Google has rolled out a critical Chrome update fixing four major security flaws, including one zero-day vulnerability that is actively being exploited.

Quick Summary – TLDR:

  • Google released Chrome version 140.0.7339.185/.186 to patch four high-severity security bugs.
  • The most urgent fix addresses CVE-2025-10585, a zero-day flaw in the V8 engine under active exploitation.
  • Users are strongly advised to update their browsers manually to ensure immediate protection.
  • Other vulnerabilities include memory-related flaws in Dawn, WebRTC, and ANGLE components.

What Happened?

Google has issued a high-priority security update for its Chrome web browser after uncovering four serious vulnerabilities. One of these, a zero-day vulnerability tracked as CVE-2025-10585, is already being used in live attacks, making immediate updates essential for all users. The flaw affects Chrome’s V8 JavaScript and WebAssembly engine and can lead to arbitrary code execution if left unpatched.

Google Addresses Four Major Chrome Vulnerabilities

This update, which bumps Chrome to version 140.0.7339.185/.186 for Windows and macOS and 140.0.7339.185 for Linux, fixes multiple high-risk bugs:

  • CVE-2025-10585: A type confusion vulnerability in the V8 engine, discovered by Google’s Threat Analysis Group (TAG). It allows attackers to run malicious code just by luring users to a specially crafted website.
  • CVE-2025-10500: A use-after-free issue in the Dawn WebGPU layer, reported by a researcher named Giunash. This bug earned a $15,000 reward from Google’s bug bounty program.
  • CVE-2025-10501: Another use-after-free vulnerability, this time in the WebRTC component, flagged by researcher “sherkito,” who received a $10,000 bounty.
  • CVE-2025-10502: A heap buffer overflow found in the ANGLE graphics layer, detected by Google’s automated system Big Sleep.

All four vulnerabilities could lead to memory corruption, browser crashes, or remote code execution, making them serious threats to users’ online safety.

Why CVE-2025-10585 Matters So Much

Type confusion bugs, like CVE-2025-10585, happen when code sets up an object as one data type but later accesses it as another, incompatible type. This can give attackers a way to manipulate memory, bypass Chrome’s sandbox protections, and even take control of a user’s system.

What makes this particularly alarming is that Google has confirmed this vulnerability is already being exploited in the wild. Although the company hasn’t shared details about who is behind the attacks or the scale of abuse, its acknowledgment signals the urgency of applying the fix.

Google is also withholding full technical details of the bug until most users have updated, to avoid aiding further attacks.

A Growing List of Chrome Zero-Days in 2025

This marks the sixth Chrome zero-day vulnerability patched by Google in 2025 alone. Other high-profile flaws this year include:

  • CVE-2025-6558: Improper input validation in ANGLE and GPU
  • CVE-2025-6554: Type confusion in V8
  • CVE-2025-5419: Out-of-bounds access in V8
  • CVE-2025-2783: Chrome sandbox bypass
  • CVE-2025-4664: Insufficient policy enforcement

Each of these was also confirmed to be exploited in the wild, underscoring a concerning trend of rising browser-based attacks.

How to Update Chrome Immediately

Although Google has started a gradual rollout, it may take days or weeks to reach all users. To get protected now:

  1. Open Chrome.
  2. Go to More > Help > About Google Chrome.
  3. Chrome will automatically check for updates and install the latest version.
  4. Click Relaunch to complete the update.

Users of other Chromium-based browsers like Microsoft Edge, Brave, Opera, and Vivaldi should also watch for similar updates and apply them as soon as they become available.
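
To confirm that the update actually landed on more than one machine, the check below compares reported Google Chrome version strings against the fixed build named above. It is an added example, not code from Google or SQ Magazine; the hostnames and inventory are constructed, and it assumes any numerically later build also carries the fix.

```python
import re

# Fixed build named in the article (minimum across Windows, macOS and Linux).
FIXED_BUILD = (140, 0, 7339, 185)

# Chrome versions are four dot-separated integers: MAJOR.MINOR.BUILD.PATCH
_VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\.(\d+)\b")


def parse_version(text):
    """Return the first four-part version in `text` as a tuple of ints, or None."""
    match = _VERSION_RE.search(text)
    if match is None:
        return None
    return tuple(int(part) for part in match.groups())


def classify(text, fixed=FIXED_BUILD):
    """Classify a reported version string as 'patched', 'vulnerable' or 'unknown'."""
    version = parse_version(text)
    if version is None:
        return "unknown"
    # Tuple comparison is numeric per component, so .80 sorts below .185
    # (a plain string comparison would get this wrong).
    return "patched" if version >= fixed else "vulnerable"


def triage(inventory):
    """Map {host: version text} to {status: sorted list of hosts}."""
    report = {"patched": [], "vulnerable": [], "unknown": []}
    for host, text in inventory.items():
        report[classify(text)].append(host)
    return {status: sorted(hosts) for status, hosts in report.items()}


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = {
    "ws-01": "Google Chrome 140.0.7339.185",
    "ws-02": "Google Chrome 140.0.7339.80",
    "mac-07": "140.0.7339.186",
    "lin-03": "Google Chrome 139.0.7258.154 ",
    "ws-09": "Google Chrome 141.0.7390.54",
    "kiosk-2": "version not reported",
}

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{status:10} {', '.join(hosts) or '-'}")
```

Hosts that land in the "unknown" bucket should be treated as unpatched until a version is confirmed. Other Chromium-based browsers use their own version numbers, so this threshold applies to Google Chrome only.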

SQ Magazine Takeaway

As someone who lives online, I can’t stress this enough: update your browser right now. Zero-day flaws like CVE-2025-10585 are dangerous because they do not require users to click anything. Just visiting the wrong webpage can be enough to get infected. It’s rare to see such a clear call to action from Google, so when they say patch it immediately, they mean it. Don’t wait for the automatic update. Be proactive and stay protected.

Rajesh Namase

Tech Editor


Rajesh Namase is a seasoned tech blogger and digital entrepreneur. Known for creating the popular tech blog TechLila, he now covers cybersecurity and technology news with a focus on how digital trends shape modern life. Rajesh enjoys playing badminton, practicing yoga, and exploring new ideas beyond the screen.