CVE-2026-58294

Microsoft · Edge (Chromium-based)

A use-after-free vulnerability in Microsoft Edge (Chromium-based) allows an unauthenticated remote attacker to execute arbitrary code.

Executive summary

A critical use-after-free vulnerability in Microsoft Edge (Chromium-based) permits an unauthenticated attacker to execute arbitrary code on the host system.

Vulnerability

This vulnerability is a use-after-free (CWE-416) condition: the application keeps a pointer to memory after that memory has been deallocated, so a later access through the dangling pointer operates on freed or reallocated data. An unauthenticated attacker can trigger this condition via crafted network-based payloads to achieve unauthorized code execution.

Business impact

Successful exploitation allows an attacker to bypass standard security controls, potentially leading to data breaches or unauthorized access to the local environment. With a CVSS score of 7.5, this high-severity flaw requires urgent remediation to protect against threats targeting browser memory-safety vulnerabilities.

Remediation

Immediate Action: Apply the vendor-provided security update by upgrading Microsoft Edge to version 150.0.4078.48 or later.

Proactive Monitoring: Monitor network traffic and endpoint telemetry for suspicious browser activity, such as unexpected child process creation or unusual network connections.

Compensating Controls: Deploy or update endpoint detection and response (EDR) agents to detect and block memory-based exploitation attempts.
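An added check for the first remediation step (not part of the advisory): it compares Edge versions reported by endpoints against the fixed build 150.0.4078.48 component by component, since a plain string comparison misorders builds such as 150.0.4078.9. The hostnames and versions in the sample inventory are constructed.

```python
"""Check reported Microsoft Edge versions against the fixed build for CVE-2026-58294."""
import re

# Fixed version stated in the advisory; anything at or above this is patched.
FIXED_VERSION = "150.0.4078.48"


def parse_version(text):
    """Parse a Chromium-style dotted version ('150.0.4078.48') into a 4-tuple of ints.
    Trailing non-numeric suffixes are ignored; missing components are padded with 0."""
    match = re.match(r"\d+(?:\.\d+)*", text.strip())
    if not match:
        raise ValueError(f"not a version string: {text!r}")
    parts = [int(p) for p in match.group(0).split(".")]
    return tuple(parts + [0] * (4 - len(parts)))


def is_patched(installed, fixed=FIXED_VERSION):
    """True if the installed build is at or above the fixed build (numeric compare)."""
    return parse_version(installed) >= parse_version(fixed)


def unpatched_hosts(inventory, fixed=FIXED_VERSION):
    """Return sorted hostnames whose Edge version is below the fixed build.
    `inventory` maps hostname -> version string as reported by the endpoint agent.
    Unparseable versions are flagged too, since they cannot be shown to be patched."""
    flagged = []
    for host, version in inventory.items():
        try:
            if not is_patched(version, fixed):
                flagged.append(host)
        except ValueError:
            flagged.append(host)
    return sorted(flagged)


# Constructed sample inventory (hypothetical hosts and versions, not from the advisory).
SAMPLE_INVENTORY = {
    "ws-001": "150.0.4078.48",   # exactly the fixed build
    "ws-002": "150.0.4078.9",    # older; sorts after "48" as a string but is numerically smaller
    "ws-003": "149.0.3991.112",  # previous major release
    "ws-004": "150.0.4078.61",   # newer than the fixed build
    "ws-005": "unknown",         # agent could not read a version
}

if __name__ == "__main__":
    for host in unpatched_hosts(SAMPLE_INVENTORY):
        print(f"{host}: Edge {SAMPLE_INVENTORY[host]} needs update to {FIXED_VERSION} or later")
```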

Exploitation status

Public Exploit Available: false

Analyst recommendation

Given the potential for remote code execution, this vulnerability represents a significant risk to organizational assets. Administrators must ensure that all instances of the affected software are updated to the patched version as soon as possible to mitigate risk.