CVE-2026-58299

Microsoft · Edge (Chromium-based)

A Time-of-check Time-of-use (TOCTOU) race condition in Microsoft Edge for Android allows an unauthenticated, remote attacker to execute arbitrary code.

Executive summary

A critical TOCTOU race condition in Microsoft Edge for Android permits remote code execution, posing a significant risk to device integrity.

Vulnerability

The vulnerability is a TOCTOU race condition in the browser's processing logic: a value is validated and then used later without protection against it changing in between. An unauthenticated attacker can trigger this flaw over a network to achieve code execution on the target device.

Business impact

Successful exploitation of this vulnerability could lead to complete compromise of the affected device, potentially giving an attacker access to sensitive user data and credentials. With a CVSS score of 7.5, this is categorized as a High severity issue that requires prompt attention to prevent unauthorized system access and potential lateral movement within the mobile environment.

Remediation

Immediate Action: Update Microsoft Edge for Android to version 150.0.4078.48 or later via the Google Play Store.

Proactive Monitoring: Monitor device traffic and application logs for unusual network activity or unexpected process execution patterns that may indicate a race condition exploit attempt.

Compensating Controls: Ensure that Google Play Protect is enabled on all Android devices to assist in detecting and blocking malicious applications that may attempt to leverage such vulnerabilities.
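As an added example that is not part of this advisory and not Microsoft's tooling: a POSIX shell script that reports whether the Edge for Android build installed on a managed device is at or above the fixed version 150.0.4078.48 named above. It assumes adb access to the devices being audited and that Edge installs under the package name com.microsoft.emmx (an assumption, not something the advisory states); the offline demonstration at the bottom parses a constructed dumpsys excerpt so the comparison logic can be exercised without a device.

```shell
#!/bin/sh
# Added example (not from the advisory): verify Edge for Android patch state.
# FIXED_VERSION comes from the advisory's remediation section.
FIXED_VERSION="150.0.4078.48"
# Assumption: Edge for Android is installed under this package name.
EDGE_PACKAGE="com.microsoft.emmx"

# version_ge A B -> exit 0 if dotted version A >= B, compared numerically
# component by component; a missing trailing component counts as 0.
version_ge() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ax="${a%%.*}"; bx="${b%%.*}"
        [ -z "$ax" ] && ax=0
        [ -z "$bx" ] && bx=0
        if [ "$ax" -gt "$bx" ]; then return 0; fi
        if [ "$ax" -lt "$bx" ]; then return 1; fi
        case "$a" in *.*) a="${a#*.}";; *) a="";; esac
        case "$b" in *.*) b="${b#*.}";; *) b="";; esac
    done
    return 0
}

# extract_version_name TEXT -> prints the first "versionName=" value found in
# "dumpsys package" output (empty if the package is absent).
extract_version_name() {
    printf '%s\n' "$1" | tr -d '\r' \
        | sed -n 's/^[[:space:]]*versionName=\([0-9.]*\).*/\1/p' | head -n 1
}

# edge_status TEXT -> prints "FIXED <ver>" (exit 0), "VULNERABLE <ver>" (exit 1)
# or "NOT_INSTALLED" (exit 2), given the dumpsys output for EDGE_PACKAGE.
edge_status() {
    v=$(extract_version_name "$1")
    if [ -z "$v" ]; then echo "NOT_INSTALLED"; return 2; fi
    if version_ge "$v" "$FIXED_VERSION"; then echo "FIXED $v"; return 0; fi
    echo "VULNERABLE $v"; return 1
}

# Live check of every device visible to adb (run manually; not part of the demo).
check_connected_devices() {
    adb devices | awk 'NR>1 && $2=="device" {print $1}' | while read -r serial; do
        out=$(adb -s "$serial" shell dumpsys package "$EDGE_PACKAGE" 2>/dev/null)
        printf '%s: %s\n' "$serial" "$(edge_status "$out" || :)"
    done
}

# Constructed dumpsys excerpts (sample data, not captured from a real device).
SAMPLE_OLD='Packages:
  Package [com.microsoft.emmx] (1a2b3c):
    versionCode=14903242 minSdk=24 targetSdk=34
    versionName=149.0.3242.71'
SAMPLE_NEW='Packages:
  Package [com.microsoft.emmx] (4d5e6f):
    versionCode=15004078 minSdk=24 targetSdk=34
    versionName=150.0.4078.48'

# Offline demonstration: prints one status line per sample.
edge_status "$SAMPLE_OLD" || :
edge_status "$SAMPLE_NEW" || :
```

For a fleet, call `check_connected_devices` from a host with the devices attached, or feed the same `edge_status` function the output an MDM export gives you for the package. The numeric component-wise comparison matters: a plain string comparison would rank 150.0.4078.48 below 150.0.999.1, and would mis-classify a later build with a shorter component.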

Exploitation status

Public Exploit Available: false

Analyst recommendation

Given the severity of potential remote code execution, organizations should prioritize the deployment of the latest security updates across all managed mobile devices. Failure to patch creates a tangible risk of device compromise, necessitating an immediate update cycle for all users running vulnerable versions of the browser.