Skip to main content
Live Webinar with SANS (June 25)— Agentic CTI Automation for Fun & ProfitRegister Free
Mallory
Back to vulnerabilities
Critical

Side-channel information leakage in Google Chrome V8

IdentifiersCVE-2025-10890CWE-310

CVE-2025-10890 is a high-severity information disclosure vulnerability in the V8 JavaScript engine used by Google Chrome. According to the provided content, the flaw is a side-channel information leak that affects Chrome versions prior to 140.0.7339.207, with Windows and Mac patched in 140.0.7339.207/.208 and Linux patched in 140.0.7339.207. A remote attacker can exploit the issue by serving a crafted HTML page and inducing a victim to open it in a vulnerable Chrome instance. Successful exploitation allows leakage of sensitive cross-origin data via side-channel techniques. The content does not identify a specific vulnerable function or code path within V8.

Share:
For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial
ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation allows a remote attacker to obtain sensitive information from the victim’s browser context, specifically including cross-origin data leakage as described in the provided content. The primary impact is loss of confidentiality rather than integrity or availability. The issue is rated High severity by Chromium.

Mitigation

If you can’t patch tonight, do this now.

The provided content does not describe a specific workaround for Chrome itself beyond applying the vendor patch. Temporary risk reduction would require limiting exposure to untrusted web content and reducing the ability of users to open attacker-controlled pages until the browser is updated, but the authoritative remediation in the content is to install the fixed version.

Remediation

Patch, then assume compromise.

Update Google Chrome to a fixed release. The provided content states that the issue is fixed in Chrome 140.0.7339.207 for Linux and 140.0.7339.207/.208 for Windows and Mac. More generally, upgrade to version 140.0.7339.207 or later, using the vendor-provided update channel.
PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType
GoogleChromeapplication

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

14 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

14 SOURCESView more in app
cybersecurity help czNews
Jan 1, 2026
SB20250923100 - Multiple vulnerabilities in Google Chrome

A side-channel information disclosure vulnerability in the V8 component of Google Chrome that can allow a remote attacker to access sensitive information via a specially crafted web page.

Read more
zeropath blogNews
Sep 24, 2025
Chrome V8 Integer Overflow (CVE-2025-10891): Brief Summary and Patch Details - ZeroPath Blog | ZeroPath

A side-channel information leakage vulnerability in Chrome's V8 engine that could allow attackers to infer sensitive information.

Read more
zeropath blogNews
Sep 24, 2025
Google Chrome V8 Integer Overflow (CVE-2025-10892): Brief Summary and Technical Review - ZeroPath Blog | ZeroPath

Referenced as another recent high-severity vulnerability affecting Google Chrome's V8 engine, but no further details are provided in the content.

Read more
chrome releases blogNews
Sep 23, 2025
Chrome Releases: Stable Channel Update for Desktop

A high-severity side-channel information leakage vulnerability in Chrome's V8 engine.

Read more
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.
Start free trial
Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware

Malware families riding this exploit, with evidence and IOCs.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity9

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES
MITRE CVE
cve.org · CVE-2025-10890
NVD
nvd.nist.gov/vuln/detail/CVE-2025-10890
MITRE CWE · CWE-310
cwe.mitre.org
Vendor Advisory
chromereleases.googleblog.com/2025/09/stable-channel-update-for-desktop_23.html
Issue Tracking
issues.chromium.org/issues/430336833