Type Confusion Vulnerability in Google Chrome
CVE-2025-10585

9.8 CRITICAL

Key Information:

Vendor: Google

Status
Vendor
CVE Published: 24 September 2025

Badges

  • 🥇 Trended No. 1
  • 📈 Trended
  • 📈 Score: 12,000
  • 👾 Exploit Exists
  • 🟡 Public PoC
  • 🦅 CISA Reported
  • 📰 News Worthy

What is CVE-2025-10585?

CVE-2025-10585 is a type confusion vulnerability in the V8 JavaScript engine of Google Chrome, affecting versions prior to 140.0.7339.185. This software component is critical for executing JavaScript and rendering HTML content in the browser, a core function on which web browsing depends. The flaw stems from how V8 handles object types: the engine mistakenly interprets an object of one type as another. This can potentially lead to heap corruption, allowing a remote attacker to craft a malicious HTML page that, when interacted with, can destabilize the browser or allow unauthorized access to system resources. Such an exploit can severely disrupt an organization’s web operations, expose sensitive data, or lead to compromised systems.

Potential impact of CVE-2025-10585

  1. Remote Code Execution: The vulnerability can enable attackers to execute arbitrary code on the user's machine through malicious HTML content, which can lead to a full system compromise.

  2. Data Breaches: By exploiting this vulnerability, attackers could potentially access and exfiltrate sensitive information stored within the browser or on the system, jeopardizing organizational confidentiality and compliance.

  3. Service Disruption: An exploit could lead to crashes or severe performance degradation of the browser, affecting organizational productivity by disrupting web-based applications and services critical to business operations.

CISA has reported CVE-2025-10585

CISA provides regional cyber and physical services to support security and resilience across the United States. CISA monitors the most dangerous vulnerabilities and has identified CVE-2025-10585 as being exploited, but it is not known by CISA to be used in ransomware campaigns. This is subject to change at pace.

The CISA's recommendation is: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Affected Version(s)

Chrome 140.0.7339.185

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate that the vulnerability can be exploited. PoC code is also a key component of weaponization, which could lead to ransomware.

News Articles

Google Patches Chrome Zero-Day CVE-2025-10585 as Active V8 Exploit Threatens Millions

Google releases critical Chrome update patching zero-day CVE-2025-10585, discovered Sept 16, to block active V8 JavaScript engine exploits worldwide.

CVSS V3.1

Score: 9.8
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • 🥇 Vulnerability reached the number 1 worldwide trending spot
  • 📈 Vulnerability started trending
  • Vulnerability published
  • 🦅 CISA Reported
  • 🟡 Public PoC available
  • 👾 Exploit known to exist
  • 📰 First article discovered by The Hacker News
  • Vulnerability Reserved
