A critical side-channel vulnerability has been discovered in the V8 JavaScript engine used by Google Chrome and other Chromium-based browsers. This flaw allows a remote attacker to bypass fundamental web security controls and steal sensitive data from other websites a user has open, simply by tricking them into visiting a specially crafted webpage. Successful exploitation could lead to the compromise of confidential user information, session credentials, and other private data.

This vulnerability is a side-channel information leakage flaw within the V8 JavaScript engine. An attacker can exploit this by creating a malicious HTML page containing specific JavaScript code. When a victim browses to this page, the script executes complex operations and precisely measures the time they take to complete. By analyzing these minute timing variations in CPU cache or other shared hardware resources, the attacker can infer data being processed in other origins (i.e., other browser tabs or iframes), thereby bypassing the Same-Origin Policy which is designed to prevent such interactions.

This vulnerability is rated as critical with a CVSS score of 9.1, posing a significant risk to the organization. A successful exploit could allow an attacker to steal sensitive information from other websites or internal web applications open in a user's browser, including session cookies, authentication tokens, and personally identifiable information (PII). The potential consequences include unauthorized account access, session hijacking, financial fraud, reputational damage, and regulatory penalties associated with data breaches.

Immediate Action: Prioritize the deployment of updates for all Chromium-based browsers across the environment. All instances of Google Chrome should be updated to version 140.0.7339.207 or later. Continue to monitor for exploitation attempts by reviewing endpoint and network security logs for anomalous browser behavior.

Proactive Monitoring: Implement enhanced monitoring of endpoint and network traffic. Look for unusual browser process behavior in EDR logs, such as high CPU utilization spikes inconsistent with normal browsing. Monitor web proxy and DNS logs for connections to suspicious or recently registered domains that may be hosting malicious exploit code.

Compensating Controls: If immediate patching is not feasible, consider implementing the following controls:

• Ensure browser security features like Site Isolation are enabled and enforced via policy, as this can add a layer of defense against cross-origin attacks.
• Deploy web filtering solutions to block access to known malicious or uncategorized websites.
• Educate users on the risks of navigating to untrusted websites and clicking on suspicious links delivered via email or other channels.

Public Exploit Available: False

Given the critical CVSS score of 9.1, this vulnerability requires immediate attention and remediation. Although CVE-2025-10890 is not currently on the CISA Known Exploited Vulnerabilities (KEV) catalog, its potential for widespread impact is severe. We strongly recommend that the organization prioritizes the patching of all affected browsers to the recommended versions. This action is the most effective way to mitigate the risk of cross-origin data theft and protect sensitive corporate and user information.