CVE-2025-10890: How Edge Chrome patch status and version checks work


Title: Why CVE‑2025‑10890 (V8 side‑channel) shows up in Microsoft's Security Update Guide — what it means for Chrome, Edge, and how to check your browser versions
Lede
  • On September 24, 2025 Google/Chromium published remediation for CVE‑2025‑10890, a “high” severity side‑channel information leakage in the V8 JavaScript engine. Because Microsoft Edge (the Chromium‑based version) consumes Chromium open‑source updates, Microsoft documents Chromium CVEs in its Security Update Guide so administrators and users can see whether their Edge build already contains the upstream fix and is therefore no longer vulnerable.
Why you’re seeing a Chromium CVE in Microsoft’s Security Update Guide — plain explanation
  • Chromium is an open‑source project that produces the browser engine and core code (Blink, V8, etc.) used by Google Chrome and by other browsers that are “Chromium‑based,” including Microsoft Edge. When Google or the Chromium project discovers and fixes a security bug in Chromium, the fix goes into Chromium/Chrome release builds first. Because Edge depends on the Chromium codebase, Microsoft ingests those security fixes into Edge builds and releases Edge updates that “incorporate the latest security updates of the Chromium project.” Microsoft records this ingestion and the resulting Edge builds (and the CVEs they address) in the Security Update Guide so customers know which product builds include the upstream fixes. This is why you will see Chromium CVEs listed in Microsoft’s catalog even though the original codebase is not Microsoft’s.
Short version: Microsoft is telling you “we’ve ingested the Chromium fix into Edge” so you can confirm your Edge install is protected.
What CVE‑2025‑10890 is (technical summary)
  • The public vendor descriptions characterize CVE‑2025‑10890 as a side‑channel information‑leak in V8 that could be abused by a remote attacker delivering a specially‑crafted page to exfiltrate cross‑origin data. In plain terms: a malicious webpage could use nuances of how V8 behaves to observe tiny timing/behavioral differences and infer sensitive data that should not be exposed across origins. Chromium classified the issue as “High.”
Was it actively exploited in the wild?
  • As of the public advisories published on and around September 24, 2025, CVE‑2025‑10890 has been reported and fixed; public sources that track the vulnerability do not indicate that this specific CVE was being actively exploited in the wild at the time of publication (contrast with other, separate V8 bugs around the same period that were explicitly described as exploited). That said, side‑channel and V8 flaws have real risk profiles — a well‑crafted exploit could be serious — so the recommended response is to update promptly.
Which builds contain the fix (Chromium / Chrome)
  • Google/Chromium fixed CVE‑2025‑10890 in the Chrome 140 stable update family. The patched Chrome builds are in the 140.0.7339.207+ range (Chrome 140.0.7339.207 was released to distribute fixes that included this V8 side‑channel patch). If your Chrome desktop build is older than 140.0.7339.207 it is in the “vulnerable” range described by the Chromium advisory; versions at or above 140.0.7339.207 contain the fix.
Why Microsoft published it in the Security Update Guide (official intent)
  • Microsoft’s release notes and security update pages explicitly state they “incorporate the latest Security Updates of the Chromium project,” and they call out when a Microsoft Edge release contains fixes for Chromium CVEs. Publishing those CVEs in the Security Update Guide gives Microsoft customers a single place to confirm whether an Edge build contains the upstream Chromium patch, and it supports enterprise patch‑management and compliance workflows. In short: it’s a tracking/communications and remediation status function for Edge customers.
How to check whether your browser is vulnerable — exact, practical steps
Below are the quickest, most reliable ways to check version information on the common Chromium browsers. Use the version number to compare to the remediation version (Chrome 140.0.7339.207 or Edge build that “ingests” that Chromium patch).
1) Google Chrome (desktop: Windows / macOS / Linux)
  • In Chrome’s address bar, enter chrome://version and press Enter. The first line is your full version string (for example: 140.0.7339.205). This is the most direct way and it does not trigger an update check.
  • Alternately: Menu (three dots) → Help → About Google Chrome (this will show the version and Chrome will automatically check for updates; relaunch to apply any downloaded update). If the version shown is lower than 140.0.7339.207, the browser is in the vulnerable range.
2) Microsoft Edge (Chromium‑based)
  • In Edge’s address bar, enter edge://version (or edge://settings/help). Both pages show the full Edge build string and the underlying Chromium version. Menu → Help and feedback → About Microsoft Edge will also check for updates and show your current version. Edge’s Settings → About page will explicitly tell you whether Edge is up to date. If your Edge build predates the Edge release that incorporated Chromium 140.0.7339.207 corrections, you should update Edge.
Exactly what to look for in the version string
  • Chrome: compare the full version string. The Chromium advisory lists “prior to 140.0.7339.207” as vulnerable; so 140.0.7339.206 and older are vulnerable, 140.0.7339.207 and newer are patched.
  • Edge: Microsoft releases Edge with its own Edge‑version number and a Chromium‑backend number. Microsoft documents which Edge builds “incorporate the latest security updates of the Chromium project” in its release notes. Look for an Edge Stable channel build that corresponds to the September 2025 ingestion of Chromium 140 fixes (for example, Microsoft’s September 19–23, 2025 security release cycle included Edge 140.x releases that ingest Chromium 140 security patches). If the About page shows a recent 140.x Edge (the precise build is listed on the About page and Microsoft’s release notes list the Edge build numbers), it means Microsoft has ingested the Chromium fixes.
How to update (end‑user and enterprise)
  • End users: About page in Chrome/Edge will normally download updates and offer a restart to apply them. For Chrome: Menu → Help → About Google Chrome → Relaunch. For Edge: Menu → Help and feedback → About Microsoft Edge → Restart (if an update was downloaded). On managed devices this might be blocked by policy.
  • Enterprises:
    • Microsoft Edge: distribute Edge security updates by Microsoft Update, Windows Update for Business, WSUS, MECM (SCCM), Intune, or via the Edge ADMX/Intune policy mechanisms. Microsoft documents security release notes for Edge and the Security Update Guide entries for specific CVEs; administrators should plan a rapid deployment for any Edge builds that include high‑severity Chromium fixes.
    • Chrome in enterprise: use Google Update for enterprise, Chrome Browser Cloud Management, or your organization’s software distribution tooling to push the Chrome 140.0.7339.207+ update. Google and security vendors recommend immediate patching for high‑severity V8 issues.
What “ingested by Edge” actually means for enterprises
  • Microsoft does not blindly re‑brand Chromium CVEs — it tests and bundles Chromium fixes into a Microsoft Edge update. The Edge security release notes and the Security Update Guide entries explicitly show which CVEs were fixed in which Edge build. That lets admins map the affected Chromium version to the Edge build they run and then schedule deployment. In practice you check the Edge About page against Microsoft’s Edge security release notes (Microsoft Learn release notes, and the Security Update Guide) to confirm the fix is present.
Risk assessment and recommended urgency
  • Because CVE‑2025‑10890 is a V8 side‑channel (high severity) vulnerability, the priority is high for patching in general. However, public reporting did not show this specific CVE as widely exploited in the wild at initial publication (other contemporaneous V8 CVEs were noted as exploited). That reduces—but does not eliminate—immediate emergency risk. Standard best practice: patch quickly, monitor EDR/NGAV telemetry for suspicious web‑based behaviors, and apply enterprise mitigations while you roll out the update.
Short, practical checklist (for desktop users)
  • Open Chrome: type chrome://version. If your version < 140.0.7339.207 → update Chrome.
  • Open Edge: type edge://version (or edge://settings/help). If your Edge build predates Microsoft’s September 19–23 2025 Edge security releases for Chromium 140 → update Edge.
  • If you are managed by an organization, contact your IT/Security team and confirm that the organization’s update channel (Windows Update for Business / WSUS / Intune / SCCM) has a scheduled Edge/Chrome update deployment.
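The "version < 140.0.7339.207" comparison in the checklist and in the section above is easy to get wrong if version strings are compared as text. The following added example (not part of the original post) parses Chromium‑style version strings numerically, applies the Chrome threshold from the advisory, and reports which entries in a constructed inventory still need the update; the host names and the "141.0.0.1" value are made up, and the Edge threshold is deliberately left out because the matching Edge build has to be taken from Microsoft's release notes.

```python
import re
from typing import Dict, List, Optional, Tuple

# Threshold quoted in the post from the Chromium advisory:
# builds prior to 140.0.7339.207 are vulnerable, 140.0.7339.207+ are patched.
CHROME_FIXED_VERSION = "140.0.7339.207"

_VERSION_RE = re.compile(r"^\d+(\.\d+){3}$")


def parse_version(text: str) -> Optional[Tuple[int, ...]]:
    """Return a 4-part numeric version as a tuple of ints, or None.

    Uses the first whitespace-separated token, so the first line of
    chrome://version ('140.0.7339.205 (Official Build) (64-bit)') works.
    """
    stripped = text.strip()
    token = stripped.split()[0] if stripped else ""
    if not _VERSION_RE.match(token):
        return None
    return tuple(int(part) for part in token.split("."))


def is_patched(version: str, fixed: str = CHROME_FIXED_VERSION) -> Optional[bool]:
    """True if version >= fixed, False if older, None if unparsable.

    Tuple comparison avoids the lexical-string mistake, where
    '140.0.7339.99' would wrongly sort above '140.0.7339.207'.
    """
    parsed = parse_version(version)
    if parsed is None:
        return None
    return parsed >= parse_version(fixed)


def find_unpatched(inventory_csv: str,
                   thresholds: Dict[str, str] = None) -> List[Tuple[str, str]]:
    """Return (host, version) for rows whose browser has a threshold and is
    not confirmed patched. Unparsable versions are reported too: an unknown
    version should be checked, not silently treated as safe."""
    thresholds = thresholds or {"chrome": CHROME_FIXED_VERSION}
    unpatched = []
    for line in inventory_csv.strip().splitlines():
        host, browser, version = [f.strip() for f in line.split(",")]
        fixed = thresholds.get(browser.lower())
        if fixed is not None and is_patched(version, fixed) is not True:
            unpatched.append((host, version))
    return unpatched


# Constructed sample inventory (hosts and 141.x value are made up): host,browser,version
SAMPLE_INVENTORY = """\
ws-01,chrome,140.0.7339.205
ws-02,chrome,140.0.7339.207
ws-03,chrome,140.0.7339.99
ws-04,chrome,141.0.0.1
ws-05,chrome,unknown
ws-06,edge,140.0.0.0
"""
```

Running `find_unpatched(SAMPLE_INVENTORY)` flags ws-01, ws-03 and ws-05; the Edge row is skipped until a threshold for "edge" is supplied from Microsoft's release notes.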
Mitigations and additional protections you can use while you update
  • Apply the browser update first — that’s the primary mitigation. For additional short‑term risk reduction:
  • Block or restrict JavaScript on untrusted sites (use content‑blocking extensions or Edge/Chrome site permissions). This can be disruptive but reduces attack surface for web‑delivered V8 exploits.
  • For enterprise users, consider using Application Guard / browser isolation at least until updates are deployed — it isolates untrusted browsing sessions in a container. Note: Microsoft Defender Application Guard for Edge is a capability that can help isolate untrusted sites; review Microsoft’s documentation and note recent deprecation/roadmap messages for App Guard in some enterprise contexts.
  • Ensure endpoint detection and response (EDR) tooling has up‑to‑date signatures and monitoring for web‑based exploit traffic; apply web filters to block known malicious URLs.
On detection: what to look for in logs
  • There are no universal “I saw CVE‑2025‑10890 in the log” events — the exploit is web‑delivered. Look for:
  • Unusual outbound requests to domains hosting suspicious HTML/JS payloads.
  • Browser crashes or renderer process crashes that line up with user visits of untrusted sites (V8 bugs often cause crashes during exploitation).
  • Any EDR or network detection alerts that reference “suspicious JavaScript behaviour,” fuzzing results, or unexpected child process activity spawned by the browser. If you have a SOC, forward relevant telemetry for enrichment and look for IOC patterns.
FAQ — short answers to common follow‑ups
  • Q: “If Chrome fixed it, is Edge still vulnerable?” A: Only if your Edge build is older than the Edge release that ingested the Chromium fix. Microsoft’s release notes show which Edge builds include Chromium security updates; validate with the About page in Edge.
  • Q: “Can I see the Chromium commit or bug?” A: Chromium issue URLs and the Chrome Releases blog are the canonical public places for the bug/commit details; when Google/Chromium restricts technical details they will still list the CVE and the patched builds, and sometimes keep exploit details restricted until a majority of users update.
  • Q: “Do I need to update other Chromium browsers (Brave, Opera, Vivaldi)?” A: Yes — other Chromium‑based browsers ship their own builds and must also update to versions that include the Chromium 140.0.7339.207 fixes. Vendors typically publish their own advisories.
Sources I used to verify facts (high‑quality, independent references)
  • Google/Chromium release notes and Chrome release posts that list the patched Chrome 140 builds and security summary.
  • Chromium/third‑party vulnerability trackers (NVD / CVE aggregators / OSV / CVE Details) summarizing CVE‑2025‑10890 and the affected versions.
  • Microsoft Edge security release notes and the Microsoft Learn pages that explicitly say Edge builds “incorporate the latest Security Updates of the Chromium project” and list Edge build numbers for the September 2025 updates. Microsoft documents why Chromium CVEs are recorded for Edge in the Security Update Guide and provides build mappings.
  • Microsoft support pages describing how to check Edge version and update behavior (About → About Microsoft Edge / edge://settings/help).
Final recommendation — what to do now
  • Immediately check the version of the browser(s) you or your organization uses (Chrome: chrome://version; Edge: edge://version or About Microsoft Edge). If the version is older than the patched release (Chrome < 140.0.7339.207 or Edge older than the September 2025 Edge builds that ingest Chromium 140 fixes), update now.
  • For enterprises: confirm your update pipeline has the Microsoft Edge update that ingested Chromium 140 security fixes, schedule a phased but rapid deployment, and monitor detection tooling during the rollout.
  • If you can’t update immediately: apply temporary mitigations (site isolation / block untrusted JavaScript / browser isolation) and increase monitoring for suspicious web activity.
If you’d like, I can:
  • Give you the exact commands/PowerShell or Intune/WSUS steps your IT team can run to query Edge or Chrome versions across a fleet and report which endpoints are below the safe version.
  • Produce a short email/notice you can send to end users that explains how to check their browser and update (copy/paste‑ready).
  • Look up whether a specific vendor (Brave, Opera, Vivaldi) has published an advisory and which version contains the Chromium 140 fix.
Which of those would be most useful right now?

Source: MSRC Security Update Guide - Microsoft Security Response Center