CVE-2026-58281

Microsoft · Microsoft Edge (Chromium-based)

A deserialization vulnerability in Microsoft Edge (Chromium-based) allows an unauthorized attacker to achieve remote code execution via untrusted data.

Executive summary

A high-severity deserialization vulnerability in Microsoft Edge (Chromium-based) allows an unauthenticated attacker to execute code over a network.

Vulnerability

This is a deserialization of untrusted data flaw (CWE-502). An unauthenticated attacker can exploit this via the network to execute arbitrary code, though successful exploitation typically requires user interaction (UI:R).

Business impact

The ability to execute arbitrary code remotely poses a significant risk to user workstations and organizational networks. With a CVSS score of 8.3, this vulnerability could lead to malware installation, unauthorized access to sensitive browser data, or further lateral movement within the network.

Remediation

Immediate Action: Update all instances of Microsoft Edge to version 150.0.4078.48 or later as provided by Microsoft’s automated update mechanisms.

Proactive Monitoring: Monitor network traffic for suspicious deserialization patterns or unexpected browser behavior following user activity.

Compensating Controls: Ensure that browser-based security policies (such as disabling untrusted plugins) are enforced via Group Policy or Mobile Device Management (MDM).

Exploitation status

Public Exploit Available: No

Analyst recommendation

Given the ubiquity of the browser in corporate environments, this update should be treated as a high priority. Administrators should verify that all endpoints have successfully received the latest security update to mitigate the risk of remote code execution.