What is Google Chrome's V8 Engine?
Google Chrome is the world's most widely deployed browser, running on billions of devices across Windows, macOS, Linux, Android, and iOS. V8 is Chrome's open-source JavaScript and WebAssembly engine — the component that compiles and executes JavaScript code within web pages. Because V8 processes untrusted attacker-controlled content by design (every web page runs JavaScript), vulnerabilities in V8 are particularly critical: a single crafted page can exploit a bug and escape the browser sandbox.
Chrome's TurboFan is V8's optimizing JIT compiler. It transforms frequently-executed JavaScript into highly optimized native machine code by making type assumptions about variables. When those assumptions are wrong — a condition called type confusion — the resulting machine code can be weaponized to read and write arbitrary memory.
Overview
CVE-2025-10585 is a type confusion vulnerability (CWE-843) in Chrome's V8 TurboFan JIT compiler. It was exploited as a zero-day in the wild before Google released a patch, making it the sixth Chrome zero-day of 2025. Google Threat Analysis Group (TAG) discovered the vulnerability and reported it on September 16, 2025; a fix shipped in Chrome 140.0.7339.185 the following day.
Affected Versions
| Product | Vulnerable | Fixed |
|---|---|---|
| Google Chrome (Windows/macOS) | < 140.0.7339.185 | 140.0.7339.185 / .186 |
| Google Chrome (Linux) | < 140.0.7339.185 | 140.0.7339.185 |
| Chromium-based browsers | Varies by V8 version | Update per vendor |
Technical Details
The root cause lies in TurboFan's helper function ZeroExtendsWord32ToWord64NoPhis, which incorrectly assumed that all 32-bit overflow-checked binary operations zero-extend their results to 64 bits. This assumption is valid for most operations but is false for 32-bit multiplication on ARM64. TurboFan propagates this incorrect type annotation through the compilation pipeline, generating machine code that treats a narrower value as a wider one.
An attacker exploits this by crafting JavaScript that uses Proxy objects and custom getter functions to manipulate TurboFan's type inference during JIT compilation. The resulting type confusion creates heap corruption, from which attackers establish arbitrary read/write primitives. The typical final stage uses a WebAssembly RWX (read-write-execute) memory region to inject and execute shellcode. A complete exploit chain additionally requires a sandbox escape to achieve code execution outside the browser process.
Key characteristics:
- No user interaction required beyond visiting a malicious page
- JIT compiler bugs are difficult to patch completely — Chrome had six V8/renderer zero-days in 2025
- ARM64 specifically affected due to the multiplication zero-extension assumption
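The zero-extension mismatch described above, as an added illustrative model written for this page (not V8 code): it assumes the overflow-checked 32-bit multiply is computed as a full 64-bit signed product (a widening multiply), so an in-range negative result leaves the upper 32 bits of the register set; a compiler that believes those bits are zero and omits the explicit extension then carries a different 64-bit value into later arithmetic than it should.

```python
# Illustrative model of the mis-typed zero-extension behind CVE-2025-10585.
# Assumption (not from the advisory): the overflow-checked Int32 multiply is
# computed as a widening signed multiply whose 64-bit register holds the whole
# signed product, so a negative result has its upper 32 bits set.
INT32_MIN, INT32_MAX = -2**31, 2**31 - 1
MASK64 = (1 << 64) - 1
MASK32 = (1 << 32) - 1


def int32_mul_with_overflow(a: int, b: int):
    """Return (register_bits, overflowed) for the modelled 32-bit multiply."""
    assert INT32_MIN <= a <= INT32_MAX and INT32_MIN <= b <= INT32_MAX
    product = a * b                       # exact signed product (fits in 64 bits)
    overflowed = not (INT32_MIN <= product <= INT32_MAX)
    return product & MASK64, overflowed   # 64-bit register image


def word32_value(register_bits: int) -> int:
    """What the JavaScript program observes: the low 32 bits as a signed int32."""
    low = register_bits & MASK32
    return low - (1 << 32) if low & (1 << 31) else low


def as_word64_assuming_zero_extended(register_bits: int) -> int:
    """A compiler that trusts 'the upper 32 bits are already zero' skips the
    explicit extension and consumes the raw 64-bit register content."""
    return register_bits


def as_word64_correct(register_bits: int) -> int:
    """The value an explicit zero-extension of the 32-bit result would give."""
    return register_bits & MASK32


def type_confusion_gap(a: int, b: int):
    """Return (int32_result, value_used_under_the_assumption, correct_value),
    or None when the multiply overflows (the JIT would deoptimize, no result
    flows on). The two 64-bit values differ exactly when the product is
    negative, which is where the zero-extension assumption breaks."""
    bits, overflowed = int32_mul_with_overflow(a, b)
    if overflowed:
        return None
    return (word32_value(bits),
            as_word64_assuming_zero_extended(bits),
            as_word64_correct(bits))
```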
Discovery
CVE-2025-10585 was discovered and reported by Google Threat Analysis Group (TAG), Google's internal team that tracks government-backed attackers and advanced persistent threats. TAG's involvement strongly suggests a nation-state actor was using this zero-day before disclosure, though Google withheld specific threat actor attribution at release time.
Exploitation Context
CVE-2025-10585 was actively exploited in the wild before the patch shipped. Google confirmed exploitation at the time of the Chrome 140.0.7339.185 release on September 17, 2025 — six days before CISA added it to the KEV catalog. This is the sixth Chrome zero-day of 2025, following CVE-2025-2783, CVE-2025-4664, CVE-2025-5419, CVE-2025-6554, and CVE-2025-6558 — a higher pace of confirmed zero-day exploitation than recent prior years.
No specific threat actor or campaign has been publicly named. The Chrome release blog noted "Google is aware of reports that an exploit for CVE-2025-10585 exists in the wild."
Remediation
- Update Chrome immediately to version 140.0.7339.185 or later. Navigate to Chrome menu → Help → About Google Chrome to trigger an automatic update and confirm the version.
- Apply updates to all Chromium-based browsers — Edge, Brave, Opera, Vivaldi, and other derivatives all use V8 and need vendor-specific updates after a V8 fix.
- Verify enterprise update policies — ensure managed devices apply browser updates within your patch window; the CISA KEV deadline was October 14, 2025.
- Monitor browser versions across your environment using endpoint management tooling — V8 zero-days can be silently exploited through phishing links or compromised ad networks without any user download.
- Enable Enhanced Safe Browsing in Chrome settings for real-time protection against known malicious pages while patches are being deployed.
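A version-triage pass over a browser inventory, as an added example for the remediation steps above (not from the advisory or any vendor tool). The inventory records are constructed sample data standing in for an endpoint-management export; versions compare numerically field by field, because a plain string comparison would rank 140.0.7339.99 above 140.0.7339.185.

```python
# Added example: flag Chrome installs still below the first fixed build for
# CVE-2025-10585. SAMPLE_INVENTORY is constructed data; a real run would read
# the export of your endpoint management tooling instead.
FIXED_CHROME = (140, 0, 7339, 185)   # first fixed Chrome build per the advisory

SAMPLE_INVENTORY = [  # constructed sample records
    {"host": "ws-01", "browser": "Google Chrome", "version": "140.0.7339.185"},
    {"host": "ws-02", "browser": "Google Chrome", "version": "140.0.7339.99"},
    {"host": "ws-03", "browser": "Google Chrome", "version": "139.0.7258.154"},
    {"host": "ws-04", "browser": "Google Chrome", "version": "140.0.7339.186"},
    {"host": "ws-05", "browser": "Microsoft Edge", "version": "140.0.3485.81"},
    {"host": "ws-06", "browser": "Google Chrome", "version": "141.0.7390.54"},
]


def parse_version(text: str) -> tuple:
    """Turn 'MAJOR.MINOR.BUILD.PATCH' into a tuple of ints for numeric compare."""
    parts = tuple(int(p) for p in text.strip().split("."))
    if len(parts) != 4:
        raise ValueError(f"unexpected Chrome version format: {text!r}")
    return parts


def is_chrome_vulnerable(version: str) -> bool:
    """True when the installed Chrome build predates the fixed build."""
    return parse_version(version) < FIXED_CHROME


def triage(inventory):
    """Group hosts into vulnerable / patched / check_vendor.

    Chromium derivatives (Edge, Brave, Opera, Vivaldi, ...) carry their own
    version numbering, so they are never compared against the Chrome build;
    they are queued for a vendor-specific check instead."""
    result = {"vulnerable": [], "patched": [], "check_vendor": []}
    for rec in inventory:
        if rec["browser"] != "Google Chrome":
            result["check_vendor"].append(rec["host"])
        elif is_chrome_vulnerable(rec["version"]):
            result["vulnerable"].append(rec["host"])
        else:
            result["patched"].append(rec["host"])
    return result


if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket:12s} {', '.join(hosts) or '-'}")
```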
Key Details
| Property | Value |
|---|---|
| CVE ID | CVE-2025-10585 |
| Vendor / Product | Google — Chromium V8 |
| NVD Published | 2025-09-24 |
| NVD Last Modified | 2025-10-30 |
| CVSS 3.1 Score | 9.8 |
| CVSS 3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| Severity | CRITICAL |
| CWE | CWE-843 |
| CISA KEV Added | 2025-09-23 |
| CISA KEV Deadline | 2025-10-14 |
| Known Ransomware Use | No |
Timeline
| Date | Event |
|---|---|
| 2025-09-16 | Reported to Google by Google Threat Analysis Group (TAG) |
| 2025-09-17 | Chrome 140.0.7339.185/.186 released with fix; zero-day exploitation confirmed |
| 2025-09-23 | Added to CISA Known Exploited Vulnerabilities catalog |
| 2025-09-24 | CVE published to NVD |
| 2025-10-14 | CISA BOD 22-01 remediation deadline |
References
| Resource | Type |
|---|---|
| Chrome Stable Channel Update — September 17, 2025 | Vendor Advisory |
| NVD — CVE-2025-10585 | Vulnerability Database |
| CISA KEV Catalog Entry | US Government |
| Google Patches Chrome Zero-Day CVE-2025-10585 | News |
| Deep Dive into Chrome's V8 Zero-Day Technical Analysis | Security Research |