Microsoft’s Security Response Center has published an advisory for a low-severity Chromium flaw that could trick users into trusting a malicious site in Microsoft Edge’s Split View. The notice, issued on January 14, 2026, confirms that Edge Stable version 144.x now carries the upstream fix that landed in Chrome 144 the day before. For users and IT teams, the message is simple: if your Edge install is still on version 143 or earlier, update now.
The Bug: When the Browser UI Tells a Lie
CVE-2026-0907 is categorized as an “incorrect security UI in Split View.” That label describes a glitch in how the browser’s address bar, lock icon, or credential prompts behave when web content is displayed side-by-side — a mode often used in Edge’s side panel, developer tools, or multitasking panes.
Unlike a memory corruption flaw that hands remote code execution to an attacker, this bug is about deception. An attacker could exploit the inconsistency to make one pane appear more trusted than it is. A user might see a legitimate-looking padlock or origin label for a phishing page, believing they are on a safe site. “Incorrect security UI” covers a range of potential misrepresentations: a missing “Not secure” warning, a fake lock icon, or dialog boxes that appear to originate from a different origin.
Microsoft and Google both rate the vulnerability as low severity. That’s accurate for the direct technical risk — no code runs, no memory is overwritten. But in a world where phishing remains the most common attack vector, a subtle UI lie can still cause real damage. As first reported by Microsoft’s advisory, the bug is now fully resolved in Edge after the browser ingested the latest Chromium security updates.
Why the Fix Shows Up in Microsoft’s Advisory
The CVE was originally assigned upstream in the Chromium open-source project, which powers both Chrome and Edge. When Chromium releases a security fix, downstream browsers must pull that change into their own codebase, test it, and ship a vendor-specific update. Microsoft’s Security Update Guide acts as the official record for when an Edge build incorporates those fixes.
The advisory states clearly: “The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.” That language isn’t about blame — it’s about operational clarity. For an enterprise that must prove a patch was applied, the Guide is a source of truth.
For a mixed fleet running both Chrome and Edge (or other Chromium-based browsers), this single record lets admins coordinate updates across vendors. It also answers the common question: “If the bug is in Chromium, why do I see a Microsoft advisory?” Because every downstream vendor must independently state when their product is fixed.
Timeline: From Chrome 144 to Edge 144.x
The fix for CVE-2026-0907 rolled out in Chrome 144, which hit the Stable channel on January 13, 2026. Desktop builds for Windows and macOS shipped as version 144.0.7559.59/.60 (minor platform packaging differences account for the variant). Edge’s equivalent ingestion followed the next day, on January 14, when Microsoft released a Stable channel update to version 144.x — the first Edge build to include the Chromium 144 security payload.
Before that, Edge Stable sat at version 143.0.3650.139, published earlier in January. That build did not contain the Split View UI fix. If your environment still has Edge 143 (or any 14x build prior to the January 14 release), you remain exposed to the bug.
| Browser | Build containing fix | Release date |
|---|---|---|
| Google Chrome | 144.0.7559.59/60 (Stable) | January 13, 2026 |
| Microsoft Edge | 144.x (Stable) | January 14, 2026 |
Table: Builds that resolve CVE-2026-0907. Edge version numbers include a four-part string (e.g., 144.0.3124.50); confirm using edge://version.
What This Means for You
For home users and small businesses
If you let your browser auto-update, you’re very likely already patched. But it’s worth a manual check: a quick trip to edge://settings/help or chrome://settings/help forces an update check and displays your current version. Restart the browser if an update was just applied. The risk of active exploitation is low, but phishing campaigns often move fast once a technique is public. Don’t give them an old, unpatched browser to exploit.
For IT administrators and help desks
This CVE should appear on your patch radar even though it’s low severity. Why? Because it affects a UI trust mechanism — and phishing is still your users’ top threat. In large fleets, you can verify coverage by scripting a version inventory. The PowerShell snippet below reads the Edge executable’s file version:
(Get-Item "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe").VersionInfo.ProductVersion
If the output begins with “144.” and was obtained on or after January 14, 2026, you’re good. For Chrome, use chrome --version or read the file version from C:\Program Files\Google\Chrome\Application\chrome.exe.
Remote inventory tools (SCCM, Intune, or custom WMI queries) can collect this data at scale. Match the results against the “fixed in” builds in the table above, and schedule updates for any outliers.
For developers and embedded runtime owners
Electron apps, kiosk systems, and other tools that embed Chromium often lag behind browser updates. The Split View bug could exist in those runtimes if they embed a vulnerable Chromium version. Check with your application vendor for a patched build and include embedded Chromium instances in your regular CVE scans. This is a common blind spot.
How We Got Here: Chromium CVEs and the Browser Supply Chain
The cross-vendor patching dance is nothing new, but it trips up newcomers every cycle. Chromium is updated roughly every four weeks, with security fixes landing first in Chrome Stable. Downstream browsers — Edge, Brave, Opera, Vivaldi — then pull those changes on their own schedule. Microsoft publishes periodic “Chromium security updates” in its Edge release notes, often accompanied by a list of CVEs addressed. The Security Update Guide formalizes that for compliance teams.
CVE-2026-0907 is one of several such bugs Microsoft has documented in recent cycles. By marking it in the Guide, Microsoft gives administrators a definitive reference: “Edge build 144.x is the line in the sand.”
What to Do Now: A Three-Step Checklist
1. Check your version
Open Edge and navigate to edge://version. The first line shows the full version string. Compare against the fixed build; version 144 or later is the target.
2. Update if needed
- Edge:
edge://settings/helptriggers an update check. If a newer version downloads, restart the browser. - Chrome:
chrome://settings/helpdoes the same. - For managed fleets, push the latest stable build via your software distribution tool (Windows Update for Business, SCCM, Intune).
3. Verify and document
After patching, re-run your inventory scripts to confirm the build number. For audit or compliance records, capture the Microsoft advisory URL and the Edge release notes entry that mentions Chromium security updates. The Security Update Guide entry for CVE-2026-0907 is the authoritative statement that Edge is no longer vulnerable.
If you can’t patch immediately
For systems that must stay on an older build temporarily, apply compensating controls:
- Use web filtering to block high-risk categories.
- Restrict sensitive user sessions to a managed browser or known-good sites.
- Monitor endpoint detection tools for unusual credential prompts or unexpected redirects.
Outlook: The Constant Drumbeat of Chromium Fixes
CVE-2026-0907 won’t be the last Chromium UI bug to surface. Microsoft’s integration of Chromium CVEs into its advisory process is now standard practice, and it’s a model that other downstream vendors are likely to follow — or at least that enterprise customers should demand. The next major Chromium release will almost certainly bring a fresh batch of low- and medium-severity issues, and administrators who have automated version-checking pipelines will handle them in minutes, not days.
For users, the takeaway is straightforward: browser updates aren’t just about speed improvements or new features. They quietly close security doors even when the severity label doesn’t scream “critical.” In a phishing-dominated threat landscape, a browser that can’t reliably show you who you’re talking to is a browser you shouldn’t be running.