Description
Improper privilege management in Microsoft Edge (Chromium-based) allows an authorized attacker to bypass a security feature locally.
Published: 2026-01-16
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Security Feature Bypass (local privilege escalation)
Action: Apply Patch
AI Analysis

Impact

Improper privilege management in Microsoft Edge (Chromium-based) enables an authorized local user to bypass a built‑in security feature. The weakness is classified as CWE‑269 (Improper Privilege Management). Per the detailed description originally published for this record, the Microsoft Edge Elevation Service exposes a privileged COM interface (IElevatorEdge) that does not adequately validate the privileges of the calling process: a standard, non‑administrator user can invoke LaunchUpdateCmdElevatedAndWait and have the service execute update commands as LocalSystem. In this case that is enough to modify protected keys under HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard and thereby enable or disable Windows Virtualization‑Based Security (VBS). Disabling VBS weakens Credential Guard, Hypervisor‑protected Code Integrity (HVCI) and the Secure Kernel, so the impact is on platform‑wide protections rather than on data inside the browser context.

Affected Systems

Microsoft Edge (Chromium-based) for Windows. No specific version details are provided; users should consult Microsoft’s update guide for applicable patches.

Risk and Exploitability

The CVSS 3.1 base score of 7.1 is High (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N, temporal E:U/RL:O/RC:C); the record was first scored 5.1 (PR:N, C:L/I:L) and raised on 22 Feb 2026. EPSS is under 1 %, indicating a low probability of exploitation in the wild, and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires a local, authenticated standard user who can reach the Edge Elevation Service's COM interface; no administrator rights are needed. Because the service runs the requested commands as LocalSystem and the DeviceGuard keys are machine‑wide, the effect is not confined to the attacker's own session: a successful call weakens Credential Guard, HVCI and the Secure Kernel for the whole host.

Generated by OpenCVE AI on April 16, 2026 at 07:55 UTC.

Remediation

No vendor fix or workaround is recorded in this entry. The CVSS temporal vector reported with the 7.1 score (RL:O) indicates the vendor considers an official fix available; consult Microsoft's update guide for the patched Edge release.

OpenCVE Recommended Actions

  • Install the latest Microsoft Edge security update that addresses CVE‑2026‑21223.
  • Configure Windows Update or Edge settings to automatically apply security updates without manual action.
  • Until the fix is deployed, monitor and alert on changes to HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard and periodically verify that VBS, Credential Guard and HVCI are still enabled and running, since the flaw lets a standard user toggle them through the Edge Elevation Service.
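The following PowerShell script is an added example written for this page; it is not OpenCVE's or Microsoft's code. It implements the check and the interim detection described in the Impact section and the recommended actions above: it reads the effective VBS / HVCI / Credential Guard state from the Win32_DeviceGuard WMI class, compares it with the configured state in the DeviceGuard registry keys the advisory names, flags the "running but configured off" mismatch that a tampering followed by a pending reboot produces, and (with -EnableAudit) places an audit SACL on the key so that any write to it is logged as Security event 4657. The baseline it enforces (VBS expected on) is an assumption; adjust it for hosts where VBS is intentionally off.

```powershell
# Added example, not from OpenCVE or Microsoft. Requires an elevated shell.
#Requires -RunAsAdministrator
param(
    [switch]$EnableAudit   # also configure registry auditing on the DeviceGuard key
)

$DeviceGuardKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard'

function Get-VbsState {
    # Effective state comes from the DeviceGuard WMI class; configured state comes from the
    # registry keys a standard user can flip through the vulnerable COM interface.
    $dg   = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    $cfg  = Get-ItemProperty -Path $DeviceGuardKey -ErrorAction SilentlyContinue
    $hvci = Get-ItemProperty -Path "$DeviceGuardKey\Scenarios\HypervisorEnforcedCodeIntegrity" -ErrorAction SilentlyContinue
    $cg   = Get-ItemProperty -Path "$DeviceGuardKey\Scenarios\CredentialGuard" -ErrorAction SilentlyContinue
    # Older builds configure Credential Guard through LsaCfgFlags (1 = on with UEFI lock, 2 = on without lock).
    $lsa  = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction SilentlyContinue

    [pscustomobject]@{
        # VirtualizationBasedSecurityStatus: 0 = off, 1 = enabled but not running, 2 = running
        VbsRunning                = ($dg.VirtualizationBasedSecurityStatus -eq 2)
        # SecurityServicesRunning: 1 = Credential Guard, 2 = HVCI
        CredentialGuardRunning    = ($dg.SecurityServicesRunning -contains 1)
        HvciRunning               = ($dg.SecurityServicesRunning -contains 2)
        VbsConfigured             = ($cfg.EnableVirtualizationBasedSecurity -eq 1)
        HvciConfigured            = ($hvci.Enabled -eq 1)
        CredentialGuardConfigured = (($cg.Enabled -eq 1) -or ($lsa.LsaCfgFlags -in 1, 2))
    }
}

function Test-VbsBaseline {
    param([Parameter(Mandatory)]$State)
    # Assumed baseline: VBS on. Running-but-configured-off means the registry was changed
    # and the weakening takes effect at the next reboot, so it is reported as a problem.
    $problems = @()
    if (-not $State.VbsRunning)    { $problems += 'VBS is not running' }
    if (-not $State.VbsConfigured) { $problems += 'VBS is disabled in the DeviceGuard registry key (effective at next reboot)' }
    if ($State.HvciRunning -and -not $State.HvciConfigured) {
        $problems += 'HVCI is running but configured off: change pending reboot'
    }
    if ($State.CredentialGuardRunning -and -not $State.CredentialGuardConfigured) {
        $problems += 'Credential Guard is running but configured off: change pending reboot'
    }
    return $problems
}

function Enable-DeviceGuardKeyAudit {
    # Turn on object-access auditing for the registry and add a SACL so every SetValue,
    # CreateSubKey or Delete on the key (by any principal, including LocalSystem acting for
    # a non-admin caller) is recorded as Security event 4657.
    & auditpol.exe /set /subcategory:'Registry' /success:enable | Out-Null
    $acl  = Get-Acl -Path $DeviceGuardKey -Audit
    $rule = New-Object System.Security.AccessControl.RegistryAuditRule(
        'Everyone',
        [System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, Delete',
        [System.Security.AccessControl.InheritanceFlags]'ContainerInherit',
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AuditFlags]::Success)
    $acl.AddAuditRule($rule)
    Set-Acl -Path $DeviceGuardKey -AclObject $acl
}

$state = Get-VbsState
$state | Format-List
$problems = Test-VbsBaseline -State $state
if ($problems.Count -gt 0) {
    Write-Warning ("VBS baseline violated:`n - " + ($problems -join "`n - "))
} else {
    Write-Host 'VBS, HVCI and Credential Guard are configured and running.'
}
if ($EnableAudit) { Enable-DeviceGuardKeyAudit }
```

Run it from an elevated PowerShell on each endpoint; forward event 4657 for the DeviceGuard key to your SIEM and treat any write whose originating process is not a known management tool as suspect until the patched Edge is confirmed installed.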


Advisories

No advisories yet.

History

Thu, 26 Feb 2026 15:15:00 +0000

  Metrics (ssvc)
    Removed: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}
    Added:   {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Sun, 22 Feb 2026 17:15:00 +0000

  Description
    Removed: Microsoft Edge Elevation Service exposes a privileged COM interface that inadequately validates the privileges of the calling process. A standard (non‑administrator) local user can invoke the IElevatorEdge interface method LaunchUpdateCmdElevatedAndWait, causing the service to execute privileged update commands as LocalSystem. This allows a non‑administrator to enable or disable Windows Virtualization‑Based Security (VBS) by modifying protected system registry keys under HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard. Disabling VBS weakens critical platform protections such as Credential Guard, Hypervisor‑protected Code Integrity (HVCI), and the Secure Kernel, resulting in a security feature bypass.
    Added:   Improper privilege management in Microsoft Edge (Chromium-based) allows an authorized attacker to bypass a security feature locally.
  Metrics (cvssV3_1)
    Removed: {'score': 5.1, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N'}
    Added:   {'score': 7.1, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C'}

Fri, 16 Jan 2026 22:15:00 +0000

  Metrics (cvssV3_1)
    Added:   {'score': 5.1, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N'}
  Metrics (ssvc)
    Added:   {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 16 Jan 2026 21:45:00 +0000

  Description
    Added:   Microsoft Edge Elevation Service exposes a privileged COM interface that inadequately validates the privileges of the calling process. A standard (non‑administrator) local user can invoke the IElevatorEdge interface method LaunchUpdateCmdElevatedAndWait, causing the service to execute privileged update commands as LocalSystem. This allows a non‑administrator to enable or disable Windows Virtualization‑Based Security (VBS) by modifying protected system registry keys under HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard. Disabling VBS weakens critical platform protections such as Credential Guard, Hypervisor‑protected Code Integrity (HVCI), and the Secure Kernel, resulting in a security feature bypass.
  Title
    Added:   Microsoft Edge (Chromium-based) Security Feature Bypass Vulnerability
  First Time appeared
    Added:   Microsoft; Microsoft edge Chromium
  Weaknesses
    Added:   CWE-269
  CPEs
    Added:   cpe:2.3:a:microsoft:edge_chromium:*:*:*:*:*:*:*:*
  Vendors & Products
    Added:   Microsoft; Microsoft edge Chromium
  References
    (none)

MITRE

Status: PUBLISHED

Assigner: microsoft

Published:

Updated: 2026-04-01T13:49:21.981Z

Reserved: 2025-12-11T21:02:05.732Z

Link: CVE-2026-21223

Vulnrichment

Updated: 2026-01-16T21:50:19.043Z

NVD

Status : Modified

Published: 2026-01-16T22:16:25.983

Modified: 2026-02-22T17:16:54.310

Link: CVE-2026-21223

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T08:00:11Z

Weaknesses