Introduction
A remote code execution flaw in Microsoft Edge's own Chromium additions lets an attacker achieve full system compromise simply by luring a user to a crafted webpage. CVE-2026-45495, patched on May 15, 2026, carries a CVSS 3.1 base score of 8.8 and affects every Edge version prior to 148.0.3967.70, making it relevant to virtually every enterprise Edge deployment that has not yet updated.
Technical Information
CVE-2026-45495 is rooted in a combination of three weakness classes, each contributing to the overall exploitability of the flaw:
CWE-20 (Improper Input Validation): The vulnerable component fails to properly validate input, allowing unsafe data to be processed by the browser engine.
CWE-94 (Improper Control of Generation of Code): This weakness enables potential arbitrary code injection, meaning attacker controlled data can influence the generation or execution of code within the browser process.
CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer): Memory corruption risks arise from out of bounds operations, which facilitate the actual remote code execution primitive.
The interplay of these three weaknesses is significant. Input validation failures (CWE-20) allow malicious data to reach code generation logic (CWE-94) and memory handling routines (CWE-119), creating a chain that ultimately grants an attacker arbitrary code execution in the context of the browser process.
CVSS Vector Breakdown
The full CVSS 3.1 vector string provided by Microsoft is:
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Breaking this down:
| Metric | Value | Meaning |
|---|---|---|
| Attack Vector | Network | Exploitable remotely over the internet |
| Attack Complexity | Low | No specialized conditions required for exploitation |
| Privileges Required | None | No prior authentication needed |
| User Interaction | Required | User must take an action such as clicking a link |
| Scope | Unchanged | Impact is confined to the vulnerable component |
| Confidentiality Impact | High | Total information disclosure possible |
| Integrity Impact | High | Total compromise of system integrity |
| Availability Impact | High | Complete denial of service potential |
The temporal metrics bring the effective score down to 7.7: Exploit Code Maturity is "Unproven," Remediation Level is "Official Fix," and Report Confidence is "Confirmed."
Attack Flow
Based on the advisory details, exploitation would follow this general sequence:
- The attacker crafts a webpage containing specially designed content that triggers the input validation, code injection, and memory corruption flaws in Edge's proprietary code paths.
- The attacker delivers the malicious URL to the target via phishing email, social engineering, a compromised website, or malicious advertising.
- The victim opens the link in a vulnerable version of Microsoft Edge (any version prior to 148.0.3967.70).
- The crafted content is processed by the vulnerable Edge component, bypassing input validation and triggering memory corruption.
- The attacker achieves arbitrary code execution in the context of the browser process, with potential for full confidentiality, integrity, and availability compromise on the target system.
Edge Specific Vulnerability
An important detail: this is not an upstream Chromium vulnerability that Edge inherited. The May 15 Edge release notes explicitly group CVE-2026-45495 alongside two sibling CVEs (CVE-2026-45494 and CVE-2026-45492), all three being Edge only vulnerabilities remediated in the same build. This tells us the vulnerable code path lives within Microsoft's own additions to the Chromium codebase, not in shared Chromium components. Other Chromium based browsers (Chrome, Brave, Vivaldi) are not affected by this specific flaw.
The public advisories do not detail the specific browser component or rendering engine module where the memory corruption occurs.
Patch Information
Microsoft officially patched CVE-2026-45495 on May 15, 2026 by releasing Microsoft Edge Stable version 148.0.3967.70, built on Chromium 148.0.7778.168. This was confirmed across the MSRC Security Update Guide, Microsoft's Edge security release notes, and third party vulnerability trackers.
On the MSRC advisory page, the Remediation Level is classified as "Official Fix," meaning a complete vendor solution is available, not merely a workaround or temporary hotfix. The base score of 8.8 is tempered to a temporal score of 7.7 precisely because the official fix brings the Remediation Level component down from its maximum.
Because Microsoft Edge is a closed source product, no public source level diff or commit is available for this fix. The patch is delivered exclusively through the standard Edge auto update mechanism. Users and administrators can verify they are protected by confirming their Edge version is 148.0.3967.70 or later.
Enterprise administrators managing Edge deployments via policies or WSUS should ensure this build (or a newer one) has been distributed to all managed endpoints. It is also worth verifying that Edge update policies are configured to allow automatic updates and are not paused, as stale update policies are a common reason enterprise browsers fall behind on security patches.
Microsoft has not provided any interim workarounds or hotfixes for this vulnerability. The only documented remediation is applying the official patch.
Affected Systems and Versions
All Microsoft Edge (Chromium based) versions from 1.0.0.0 up to, but excluding, version 148.0.3967.70 are affected. This encompasses a very broad range of Edge installations.
The fixed version is 148.0.3967.70, based on Chromium 148.0.7778.168.
Organizations should use enterprise software inventory tools to confirm that all Edge installations across their fleet have been updated to version 148.0.3967.70 or later.
Vendor Security History
Microsoft maintains a structured approach to security through its Secure Future Initiative, which prioritizes security above all else and focuses on six prioritized engineering pillars to ensure products are secure by design. The May 15, 2026 Edge Stable release addressed CVE-2026-45495 alongside at least two other Edge specific vulnerabilities (CVE-2026-45494 and CVE-2026-45492), demonstrating a pattern of batching security fixes into coordinated releases. Microsoft's Exploitability Index rating of "Exploitation More Likely" for this CVE reflects the vendor's own assessment that the flaw is a credible near term threat, which adds urgency to patching even in the absence of observed exploitation.
References
- MSRC Security Update Guide: CVE-2026-45495
- CVE Record: CVE-2026-45495
- MITRE CVE API: CVE-2026-45495
- Microsoft Edge Security Release Notes
- Microsoft Edge Stable Channel Release Notes
- Microsoft Edge Update Policy Documentation
- Mondoo Vulnerability Intelligence: CVE-2026-45495
- HKCERT Security Alert (A26-05-32): Multiple Vulnerabilities in Microsoft Edge
- HKCert Security Bulletin: Microsoft Edge Multiple Vulnerabilities
- Microsoft Secure Future Initiative
- Microsoft Secure Future Initiative (SFI) Overview



