Emergency Chrome Stable Patch (140.0.7339.185/.186) fixes an actively‑exploited V8 zero‑day


Key update

Google pushed an emergency Stable update (Chrome 140.0.7339.185/.186) on Sep 17–18, 2025 that fixes four high‑severity vulnerabilities—most critically CVE‑2025‑10585, a type‑confusion bug in the V8 JavaScript/WebAssembly engine that is being actively exploited in the wild. The release also addresses a heap buffer overflow in ANGLE and use‑after‑free bugs in WebRTC and Dawn (WebGPU). (theregister.com)

Why it matters

This is not a routine browser bump: an active exploit against V8 means merely visiting crafted content can lead to arbitrary code execution. Practical developer impact:

  • Immediately update developer machines and CI workers that run GUI or headless Chromium (local browsers, Playwright/Puppeteer runners, Lighthouse/axe scans).
  • Rebuild and roll CI images that include Chromium/Chrome (Docker images used for E2E tests, browserless containers, or any automated screenshot/test runners) so pipelines don’t execute tests with vulnerable binaries.
  • If your stack embeds Chromium or V8 (headless services, certain test harnesses, or third‑party components), verify vendor updates and apply them; don’t assume Node is affected unless its V8 version matches the patched range.

These steps reduce risk to developer workstations, CI secrets, and automated infrastructure that routinely loads web content.
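
A version gate for the steps above, as an added example that is not part of the original article: it fails a CI job when a browser binary on the runner reports a build older than 140.0.7339.185. The function names, the script name and the binary names in the usage comment are assumptions, and the sample banners in the comments are constructed.

```shell
#!/bin/sh
# Added example: CI gate for the fixed build named in the article.
FIXED_VERSION="140.0.7339.185"

# Pull the first four-part version out of a --version banner, e.g. the
# constructed samples "Google Chrome 140.0.7339.185" or "Chromium 140.0.7339.80".
extract_version() {
  printf '%s\n' "$1" | grep -Eo '[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+' | head -n 1
}

# Succeed if version $1 >= version $2, comparing the dotted fields as numbers
# (a string compare would wrongly rank 140.0.7339.80 above 140.0.7339.185).
version_ge() {
  _ifs=$IFS; IFS=.
  set -- $1 $2            # $1..$4 = candidate fields, $5..$8 = reference fields
  IFS=$_ifs
  for pair in "$1:$5" "$2:$6" "$3:$7" "$4:$8"; do
    have=${pair%%:*}; need=${pair##*:}
    if [ "$have" -gt "$need" ]; then return 0; fi
    if [ "$have" -lt "$need" ]; then return 1; fi
  done
  return 0
}

# Print "patched", "vulnerable" or "unknown" for a banner. Assumption: builds
# numbered above FIXED_VERSION carry the fix. "unknown" is treated as a failure
# so an unidentifiable binary cannot pass the gate silently.
classify_banner() {
  v=$(extract_version "$1")
  if [ -z "$v" ]; then echo "unknown"; return 2; fi
  if version_ge "$v" "$FIXED_VERSION"; then echo "patched"; return 0; fi
  echo "vulnerable"; return 1
}

# Check each browser binary passed as an argument; non-zero if any one fails.
check_binaries() {
  rc=0
  for bin in "$@"; do
    banner=$("$bin" --version 2>/dev/null) || banner=""
    verdict=$(classify_banner "$banner") || rc=1
    echo "$bin: $verdict ${banner:+($banner)}"
  done
  return "$rc"
}

# CI usage (binary names are assumptions): sh check.sh google-chrome chromium
if [ "$#" -gt 0 ]; then check_binaries "$@"; exit "$?"; fi
```

Run it as an early pipeline step against every browser binary the image contains, including copies bundled by test frameworks, so a stale image stops before it loads any web content.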
