Google patches exploited Chrome zero-day, three other flaws

Google patched four high-severity Chrome browser vulnerabilities, including a zero-day flaw that has been exploited in the wild, according to an advisory published Wednesday.

The exploited flaw, tracked as CVE-2025-10585, is described as a type confusion bug in Google’s V8 JavaScript and WebAssembly engine. The open-source V8 engine enables Chrome browser to efficiently parse, compile and run JavaScript and WebAssembly code.

Type confusion occurs when a program expects data of a certain type but retrieves data of a different type, leading to errors when attempting to handle the data. These errors could cause unexpected behavior such as memory corruption and leaks, or even arbitrary code execution.

A previous type confusion error in V8 affecting Chrome, discovered in 2023 and tracked as CVE-2023-3079, allowed remote attackers to exploit heap corruption errors through malicious crafted HTML page, and was exploited in the wild, being added to the Cybersecurity and Infrastructure Security Agency (CISA) Known Exploited Vulnerabilities (KEV) catalog shortly after its discovery.

Further details about CVE-2025-10585, which was discovered by Google’s Threat Analysis Group (TAG) on Sept. 16, 2025, were not made available by Google, with the company typically restricting bug details until a majority of users have received a fix.

The other vulnerabilities disclosed Wednesday include two use after free flaws and one heap buffer overflow flaw, the latter of which was discovered by Google’s Big Sleep AI agent in August. This heap buffer overflow flaw in Google’s Almost Native Graphics Layer Engine (ANGLE) is tracked as CVE-2025-10502.

A user after free vulnerability in the Dawn WebGPU implementation, tracked as CVE-2025-10500, was discovered by researcher Gyujeong Jin, earning a $15,000 bug bounty, while a user after free in WebRTC tracked as CVE-2025-10501 earned a $10,000 bounty for researcher sherkito.

Fixes for all four high-severity flaws were included in Chrome Stable channel version 140.0.7339.185/.186 for Windows/Mac, and 140.0.7339.185 for Linux.