited in real-world attacks. In response, Google has rolled out an emergency update for all desktop versions of Chrome, which users must prioritize to maintain their security.
Understanding CVE-2025-10585
The Nature of the Vulnerability
CVE-2025-10585 is categorized as a Type Confusion issue. It allows malicious actors to mislead the browser regarding the types of objects being handled. This misclassification can lead to severe consequences, including arbitrary code execution, browser crashes, or even a full system compromise.
This vulnerability carries a "High" severity rating, prompting Google to withhold specific technical details to prevent further exploitation. Google's Threat Analysis Group (TAG) reported the issue on September 16, 2025, and within just two days a fix was made available, highlighting the urgency of the situation.
How to Update Chrome
Update Installation Process
The security update is designed to roll out automatically. Users should restart their browsers as soon as the update is detected. Note that while regular tabs will reopen after the restart, incognito sessions will not be restored.
To ensure the update has been successfully installed, users can navigate to the following URL within their browser: chrome://settings/help. If the version number displayed is 140.0.7339.185 or higher, users can be confident that the fix for CVE-2025-10585 is in place.
Version Numbers for Different Operating Systems
- Windows and macOS: Update to version 140.0.7339.185 or .186
- Linux: Update to version 140.0.7339.185
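The version check described above can be automated for a fleet of machines. The following script is an added example written for this article, not code from Google or the Chromium project: it compares reported Chrome versions against the fixed builds listed here (140.0.7339.185/.186 for Windows and macOS, 140.0.7339.185 for Linux) and flags hosts that still need the update. The inventory records, platform keys and host names are constructed for illustration.

```python
"""Flag Chrome installations that predate the fix for CVE-2025-10585.

Version strings are compared numerically component by component, so a later
major release (e.g. 141.x) is correctly treated as patched, while a malformed
or truncated version is reported as 'unknown' rather than silently passed.
"""
from typing import Dict, List, Tuple

# Fixed builds per platform, as stated in the advisory summary above.
# The platform keys are a constructed convention for this example.
FIXED_VERSIONS: Dict[str, List[str]] = {
    "windows": ["140.0.7339.185", "140.0.7339.186"],
    "macos": ["140.0.7339.185", "140.0.7339.186"],
    "linux": ["140.0.7339.185"],
}


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '140.0.7339.185' into (140, 0, 7339, 185).

    Raises ValueError for anything that is not a dotted run of integers,
    so junk from an inventory export cannot be mistaken for a new release.
    """
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {version!r}")
    return tuple(int(p) for p in parts)


def is_patched(platform: str, version: str) -> bool:
    """True if the reported version is at or above the lowest fixed build.

    Tuple comparison handles versions with fewer components conservatively:
    '140.0' sorts below (140, 0, 7339, 185) and is therefore not patched.
    """
    fixed = FIXED_VERSIONS[platform.lower()]  # KeyError for unknown platform
    minimum = min(parse_version(v) for v in fixed)
    return parse_version(version) >= minimum


def triage(inventory: List[Dict[str, str]]) -> Dict[str, str]:
    """Map each host to 'patched', 'vulnerable' or 'unknown'.

    'unknown' covers unsupported platforms and unparsable versions; those
    hosts need manual review rather than being assumed safe.
    """
    status: Dict[str, str] = {}
    for record in inventory:
        host = record.get("host", "<unnamed>")
        try:
            ok = is_patched(record["platform"], record["version"])
            status[host] = "patched" if ok else "vulnerable"
        except (KeyError, ValueError):
            status[host] = "unknown"
    return status


# Constructed sample inventory, as an asset-management export might provide.
SAMPLE_INVENTORY: List[Dict[str, str]] = [
    {"host": "ws-01", "platform": "windows", "version": "140.0.7339.186"},
    {"host": "ws-02", "platform": "windows", "version": "140.0.7339.80"},
    {"host": "mac-07", "platform": "macos", "version": "141.0.7390.10"},
    {"host": "lnx-03", "platform": "linux", "version": "140.0.7339.185"},
    {"host": "lnx-04", "platform": "linux", "version": "140.0"},
    {"host": "kiosk-1", "platform": "chromeos", "version": "140.0.7339.185"},
    {"host": "lab-9", "platform": "linux", "version": "unknown"},
]

if __name__ == "__main__":
    for host, state in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{host:10} {state}")
```

Run the script as-is to see the sample triage; in practice the inventory would come from an endpoint-management export. Hosts reported as `vulnerable` need the restart described above, and `unknown` entries should be checked by hand rather than assumed current.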
Additional Vulnerabilities Addressed
In addition to CVE-2025-10585, this emergency update addresses three other vulnerabilities of high severity:
- CVE-2025-10500: A use-after-free issue in Dawn, reported by researcher Gyujeong Jin, who received a reward of $15,000.
- CVE-2025-10501: Another use-after-free vulnerability, this time in WebRTC, discovered by researcher “sherkito,” who was rewarded $10,000.
- CVE-2025-10502: A heap buffer overflow in ANGLE, reported by the Google Big Sleep team.
While these vulnerabilities are also serious, only CVE-2025-10585 is known to be actively exploited at the moment.
Broader Impact on Chromium-Based Browsers
Given that Google Chrome and Microsoft Edge share a common Chromium base, users of both browsers should be prepared for subsequent security updates. While Microsoft has not released an official statement yet, it is expected that they will issue patches soon, given the serious nature of the vulnerability.
Google has stressed the importance of withholding certain technical details until a majority of users have installed the update. This practice aims to limit the potential for further exploitation by malicious actors. As Google mentions, “We will also retain restrictions if the bug exists in a third-party library that other projects similarly depend on, but haven’t yet fixed.”
Importance of Updating
As cyber threats become increasingly sophisticated, timely updates are crucial for maintaining browser security. Google emphasizes that this is not part of a standard patch cycle; rather, it serves as an urgent call for users to update their browsers to guard against ongoing attacks.
All users are strongly encouraged to ensure that their browsers are up to date. Delaying updates may leave your system vulnerable to potential exploitation. With the emergency update already being rolled out, a simple restart could be the key to your security.
Staying informed and proactive about browser security not only protects individual users but also contributes to a safer internet experience for everyone.