In mid‑September 2025, Google shipped an emergency update to its Chrome browser that fixes a dangerous use‑after‑free vulnerability in the WebRTC engine. Labeled CVE‑2025‑10501, the flaw earned a high severity rating from the Chromium team. The update, Chrome 140.0.7339.185 for Windows and Linux (140.0.7339.186 for macOS), also bundles fixes for three other critical memory bugs, including a V8 type confusion zero‑day that was actively exploited in the wild.

If you use Microsoft Edge, which relies on the same underlying Chromium code, Microsoft has already rolled the fix into its browser. But you won’t be protected until you install the latest Edge update. Here’s a breakdown of what happened, why it matters, and what you need to do right now.

The Patch: Chrome 140.0.7339.185 Arrived with Four Critical Fixes

On a single day in September, Chrome’s Stable channel jumped to build 140.0.7339.185 (and a macOS‑specific .186). The release notes listed four security patches, all rated high or critical:

  • CVE‑2025‑10501 – Use‑after‑free in WebRTC (high)
  • CVE‑2025‑10585 – Type confusion in V8 (high, actively exploited zero‑day)
  • CVE‑2025‑10500 – Use‑after‑free in Dawn (high)
  • CVE‑2025‑10502 – Heap buffer overflow in ANGLE (high)

CVE‑2025‑10501 is the one sending IT admins into action. WebRTC runs peer‑to‑peer audio, video, and data streams directly in the browser. A use‑after‑free bug in this component means an attacker can craft a web page that confuses the browser into accessing memory that’s already been freed. In the worst case, that memory corruption can be twisted into remote code execution inside the browser’s renderer process—the sandboxed part of Chrome that handles web content.

While Google’s security team did not say whether CVE‑2025‑10501 was exploited in the wild, the company took the rare step of bundling it with a separate zero‑day patch (CVE‑2025‑10585), which has been actively attacked. This accelerated disclosure means the details of the WebRTC bug remain under wraps to give users time to patch before attackers can reverse‑engineer it.

Why WebRTC Flaws Are Dangerous

WebRTC operates behind the scenes on video conferencing sites, browser‑based phone apps, and even some online games. It negotiates complex protocols to send high‑bandwidth media between peers. That negotiation involves parsing untrusted data—a ripe hunting ground for memory safety bugs.

A use‑after‑free (CWE‑416) occurs when code references a memory object after it’s released. Imagine tearing a page out of a notebook and then trying to read the same page number later—you might get nonsense, or if someone slipped in a malicious note, you might follow its instructions. In browser exploits, attackers use “heap grooming” to precisely control what lands in that freed spot, steering the browser toward executing their code.

Because WebRTC can be triggered by simply visiting a website (no user interaction beyond that), the attack surface is large. And since the browser already has network access, a successful compromise can steal cookies, login credentials, or pivot to internal networks.

Edge Users: The Fix Is In, But You Must Update

Microsoft Edge is built on Chromium, so it inherits both Chrome’s features and its security flaws. When Google patches Chromium, Microsoft must “ingest” the fix, test it, and release an updated Edge build. This process typically takes a day or two, but it can vary.

According to Microsoft’s Security Response Center (MSRC), the CVE‑2025‑10501 vulnerability “is in Chromium Open Source Software which is consumed by Microsoft Edge.” The advisory states that “the latest version of Microsoft Edge (Chromium‑based) is no longer vulnerable.” That means Microsoft has already shipped the fix. As of this writing, the current Edge Stable version that includes the Chromium 140 ingestion should be available through the browser’s built‑in updater.

Nevertheless, individual users and enterprises should not assume Edge is updated automatically. The update mechanism may be delayed by group policies, network restrictions, or simply because the browser hasn’t restarted in a while. You must verify the version.

How to check: In Edge, go to edge://settings/help. If the version is at or above the fixed Chromium build (look for a string referencing 140.0.7339.185 or higher), you’re safe. For Chrome, type chrome://settings/help and confirm it’s on 140.0.7339.185 or later (macOS .186).

How to Update Chrome and Edge Now

For Chrome users:
- Open Chrome.
- Click the three‑dot menu (⋮) > Help > About Google Chrome.
- Let the update download and click “Relaunch.”

For Edge users:
- Open Edge.
- Click the three‑dot menu (…) > Settings > About Microsoft Edge.
- Wait for the update check and relaunch if a new version is available.

If your browser reports that it’s up to date but the version number falls short, you may need to manually download the installer from the official websites. Do not use third‑party download sites; always get the browser directly from Google or Microsoft.

For IT Teams: Patching and Monitoring the Fleet

Enterprise administrators should treat CVE‑2025‑10501 with high urgency. Even though the patch is available, propagation across hundreds or thousands of endpoints takes time. Here is a quick‑action checklist:

  1. Inventory versions: Use your endpoint management console (Intune, SCCM, JAMF) to list all devices with Chrome or Edge.
  2. Identify vulnerable builds: Any Chrome instance below 140.0.7339.185 (Win/Linux) or 140.0.7339.186 (macOS) needs an immediate update. For Edge, tag any build that predates the Chromium 140 ingestion (the exact Edge version number will appear in the update history, typically a four‑part number like 140.0.7339.x).
  3. Push updates: Accelerate your standard rollout ring schedule. Focus on internet‑facing systems, kiosks, and workstations used by executives or IT staff first.
  4. Enhance monitoring: Watch for sudden spikes in browser crashes—especially renderer process crashes—across your fleet. These can signal exploit attempts. Configure your SIEM to alert on clusters of crash events within a short time window.
  5. Implement compensating controls (if patching is delayed): If a full update cannot be deployed immediately, enforce site isolation (--site-per-process flag or Edge’s “Enhance security” mode), restrict WebRTC features via Group Policy, and use URL filters to block known risky categories. These measures reduce the attack surface while the patch is being distributed.

Microsoft’s ingestion of Chromium fixes is generally reliable, but it’s a separate channel from Google’s Chrome updates. IT departments should subscribe to the MSRC’s security update feeds and track Edge release notes to confirm when a specific CVE is addressed. The MSRC page for CVE‑2025‑10501 is dated but already indicates active resolution; you can bookmark it and monitor Microsoft’s update history for your Edge build’s release notes to be sure.

The Bigger Picture: Browsers Under Siege

Chrome’s September update mirrors a familiar pattern. In recent years, memory‑safety bugs in high‑profile components like WebRTC, V8, and Skia have become prime targets. The September 2025 bundle—four high‑severity fixes, one zero‑day—reflects an industry where attackers are quick to weaponize browser flaws.

For Edge users, the reliance on Chromium means you’re on the same security train, a few cars back. Microsoft’s engineers are committed to rapid ingestion, but the very existence of a delay window—even one measured in hours—means that Edge users should be extra vigilant. This is not a criticism of Microsoft; it’s the reality of maintaining a downstream browser.

Looking ahead, Google’s decision to limit technical details until after a majority of users have updated is a standard and sensible practice. Expect more details on the WebRTC bug once the patch saturation reaches a safe threshold. In the meantime, threat intelligence feeds may pick up indicators of exploitation attempts. Keep an eye on reports from security firms, but don’t wait for confirmation: assume that a working exploit could appear at any time.

One more thing: Chromium isn’t just Chrome and Edge. Many Electron‑based apps (Slack, Teams, VS Code, Discord) and embedded browser components in line‑of‑business software also rely on Chromium. If you’re responsible for those environments, check whether your software vendors have shipped updates that incorporate the Chromium 140 security fixes. For applications that bundle their own Chromium, the update cycle can be much slower, making those installations a potential weak point.

The bottom line: update Chrome and Edge now. If you manage many devices, track the versions aggressively. A high‑severity WebRTC bug with a potential for remote code execution deserves immediate attention. The patch is here; it’s on all of us to deploy it.