Description
Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability
Published: 2026-05-18
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Microsoft Edge (Chromium-based) contains a vulnerability that allows an attacker to execute arbitrary code within the browser process. The flaw is classified under CWE‑119, CWE‑20, CWE‑35 and CWE‑94 and can result in a full compromise of the user’s machine. The impact on confidentiality, integrity and availability can be substantial, permitting the attacker to read, modify or delete data and potentially spread laterally within a network.

Affected Systems

The affected product is Microsoft Edge (Chromium‑based). No specific releases were identified in the advisory, so until Microsoft publishes a patch all current versions of the browser should be considered at risk.

Risk and Exploitability

The CVSS score of 8.8 indicates a high severity. EPSS is 0.00195, indicating a very low likelihood of exploitation, and the vulnerability is not listed in the CISA KEV catalog. The most likely attack vector is a malicious or compromised web page that the user opens in Edge, requiring user interaction with the browser but no additional privileges. The exploit can be executed from a remote host without needing elevated rights on the target system.

Generated by OpenCVE AI on May 26, 2026 at 19:54 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Immediately install the Microsoft Edge security update that fixes the out‑of‑bounds memory write (CWE‑119) and the input validation (CWE‑20) flaw, as well as the race condition (CWE‑35) and code injection (CWE‑94) vulnerabilities.
  • Configure a Web Application Firewall or URL filtering solution to block traffic to known malicious domains that could trigger the buffer overflow or code injection pathways used by this exploit.
  • Continually monitor Microsoft advisories and apply any subsequent patches or mitigations that address remaining weaknesses, especially those related to input validation and code injection, to maintain a hardened environment.

Advisories

No advisories yet.

History

Tue, 26 May 2026 17:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-35

Tue, 19 May 2026 15:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:microsoft:edge_chromium:*:*:*:*:-:*:*:*

Mon, 18 May 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 18 May 2026 18:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-119, CWE-20, CWE-94

Mon, 18 May 2026 17:45:00 +0000

Type Values Removed Values Added
Description Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability
Title Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability
First Time appeared Microsoft, Microsoft edge Chromium
CPEs cpe:2.3:a:microsoft:edge_chromium:*:*:*:*:*:*:*:*
Vendors & Products Microsoft, Microsoft edge Chromium
References
Metrics cvssV3_1 {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C'}

MITRE

Status: PUBLISHED

Assigner: microsoft

Published:

Updated: 2026-06-05T16:39:51.104Z

Reserved: 2026-05-12T16:07:22.618Z

Link: CVE-2026-45495

Vulnrichment

Updated: 2026-05-18T17:43:08.902Z

NVD

Status: Modified

Published: 2026-05-18T18:17:38.600

Modified: 2026-05-26T17:16:47.273

Link: CVE-2026-45495

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-26T20:00:15Z