Skip to main content

Microsoft Edge CVE-2026-45492

| EUVDEUVD-2026-30786 MEDIUM
Improper Input Validation (CWE-20)
2026-05-18 microsoft GHSA-c6cv-85fc-cwmv
5.4
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.4 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

1
Analysis Generated
May 18, 2026 - 18:37 vuln.today

DescriptionCVE.org

Microsoft Edge (Chromium-based) Security Feature Bypass Vulnerability

AnalysisAI

Security feature bypass in Microsoft Edge (Chromium-based) versions prior to 148.0.3967.70 enables remote attackers to circumvent browser security controls through improper input validation (CWE-20), resulting in limited confidentiality and integrity compromise. The CVSS vector (AV:N/AC:L/PR:N/UI:R) confirms exploitation is network-based, requires no attacker privileges, but demands user interaction - consistent with a browser-based attack requiring a victim to engage with malicious content. No public exploit code or CISA KEV listing has been identified at time of analysis.

Technical ContextAI

The vulnerability is rooted in CWE-20 (Improper Input Validation), a class of flaws where attacker-supplied input is not adequately sanitized or validated before use, enabling security boundary circumvention. The affected product is Microsoft Edge in its Chromium-based variant, covering all releases from 1.0.0.0 up to but not including 148.0.3967.70 per CPE cpe:2.3:a:microsoft:microsoft_edge_(chromium-based):*:*:*:*:*:*:*:* and EUVD-2026-30786. The 'Google' tag suggests the underlying flaw may originate in the shared Chromium codebase rather than a Microsoft-specific layer, though this is inferred rather than confirmed. The bypass is scoped to a single user (S:U), limiting lateral impact within the browser.

RemediationAI

Vendor-released patch: Microsoft Edge 148.0.3967.70. Organizations and individual users should update to Edge 148.0.3967.70 or later immediately via Microsoft Update, the Edge built-in update mechanism, or enterprise deployment tools. The authoritative advisory and patch guidance is published at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-45492. If immediate upgrade is not operationally feasible, defenders can reduce exposure by restricting users from visiting untrusted websites in Edge, enforcing web content filtering to block unknown or newly-registered domains, and monitoring browser telemetry for anomalous navigation events. Note that these compensating controls reduce but do not eliminate risk, as the user-interaction requirement can still be satisfied through phishing or malvertising on otherwise-trusted domains.

Share

CVE-2026-45492 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy