CVE-2025-10585

CVSS 8.8 HIGHEPSS 5.4%● KEVCWE-843

Vexday Risk Score

71High priority

SSVC decision (CISA)

Act

Exploitation + impact → act immediately

CVSS 8.8EPSS 5.4%KEV simPoC públicaPatch —

Lifecycle

19 Sep 2025Public PoC

23 Sep 2025Active exploitation (CISA KEV)

24 Sep 2025Published on NVD

Recommendation: Patch as soon as possible — active exploitation confirmed.

In short

A flaw in Chrome's V8 engine allows attackers to confuse data types in memory, potentially causing heap corruption through a malicious webpage. This could lead to crashes or unauthorized code execution on your computer.

Technical detail

Type confusion vulnerability in V8 engine permits remote code execution via crafted HTML pages exploiting improper type checking in memory management. Successful exploitation requires user interaction (visiting malicious site) and results in heap corruption with potential arbitrary code execution in browser context.

Summary generated and translated by AI from the official description.

Type confusion in V8 in Google Chrome prior to 140.0.7339.185 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Affected products

Google · Chrome

public PoCs found — 1

githubgithub.com/AdityaBhatt3010/CVE-2025-10585-The-Chrome-V8-Zero-Day★ 13

⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://chromereleases.googleblog.com/2025/09/stable-channel-update-for-desktop_17.html https://issues.chromium.org/issues/445380761 https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-10585