Skip to main content

Microsoft Edge CVE-2026-50521

| EUVDEUVD-2026-41137 HIGH
Use After Free (CWE-416)
2026-07-01 microsoft GHSA-q4g4-rw2v-x4v7
8.3
CVSS 3.1 · Vendor: microsoft
Temporal: 7.2
Share

Severity by source

Vendor (microsoft) PRIMARY
8.3 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L
CIRCL (temporal)
7.2 HIGH
cvss
vuln.today AI
7.6 HIGH

Network-reachable low-complexity UAF, but browser exploitation realistically needs victim to render attacker content (UI:R) and some privilege (PR:L); C/I high, A partial per vendor.

3.1 AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:L
4.0 AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N

Primary rating from Vendor (microsoft).

CVSS VectorVendor: microsoft

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
Low

Lifecycle Timeline

2
Analysis Generated
Jul 01, 2026 - 20:52 vuln.today
CVE Published
Jul 01, 2026 - 20:14 cve.org
HIGH 8.3

DescriptionCVE.org

Use after free in Microsoft Edge (Chromium-based) allows an authorized attacker to execute code over a network.

AnalysisAI

Remote code execution in Microsoft Edge (Chromium-based) stems from a use-after-free (CWE-416) memory-corruption flaw that lets an authorized attacker run arbitrary code over a network within the browser process. Microsoft has shipped an official fix and rates it CVSS 8.3; the exploit-maturity metric is Unproven (E:U), meaning no public exploit identified at time of analysis and it is not listed in CISA KEV. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Gain authorized/low-privilege browser context
Delivery
Deliver crafted web content to Edge
Exploit
Trigger use-after-free on freed object
Execution
Reclaim heap and control dangling pointer
Impact
Execute arbitrary code in browser process

Vulnerability AssessmentAI

Exploitation Exploitation requires the attacker to hold some level of authorization (CVSS PR:L, and the description explicitly calls the actor an 'authorized attacker'), meaning it is not a fully unauthenticated internet-wide attack; the exact privilege - such as a logged-in browser session, a compromised low-privilege renderer, or authenticated access to attacker-served content - is not specified in the provided data and should be confirmed via the MSRC advisory. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L yields 8.3 (High), driven by network reachability, low complexity, and high confidentiality/integrity impact, offset by a requirement for some privilege (PR:L) and only partial availability impact (A:L). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker lures or directs a targeted Edge user to attacker-controlled web content (or leverages an already-authorized foothold implied by PR:L) that triggers the use-after-free, corrupting heap memory to hijack a freed object and execute code in the browser process. Given AC:L, the trigger is reliable once the vulnerable code path is reached, but the temporal metric E:U indicates no public exploit code exists at time of analysis, so exploitation would require original vulnerability-research effort.
Remediation Apply the vendor fix: Patch available per vendor advisory - update Microsoft Edge to the current patched Stable channel build via Edge's built-in update mechanism (edge://settings/help) or your enterprise update ring/WSUS/Intune deployment, referencing https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-50521 for the exact fixed version, which is not enumerated in the provided data. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Quantify Edge deployment footprint across the organization and prioritize systems handling sensitive data. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2026-57983 CRITICAL
10.0 Jul 03

Security-feature bypass in Microsoft Edge (Chromium-based) versions prior to 150.0.4078.48 lets a remote, unauthenticate

CVE-2026-57981 HIGH
8.8 Jul 03

Remote code execution in Microsoft Edge (Chromium-based) stems from a use-after-free memory corruption flaw (CWE-416) th

CVE-2026-57974 HIGH
8.8 Jul 03

Remote code execution in Microsoft Edge (Chromium-based) allows an unauthenticated attacker to run arbitrary code by lur

CVE-2026-56645 HIGH
8.8 Jul 03

Remote code execution in Microsoft Edge (Chromium-based) stems from a heap-based buffer overflow (CWE-122) that a networ

CVE-2026-57985 HIGH
8.8 Jul 03

Remote code execution in Microsoft Edge (Chromium-based) before version 150.0.4078.48 allows an unauthenticated remote a

CVE-2026-58281 HIGH
8.3 Jul 11

Remote code execution in Microsoft Edge (Chromium-based) lets an unauthenticated network attacker run arbitrary code by

CVE-2026-58289 HIGH
8.3 Jul 03

Remote code execution in Microsoft Edge (Chromium-based) before 150.0.4078.48 allows an unauthenticated attacker to run

CVE-2026-58596 HIGH
8.3 Jul 12

Privilege elevation in Microsoft Edge (Chromium-based) lets a network attacker escalate privileges by luring a victim in

CVE-2026-58288 HIGH
8.3 Jul 03

Remote code execution in Microsoft Edge (Chromium-based) stems from a use-after-free (CWE-416) memory-corruption flaw th

CVE-2026-58285 HIGH
8.3 Jul 03

Remote code execution in Microsoft Edge (Chromium-based) via a type-confusion flaw (CWE-843) lets an unauthorized attack

CVE-2026-58287 HIGH
8.3 Jul 03

Remote code execution in Microsoft Edge (Chromium-based) allows an unauthorized attacker to run arbitrary code when a vi

CVE-2026-58284 HIGH
8.3 Jul 03

Remote code execution in Microsoft Edge (Chromium-based) allows an unauthorized attacker to break out of the browser's s

Share

CVE-2026-50521 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy