CRITICAL🚩 CISA KEV⚡ EXPLOIT✓ PATCH🇵🇱 Wersja polska

CVE-2025-10585

CVSS 9.8v3.1pub. 2025-09-24upd. 2025-10-30

Type confusion in V8 in Google Chrome prior to 140.0.7339.185 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

🤖 AI Analysis
How it works

The type confusion error (CWE-843) occurs when the V8 engine incorrectly interprets the type of an object in memory, treating it as a different type than what was actually allocated. An attacker can exploit this by delivering a specially crafted HTML page to the victim, whose processing by V8 leads to heap corruption. It is sufficient for the user to visit the malicious page — no additional interaction or special privileges are required.

Impact

Successful exploitation of this vulnerability may allow an attacker to execute arbitrary code in the context of the browser process, which could consequently lead to takeover of the victim's system, disclosure of sensitive data, or compromise of system integrity.

Mitigation & patch

Google Chrome must be immediately updated to version 140.0.7339.185 or later. The update is available through the built-in Chrome update mechanism and on the vendor's website (https://chromereleases.googleblog.com/2025/09/stable-channel-update-for-desktop_17.html).

Who is affected

Google Chrome in all versions prior to 140.0.7339.185, running on Microsoft Windows, Linux, and Apple macOS systems.

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Apple macOS

    OS
    Apple
    wszystkie wersje
  • Google Chrome

    APP
    Google
    < 140.0.7339.185
  • Linux Kernel

    OS
    Linux
    wszystkie wersje
  • Microsoft Windows

    OS
    Microsoft
    wszystkie wersje

CISA KEV — detailsi

Vendori
Google
Producti
Chromium V8
Added to KEVi
September 23, 2025
Remediation deadline (US Federal)i
October 14, 2025(overdue)
Required action (CISA)i

Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

CISA descriptioni

Google Chromium contains a type confusion vulnerability in the V8 JavaScript and WebAssembly engine.

🔴
IMMEDIATE ACTION
Actively exploited in the wild (CISA KEV). Patch immediately.
CISA DEADLINE: 14 października 2025
CWE
References

Related vulnerabilities

CVE-2026-8398CRITICAL9.3⚠ KEVPL ✓ten sam produkt

Atak na łańcuch dostaw DAEMON Tools Lite — trojanizacja instalatorów

CVE-2025-43300CRITICAL10.0⚠ KEVPL ✓ten sam produkt

Apple iOS/iPadOS/macOS — out-of-bounds write przy przetwarzaniu obrazu

CVE-2025-34028CRITICAL9.3⚠ KEVPL ✓ten sam produkt

Commvault Command Center – nieuwierzytelniony RCE przez path traversal w ZIP

CVE-2025-31201CRITICAL9.8⚠ KEVPL ✓ten sam produkt

Apple: Obejście Pointer Authentication w iOS, macOS i innych platformach

CVE-2025-31200CRITICAL9.8⚠ KEVPL ✓ten sam produkt

Apple — memory corruption (RCE) w przetwarzaniu strumieni audio