CVE-2025-10585
Published: 24 September 2025
Summary
CVE-2025-10585 is a critical-severity Type Confusion (CWE-843) vulnerability in Google Chrome. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Drive-by Compromise (T1189); ranked in the top 27.9% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and RA-5 (Vulnerability Monitoring and Scanning).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly addresses the CVE by requiring timely identification, reporting, and patching of the V8 type confusion vulnerability in Chrome to version 140.0.7339.185 or later.
Enables detection of systems running vulnerable Chrome versions through continuous vulnerability scanning, facilitating targeted remediation.
Implements memory safeguards such as address space layout randomization and data execution prevention to hinder exploitation of heap corruption from the type confusion flaw.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Direct RCE via crafted HTML/JS page loaded in browser enables drive-by compromise and client-side exploitation.
NVD Description
Type confusion in V8 in Google Chrome prior to 140.0.7339.185 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
Deeper analysisAI
CVE-2025-10585 is a type confusion vulnerability (CWE-843) in the V8 JavaScript engine within Google Chrome prior to version 140.0.7339.185. It enables a remote attacker to potentially trigger heap corruption by processing a crafted HTML page. Chromium rates the flaw as High severity, with a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
The vulnerability can be exploited by any remote attacker with network access, requiring no privileges or user interaction beyond a victim loading the malicious HTML page in an affected browser. Exploitation leads to heap corruption, potentially allowing arbitrary code execution and high-impact compromise of confidentiality, integrity, and availability.
Google's Chrome Releases blog announces a stable channel update for desktop that patches the issue by upgrading to version 140.0.7339.185 or later. Additional details are available in the Chromium issue tracker at issues.chromium.org/issues/445380761.
The vulnerability appears in CISA's Known Exploited Vulnerabilities Catalog, signaling active real-world exploitation.
Details
- CWE(s)
- KEV Date Added
- 23 September 2025