Skip to main content
Live Webinar with SANS (June 25)— Agentic CTI Automation for Fun & ProfitRegister Free
Mallory
Back to vulnerabilities
CriticalCISA KEVExploited in the wildPublic exploit

Type Confusion in Google Chrome V8

IdentifiersCVE-2025-10585CWE-843· Access of Resource Using…

CVE-2025-10585 is a high-severity type confusion vulnerability in Google Chrome's V8 JavaScript and WebAssembly engine. According to the provided content, Chrome versions prior to 140.0.7339.185 are affected. A remote attacker can trigger the flaw by convincing a user to visit a crafted HTML page, leading to heap corruption in the browser process. The issue was reported by Google Threat Analysis Group on 2025-09-16, and Google stated that exploitation exists in the wild at the time of disclosure.

Share:
For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial
ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation can cause heap corruption in the Chrome browser process and may result in browser crashes or arbitrary code execution. The content also indicates the flaw was exploited as a zero-day in the wild and referenced in targeted espionage activity. As with other V8 memory corruption issues, further impact may depend on chaining with additional vulnerabilities to escape the sandbox or achieve broader system compromise.

Mitigation

If you can’t patch tonight, do this now.

If immediate patching is not possible, reduce exposure by restricting use of untrusted websites and web content, especially high-risk browsing contexts likely to deliver crafted HTML/JavaScript. Use layered browser protections such as sandboxing, browser isolation, and network-based controls where available. However, the content does not describe any vendor-provided workaround, so patching is the primary mitigation.

Remediation

Patch, then assume compromise.

Update Google Chrome to version 140.0.7339.185 or later. The provided content states Google released Chrome Stable updates to 140.0.7339.185/.186 for Windows and Mac and 140.0.7339.185 for Linux to address this issue. Apply the vendor patch as soon as it is available in your channel, and ensure the browser is restarted so the update takes effect.
PUBLIC EXPLOITS

Exploits

No valid public exploits. Mallory filtered out 1 candidate as fakes, detection scripts, or README-only repos.

VALID 0 / 1 TOTALView more in app

All candidate exploits were filtered out by Mallory's validation.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType
GoogleChromeapplication

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

177 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

177 SOURCESView more in app
cloudatg insightsNews
Feb 13, 2026
AI Development & Software Engineering | CloudATG

A Chrome zero-day type confusion vulnerability in the V8 engine reported as exploited in the wild.

Read more
cyberthroneNews
Dec 26, 2025
When Silence Broke Security: Zero-Days in 2025 - TheCyberThrone

Type confusion bug in Chrome V8 described as actively exploited in the wild.

Read more
cyberthroneNews
Dec 23, 2025
Top 25 Most Exploited Vulnerabilities 2025

A type confusion vulnerability in Google Chrome V8 engine, exploited as a zero-day for sandbox escape in espionage campaigns.

Read more
cyber security newsNews
Dec 17, 2025
Chrome Zero-Day Vulnerabilities Exploited in 2025 – A Comprehensive Analysis

A V8 type confusion vulnerability in Chrome, allowing heap corruption and arbitrary code execution via crafted HTML pages. Exploited in the wild.

Read more
+12 more in the timeline
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.
Start free trial
Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware

Malware families riding this exploit, with evidence and IOCs.

Detection signatures2

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity160

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES
MITRE CVE
cve.org · CVE-2025-10585
NVD
nvd.nist.gov/vuln/detail/CVE-2025-10585
MITRE CWE · CWE-843
Access of Resource Using Incompatible Type…
Vendor Advisory
chromereleases.googleblog.com/2025/09/stable-channel-update-for-desktop_17.html
Issue Tracking
issues.chromium.org/issues/445380761
US Government Resource
cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-10585