Severity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionCVE.org
Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability
AnalysisAI
Remote code execution in Microsoft Edge (Chromium-based) versions prior to 148.0.3967.70 allows attackers to execute arbitrary code on victim systems when a user is lured to a malicious webpage. The vulnerability stems from improper input validation (CWE-20) and carries a CVSS 3.1 score of 8.8 with high impact across confidentiality, integrity, and availability. No public exploit identified at time of analysis, and the vulnerability is not currently listed in CISA KEV.
Technical ContextAI
Microsoft Edge (Chromium-based) is Microsoft's browser built on the open-source Chromium engine, sharing rendering and JavaScript components (Blink, V8) with Google Chrome. The CWE-20 (Improper Input Validation) classification indicates the browser fails to properly sanitize or validate input data - typically web content such as crafted HTML, JavaScript, or other resources - before processing. The CPE string cpe:2.3:a:microsoft:microsoft_edge_(chromium-based) confirms the affected component is the desktop Edge application rather than the legacy EdgeHTML variant. Tags referencing both Google and Microsoft suggest this issue may overlap with an upstream Chromium defect propagated downstream to Edge.
RemediationAI
Vendor-released patch: Microsoft Edge (Chromium-based) 148.0.3967.70 or later - update via Edge's built-in updater (edge://settings/help) or through enterprise management channels such as Microsoft Intune, WSUS, or the Microsoft Edge for Business update channels, referencing https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-45495 for advisory details. As compensating controls before patching, restrict browsing to trusted sites via SmartScreen and Microsoft Defender SmartScreen enforcement, enable Microsoft Defender Application Guard for Edge to isolate untrusted content in a Hyper-V container (note: this adds resource overhead and breaks some extensions), and consider deploying group policy to disable JIT for V8 via the JavaScriptJitEnabled policy (side effect: notable performance degradation on JS-heavy sites). No alternative browser substitution is recommended as a security control since other Chromium browsers typically share the upstream defect.
Same weakness CWE-20 – Improper Input Validation
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-30785
GHSA-52mp-27cf-fhvh