CVE-2026-58281
Microsoft · Microsoft Edge (Chromium-based)
A deserialization vulnerability in Microsoft Edge (Chromium-based) allows an unauthorized attacker to achieve remote code execution via untrusted data.
Executive summary
A high-severity deserialization vulnerability in Microsoft Edge (Chromium-based) allows an unauthenticated attacker to execute code over a network.
Vulnerability
This is a deserialization of untrusted data flaw (CWE-502). An unauthenticated attacker can exploit this via the network to execute arbitrary code, though successful exploitation typically requires user interaction (UI:R).
Business impact
The ability to execute arbitrary code remotely poses a significant risk to user workstations and organizational networks. With a CVSS score of 8.3, this vulnerability could lead to malware installation, unauthorized access to sensitive browser data, or further lateral movement within the network.
Remediation
Immediate Action: Update all instances of Microsoft Edge to version 150.0.4078.48 or later as provided by Microsoft’s automated update mechanisms.
Proactive Monitoring: Monitor network traffic for suspicious deserialization patterns or unexpected browser behavior following user activity.
Compensating Controls: Ensure that browser-based security policies (such as disabling untrusted plugins) are enforced via Group Policy or Mobile Device Management (MDM).
Exploitation status
Public Exploit Available: No
Analyst recommendation
Given the ubiquity of the browser in corporate environments, this update should be treated as a high priority. Administrators should verify that all endpoints have successfully received the latest security update to mitigate the risk of remote code execution.