Google is rolling out updated versions of Chrome to the masses, signaling that attackers are exploiting a newly discovered security hole.
“The Stable channel has been updated to 140.0.7339.185/.186 for Windows/Mac, and 140.0.7339.185 for Linux which will roll out over the coming days/weeks,” reads the announcement.
The mobile versions of Chrome are strengthened with the usual “stability and performance improvements,” plus the latest security fixes where they’re applicable (typically on Android).
The new Chrome addresses four security weaknesses – all rated “high” risk for potential damage if hackers exploit them. One of them, apparently, is being exploited.
CVE-2025-10585, a “type confusion” flaw in Chrome’s V8 JavaScript engine, was discovered by Google’s Threat Analysis Group this Tuesday.
Type confusion in Chrome's V8 is a security vulnerability that has been exploited in the past, allowing remote attackers to execute arbitrary code by tricking users into visiting a malicious website.
The weakness occurs when the V8 engine misinterprets the data it's working with, leading to memory corruption and potential control of the browser.
Attackers create websites with specially crafted JavaScript code that triggers the type confusion vulnerability in V8. Users are then tricked into visiting these malicious sites. Once the type confusion occurs, the attacker can exploit the resulting memory corruption to execute their own malicious code on the user's computer.
“Google is aware that an exploit for CVE-2025-10585 exists in the wild,” the advisory warns.
In other words, threat actors have already exploited it for malicious ends.
Google’s TAG team often uncovers and reports high-profile vulnerabilities typically used in spyware attacks on activists, dissidents, political rivals, human rights advocates, investigative journalists and other high-profile figures. Apple, Google, and WhatsApp-parent company Meta have been fighting the threat for years.
As we regularly warn, even if you’re not a high-risk person, it’s always a good idea to stay up to date with the latest security patches – you never know when you might trip a wire and become a target.
As a rule of thumb, avoid clicking on suspicious links in emails or on websites, as they could lead to compromised sites exploiting a vulnerability on your end.
As of today, you want to be on:
· Chrome 140.0.7339.185/.186 on Windows and Mac
· Chrome 140.0.7339.185 on Linux
· Chrome 141.0.7390.26 on iOS
· Chrome 140.0.7339.155 on Android
Note: Android releases contain the same security fixes as their corresponding Desktop releases, unless otherwise noted. If you use Chrome on your Android phone, be sure to update ASAP when Google warns of a weakness actively exploited by threat actors.
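If you look after more than one device, the fixed builds listed above can be checked in bulk. The following is an added example, not code from Google or from this article's author: it compares collected Chrome version strings against those builds, and the host names and inventory rows are constructed sample data.

```python
import re

# Lowest fixed build per platform, as listed in this article.
FIXED = {
    "windows": (140, 0, 7339, 185),
    "mac": (140, 0, 7339, 185),
    "linux": (140, 0, 7339, 185),
    "ios": (141, 0, 7390, 26),
    "android": (140, 0, 7339, 155),
}

VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\.(\d+)\b")

def parse_version(text):
    """Extract a four-part Chrome version from free text, or None if absent."""
    m = VERSION_RE.search(text)
    return tuple(int(p) for p in m.groups()) if m else None

def audit(rows):
    """rows: iterable of (host, platform, version_text). Returns {host: status}."""
    result = {}
    for host, platform, text in rows:
        fixed = FIXED.get(platform.lower())
        found = parse_version(text)
        if fixed is None or found is None:
            result[host] = "unknown"        # unsupported platform or no version seen
        elif found >= fixed:                # numeric, part-by-part comparison
            result[host] = "patched"
        else:
            result[host] = "needs-update"
    return result

# Constructed inventory (hypothetical hosts; text as an inventory tool might report it).
INVENTORY = [
    ("ws-01", "windows", "Google Chrome 140.0.7339.186"),
    ("ws-02", "windows", "Google Chrome 140.0.7339.99"),  # a string compare would rank .99 above .185
    ("mb-01", "mac", "Google Chrome 139.0.7258.155 "),
    ("lx-01", "linux", "Google Chrome 140.0.7339.185 "),
    ("ph-01", "android", "140.0.7339.155"),
    ("ph-02", "ios", "141.0.7390.10"),
    ("ws-03", "windows", "not installed"),
]

if __name__ == "__main__":
    for host, status in audit(INVENTORY).items():
        print(f"{host}: {status}")
```

Versions are compared as integer tuples because a plain string comparison would wrongly treat build .99 as newer than .185.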
The desktop version of Chrome automatically checks for the latest version every time it relaunches. If you haven’t closed Chrome in a while, you can start the process manually. Visit the three-dotted options menu, choose Settings -> About Chrome, and let the browser fetch the latest version from Google’s servers. When prompted, relaunch Chrome.
On mobile, simply download and install the updated version of Chrome from your official app store.
For peace of mind, run a dedicated security solution on all your personal devices.
Filip has 15 years of experience in technology journalism. In recent years, he has turned his focus to cybersecurity in his role as Information Security Analyst at Bitdefender.