Severity by source
AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L
Lifecycle Timeline
4DescriptionCVE.org
Microsoft Edge (Chromium-based) for Android Spoofing Vulnerability
AnalysisAI
Microsoft Edge (Chromium-based) for Android contains a spoofing vulnerability that allows attackers to manipulate the presentation of content or identity through a network-based attack requiring user interaction. The vulnerability affects Microsoft Edge on Android devices and has a CVSS score of 5.0, indicating moderate severity with low impact on confidentiality, integrity, and availability. While the CVSS vector indicates User Interaction is Required and Attack Complexity is High, the vulnerability is not currently listed as actively exploited in known vulnerability databases, though the Reliability Rating of Confirmed suggests vendor verification.
Technical ContextAI
This spoofing vulnerability in the Chromium-based rendering engine affects how Microsoft Edge for Android renders or validates content authenticity and origin representation. Chromium-based browsers rely on several security mechanisms including Same-Origin Policy, TLS certificate validation, and UI security boundaries to prevent spoofing attacks. The vulnerability likely involves either a flaw in how Edge renders navigation UI elements (address bar, SSL indicators) or improper validation of content origin, allowing an attacker to deceive users about the true source or security status of displayed content. The Chromium architecture's component-based design means the flaw could exist in the browser UI layer, the rendering engine, or the Android-specific integration code. Without an assigned CWE, the root cause classification remains vendor-specific, but typical spoofing vectors in browsers include DOM-based attacks, CSS manipulation of UI elements, or improper handling of frame/window contexts.
RemediationAI
Update Microsoft Edge on Android to the latest available version provided by Microsoft, which will include the security patch for this spoofing vulnerability. Users should enable automatic updates in the Google Play Store settings for Microsoft Edge to receive patches immediately upon release. Until patching is applied, users should avoid clicking links from untrusted sources, verify URLs carefully before entering sensitive credentials (especially on public or untrusted networks), and consider using additional security measures such as biometric authentication where available rather than relying solely on URL verification. Organizations managing Android devices can enforce Microsoft Edge updates through mobile device management (MDM) solutions if available. Additional mitigations include restricting access to sensitive sites to known-good network connections and educating users about spoofing risks, though these do not replace the primary fix of applying the security patch.
Same weakness CWE-290 – Authentication Bypass by Spoofing
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-12170