Skip to main content

Microsoft Edge CVE-2026-55945

| EUVDEUVD-2026-41645 MEDIUM
Race Condition (CWE-362)
2026-07-03 microsoft GHSA-vr8w-r9rr-cvrq
4.2
CVSS 3.1 · Vendor: microsoft
Temporal: 3.7
Share

Severity by source

Vendor (microsoft) PRIMARY
4.2 MEDIUM
AV:L/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:N
CIRCL (temporal)
3.7 LOW
cvss
vuln.today AI
2.8 LOW

Local-only access (AV:L), race condition demands precise timing (AC:H), low-privilege authorized attacker; scope change for cross-boundary disclosure; no integrity or availability impact per disclosure-only description.

3.1 AV:L/AC:H/PR:L/UI:N/S:C/C:L/I:N/A:N
4.0 AV:L/AC:H/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N

Primary rating from Vendor (microsoft).

CVSS VectorVendor: microsoft

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:N
Attack Vector
Local
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jul 03, 2026 - 22:01 vuln.today

DescriptionCVE.org

Concurrent execution using shared resource with improper synchronization ('race condition') in Microsoft Edge (Chromium-based) allows an authorized attacker to disclose information locally.

AnalysisAI

Race condition in Microsoft Edge (Chromium-based) permits a locally authenticated, low-privileged attacker to disclose information beyond the intended security boundary, with the CVSS scope change (S:C) indicating impact can extend outside the directly vulnerable component - potentially across process or sandbox boundaries within the browser. No public exploit code has been identified and this CVE is not listed in the CISA KEV catalog, placing it in a lower operational priority tier despite the scope change. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Gain local low-privilege session on target host
Delivery
Launch or interact with Microsoft Edge browser
Exploit
Initiate concurrent operations targeting shared resource
Execution
Win race condition timing window
Persist
Read cross-boundary information from privileged Edge component
Impact
Exfiltrate disclosed data locally

Vulnerability AssessmentAI

Exploitation Exploitation requires a locally authenticated session with at least standard user (low) privileges on the target Windows host - remote unauthenticated exploitation is not possible per AV:L. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The overall risk is moderate-to-low in practice. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A threat actor with a low-privileged local account on a Windows system running Microsoft Edge triggers a concurrent operation - for example, by repeatedly initiating browser actions that race against a shared resource access - and wins the timing window to read memory or data belonging to a higher-privileged Edge process component. No public proof-of-concept code exists at time of analysis, and the AC:H metric reflects that reliable exploitation requires careful timing and is not trivially automatable.
Remediation Apply the vendor-released patch by updating Microsoft Edge to the latest available version via the MSRC advisory at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-55945. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2026-57983 CRITICAL
10.0 Jul 03

Security-feature bypass in Microsoft Edge (Chromium-based) versions prior to 150.0.4078.48 lets a remote, unauthenticate

CVE-2026-57981 HIGH
8.8 Jul 03

Remote code execution in Microsoft Edge (Chromium-based) stems from a use-after-free memory corruption flaw (CWE-416) th

CVE-2026-57974 HIGH
8.8 Jul 03

Remote code execution in Microsoft Edge (Chromium-based) allows an unauthenticated attacker to run arbitrary code by lur

CVE-2026-56645 HIGH
8.8 Jul 03

Remote code execution in Microsoft Edge (Chromium-based) stems from a heap-based buffer overflow (CWE-122) that a networ

CVE-2026-57985 HIGH
8.8 Jul 03

Remote code execution in Microsoft Edge (Chromium-based) before version 150.0.4078.48 allows an unauthenticated remote a

CVE-2026-50521 HIGH
8.3 Jul 01

Remote code execution in Microsoft Edge (Chromium-based) stems from a use-after-free (CWE-416) memory-corruption flaw th

CVE-2026-58281 HIGH
8.3 Jul 11

Remote code execution in Microsoft Edge (Chromium-based) lets an unauthenticated network attacker run arbitrary code by

CVE-2026-58289 HIGH
8.3 Jul 03

Remote code execution in Microsoft Edge (Chromium-based) before 150.0.4078.48 allows an unauthenticated attacker to run

CVE-2026-58596 HIGH
8.3 Jul 12

Privilege elevation in Microsoft Edge (Chromium-based) lets a network attacker escalate privileges by luring a victim in

CVE-2026-58288 HIGH
8.3 Jul 03

Remote code execution in Microsoft Edge (Chromium-based) stems from a use-after-free (CWE-416) memory-corruption flaw th

CVE-2026-58285 HIGH
8.3 Jul 03

Remote code execution in Microsoft Edge (Chromium-based) via a type-confusion flaw (CWE-843) lets an unauthorized attack

CVE-2026-58287 HIGH
8.3 Jul 03

Remote code execution in Microsoft Edge (Chromium-based) allows an unauthorized attacker to run arbitrary code when a vi

Share

CVE-2026-55945 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy