Why Edge Lists Chromium CVEs in the Security Update Guide

The short answer: Microsoft documents Chromium-assigned CVEs in the Security Update Guide because Microsoft Edge (the Chromium-based Edge) consumes Chromium OSS. MSRC adds those CVE entries to show customers the vendor-of-origin (Chrome/Chromium) information and to indicate whether the current Microsoft Edge build contains the Chromium fix (so the product is no longer vulnerable). To check whether your installation is affected you look up (a) which Chromium/Chrome version contains the fix, and (b) what Chromium base your Microsoft Edge build is running — then compare. MSRC and the Security Update Guide are explicit about this practice.
Below I explain the why in plain language, then give concrete, copy‑and‑paste steps (and command examples) so you can quickly see your browser version and compare it to the fixed Chromium version. I include multiple authoritative references you can use to verify the facts and the mapping workflow.
Why Microsoft includes Chrome/Chromium CVEs in the Security Update Guide (short, plain)

• Edge (the “new” Microsoft Edge) is a Chromium‑based browser: Microsoft takes the Chromium open‑source project, adds Edge features, and ships releases based on a particular Chromium baseline. That means security fixes made upstream in Chromium/Chrome will also affect Edge once Microsoft updates Edge’s Chromium baseline.
• The Security Update Guide supports CVEs assigned by other vendors/industry partners (for example, Chrome). Microsoft documents those CVEs in the Guide so customers know the CVE exists in upstream Chromium, and to record whether Microsoft Edge has ingested the upstream fix (so customers can see the “Edge status” for that CVE). In short: the entry is there to say “this was a Chromium issue; here’s Microsoft’s status for Edge.”

How to check if your browser is vulnerable — the reliable workflow (3 steps)
1) Find the CVE entry and determine the upstream (Chromium/Chrome) fixed version.

• Look up the CVE on Chrome’s release notes (Chrome Releases), NVD/OSV, or the Chromium issue tracker. Chrome release posts typically show the Chrome/Chromium version that contains the fix. Example: Chrome release notes show which Chrome 134 builds fixed several “out‑of‑bounds read in Media” and related CVEs. Use the Chrome Releases blog or NVD/OSV entries for the CVE to obtain the fixed Chromium version.

2) See what version of Microsoft Edge you have, and — critically — what Chromium version Edge is built on.

• On desktop (Windows/macOS/Linux) open Microsoft Edge and go to Settings → Help & feedback → About Microsoft Edge. That page shows your Microsoft Edge version and will also automatically check for updates. Microsoft’s support docs show that process.
• For the Chromium baseline inside Edge, go to edge://version (or edge://system). That page lists both the Microsoft Edge version and the underlying “Chromium” version number; the Chromium number is what you compare to the upstream fixed Chromium version. (Note: the About page sometimes shows the “based on Chromium” text, while edge://version/edge://system displays the exact Chromium build.)

3) Compare them.

• If the Chromium version that fixed the CVE is less than or equal to the Chromium version listed in your edge://version output, your Edge build contains the upstream fix and is not vulnerable to that specific upstream issue (assuming Microsoft didn’t reintroduce anything). If your Edge Chromium baseline is older, you are still vulnerable until you update Edge to a build with a newer Chromium baseline. If you want absolute certainty, check the Edge release notes for the specific Edge build that lists the Chromium version and/or the CVE in “fixed” list. Chrome release notes and Edge release notes are the canonical sources for which builds include which fixes.

Step‑by‑step: exactly what to click/type on each platform
A. Microsoft Edge (desktop: Windows / macOS / Linux)

• GUI method (fastest):
• Open Microsoft Edge.
• Click the three dots (Settings and more) at the top‑right.
• Choose Help and feedback → About Microsoft Edge.
• That page shows your Edge version and will trigger an update check.
• Direct URL method:
• Type edge://settings/help into the address bar and press Enter (same About page).
• To see the Chromium baseline and other internals:
• Type edge://version into the address bar and press Enter. Look for the “Chromium” (or “Based on Chromium”) line — it reports the Chromium major/minor/build numbers you will compare to Chrome’s fixed version numbers. (edge://system shows additional build details).
• Command line (Windows/macOS/Linux):
• Windows (PowerShell/CMD): "msedge --version" — prints something like Microsoft Edge 134.0.xxxx.yyy; note this normally prints the Edge version, not the Chromium baseline. For the Chromium baseline prefer edge://version.
• Linux: "microsoft-edge --version" or "msedge --version". (Behaviour can differ by package/distribution.)

B. Google Chrome (desktop)

• GUI:
• Open Chrome.
• Click the three dots → Help → About Google Chrome. Chrome will display its version and check for updates.
• Direct URL:
• chrome://settings/help or chrome://version to see Chrome’s detailed build numbers (including the V8/Chromium revision info).
• Command line:
• macOS / Linux: "google-chrome --version" or "chromium --version" (depending on package).
• Windows: "chrome.exe --version" (from a command prompt in the Chrome installation folder).

C. Mobile (Edge on Android / iOS)

• Edge app: Settings (tap three dot menu) → Settings → About Microsoft Edge (or “About” near the bottom). The About screen shows the app version. Edge mobile doesn’t expose edge://version but the About page shows version and will indicate if it’s up to date.

Interpreting the numbers: matching Chromium vs. Edge

• Example (illustration): If Chrome release notes or NVD say “CVE‑2025‑1919 fixed in Chromium / Chrome 134.0.6998.35”, and your edge://version shows “Chromium 134.0.6998.44” or any chromium 134.x where x ≥ 6998.35 (the build for that fix), then Edge contains that Chrome/Chromium fix and you are not vulnerable to that upstream bug (again, assuming Microsoft didn’t reintroduce a regression). Chrome’s release posts commonly list the Chrome build that fixed a CVE; Edge release notes list what Chromium baseline each Edge release used — compare those numbers. See Chrome’s release blog for examples.

If the CVE page in the Security Update Guide is terse or hard to parse

• MSRC/Security Update Guide often lists these Chrome/Chromium CVEs as “Third‑party” or with an “Assigning CNA = Chrome” note and explains that Edge ingests Chromium; the entry is there primarily to show the status for Edge. Use the Security Update Guide CVE page to find Microsoft’s “Customer action required” guidance for Edge. The MSRC blog explains the approach the Guide uses for industry‑assigned CVEs.

A worked example (conceptual)

• You see CVE-2025-1919 (Out‑of‑bounds read in Media) in the Security Update Guide. You open the CVE entry (or NVD/OSV). It says Chrome fixed it in Chrome/Chromium 134.0.6998.35.
• You open edge://version on your Edge installation and see “Chromium 134.0.6998.44” (or some Chromium 134.x where the build is >= 6998.35). That means your Edge build contains the upstream fix. If instead your Edge’s Chromium baseline is 133.x, you need to update Edge.

Practical notes, gotchas and enterprise situations

• Automatic updates: Chrome and Edge normally auto‑update in the background, but enterprise management, Group Policy, or package managers can block/lag updates. If your organization manages browsers, contact IT. Microsoft’s Edge About page may show disabled update toggles if the browser is managed.
• Version mapping nuance: Microsoft sometimes lists the Edge “version” (for example, Edge 134.xyz) and separately the Chromium baseline. Always compare the upstream Chromium version/build to the chromium line in edge://version (don’t compare only the human Edge major number).
• CVSS / severity differences: an OSS CVE’s severity (as documented for Chromium) can differ from Microsoft’s product scoring for the same issue as it manifests in Edge. That’s why MSRC sometimes assigns a Microsoft‑specific score or provides product‑specific guidance. The Security Update Guide supports CVEs assigned by industry partners to make this transparent.

If you find your Edge is vulnerable (what to do)

• Update Edge to the latest stable release: Settings → About Microsoft Edge (edge://settings/help) and allow it to download and restart. Microsoft documents how About triggers update checks.
• If the Edge build available from your organization is still older and cannot be upgraded immediately, consider:
• Enabling Edge’s “Enhanced security” protections (or other mitigation toggles documented by Microsoft) if available.
• Blocking risky sites and scripts by policy or extension, or disabling the media component in scenarios where the attack vector is known to use crafted media (this is highly situational and not always practical).
• Work with IT to prioritize a safe rollout of the fixed Edge build.
• For servers or packaged Chromium builds (not Edge) follow vendor/OS vendor guidance (Debian/Ubuntu/Fedora etc.) — they publish advisories mapping CVE → package versions.

References and authoritative places to check (quick list)

• Why Microsoft lists third‑party CVEs in the Security Update Guide — MSRC blog: “Security Update Guide supports CVEs assigned by industry partners.”
• How to find which Chrome/Chromium release fixed a CVE — Chrome Releases blog (example: March 4, 2025 chrome 134 release which lists fixes). Use chromereleases.googleblog.com for upstream fixed versions.
• How to see Microsoft Edge version / About page — Microsoft Support: Find out which version of Microsoft Edge you have.
• How to check Chromium baseline inside Edge (edge://version / edge://system) — community documentation and how‑to articles that show edge://version contains the Chromium build details.
• NVD / OSV for CVE details and fixed versions — NVD and OSV often show the Chrome/Chromium text describing “fixed in Chrome X.Y.Z”. Use NVD/OSV if you prefer a normalized CVE listing.

Quick checklist you can copy and use right now

• To check Edge version & chromium baseline: open Edge → address bar → type edge://version → note the “Microsoft Edge” version and the “Chromium” version. Compare the Chromium version to the “fixed in” Chromium version listed in Chrome Releases or the CVE entry (NVD/OSV).
• To update Edge immediately: open Edge → Settings and more → Help and feedback → About Microsoft Edge → let it download and restart.
• To check Chrome: open Chrome → Help → About Google Chrome or chrome://version.

If you want, I can:

• Look up the specific Security Update Guide CVE entry you linked (CVE‑2025‑11211) and extract the “Affected products / Microsoft status” text and any Edge fixed‑version notice (I’ll pull the Security Update Guide page and/or Edge release notes, then show you the exact Chromium/Edge build numbers to compare). I’ll need your confirmation to go fetch and quote those pages.
• Or, if you prefer, paste the output of edge://version from your machine here (just the few lines with Microsoft Edge and Chromium versions) and I’ll tell you immediately whether that build is new enough to contain the Chromium fix for the CVE number you care about (once I look up the CVE → Chromium fixed version).

Which would you like me to do next? I can fetch the MSRC/Security Update Guide CVE page and Chrome release notes for the specific CVE you cited (CVE‑2025‑11211) and report the exact versions to check — or I can walk you through the steps while you check edge://version and paste the result.

---

Source: MSRC Security Update Guide - Microsoft Security Response Center