ZeroPath at Black Hat USA 2026

Quick Look: Microsoft Edge CVE-2026-45495 Remote Code Execution via Memory Corruption and Code Injection

A brief summary of CVE-2026-45495, a high severity remote code execution vulnerability in Microsoft Edge (Chromium based) with a CVSS score of 8.8, including patch details and affected version information.

CVE Analysis

6 min read

ZeroPath CVE Analysis
ZeroPath CVE Analysis

2026-05-18

Quick Look: Microsoft Edge CVE-2026-45495 Remote Code Execution via Memory Corruption and Code Injection
Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

If you have feedback, questions, or notice any errors, please reach out to us.

[email protected]

Introduction

A remote code execution flaw in Microsoft Edge's own Chromium additions lets an attacker achieve full system compromise simply by luring a user to a crafted webpage. CVE-2026-45495, patched on May 15, 2026, carries a CVSS 3.1 base score of 8.8 and affects every Edge version prior to 148.0.3967.70, making it relevant to virtually every enterprise Edge deployment that has not yet updated.

Technical Information

CVE-2026-45495 is rooted in a combination of three weakness classes, each contributing to the overall exploitability of the flaw:

CWE-20 (Improper Input Validation): The vulnerable component fails to properly validate input, allowing unsafe data to be processed by the browser engine.

CWE-94 (Improper Control of Generation of Code): This weakness enables potential arbitrary code injection, meaning attacker controlled data can influence the generation or execution of code within the browser process.

CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer): Memory corruption risks arise from out of bounds operations, which facilitate the actual remote code execution primitive.

The interplay of these three weaknesses is significant. Input validation failures (CWE-20) allow malicious data to reach code generation logic (CWE-94) and memory handling routines (CWE-119), creating a chain that ultimately grants an attacker arbitrary code execution in the context of the browser process.

CVSS Vector Breakdown

The full CVSS 3.1 vector string provided by Microsoft is:

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C

Breaking this down:

MetricValueMeaning
Attack VectorNetworkExploitable remotely over the internet
Attack ComplexityLowNo specialized conditions required for exploitation
Privileges RequiredNoneNo prior authentication needed
User InteractionRequiredUser must take an action such as clicking a link
ScopeUnchangedImpact is confined to the vulnerable component
Confidentiality ImpactHighTotal information disclosure possible
Integrity ImpactHighTotal compromise of system integrity
Availability ImpactHighComplete denial of service potential

The temporal metrics bring the effective score down to 7.7: Exploit Code Maturity is "Unproven," Remediation Level is "Official Fix," and Report Confidence is "Confirmed."

Attack Flow

Based on the advisory details, exploitation would follow this general sequence:

  1. The attacker crafts a webpage containing specially designed content that triggers the input validation, code injection, and memory corruption flaws in Edge's proprietary code paths.
  2. The attacker delivers the malicious URL to the target via phishing email, social engineering, a compromised website, or malicious advertising.
  3. The victim opens the link in a vulnerable version of Microsoft Edge (any version prior to 148.0.3967.70).
  4. The crafted content is processed by the vulnerable Edge component, bypassing input validation and triggering memory corruption.
  5. The attacker achieves arbitrary code execution in the context of the browser process, with potential for full confidentiality, integrity, and availability compromise on the target system.

Edge Specific Vulnerability

An important detail: this is not an upstream Chromium vulnerability that Edge inherited. The May 15 Edge release notes explicitly group CVE-2026-45495 alongside two sibling CVEs (CVE-2026-45494 and CVE-2026-45492), all three being Edge only vulnerabilities remediated in the same build. This tells us the vulnerable code path lives within Microsoft's own additions to the Chromium codebase, not in shared Chromium components. Other Chromium based browsers (Chrome, Brave, Vivaldi) are not affected by this specific flaw.

The public advisories do not detail the specific browser component or rendering engine module where the memory corruption occurs.

Patch Information

Microsoft officially patched CVE-2026-45495 on May 15, 2026 by releasing Microsoft Edge Stable version 148.0.3967.70, built on Chromium 148.0.7778.168. This was confirmed across the MSRC Security Update Guide, Microsoft's Edge security release notes, and third party vulnerability trackers.

On the MSRC advisory page, the Remediation Level is classified as "Official Fix," meaning a complete vendor solution is available, not merely a workaround or temporary hotfix. The base score of 8.8 is tempered to a temporal score of 7.7 precisely because the official fix brings the Remediation Level component down from its maximum.

Because Microsoft Edge is a closed source product, no public source level diff or commit is available for this fix. The patch is delivered exclusively through the standard Edge auto update mechanism. Users and administrators can verify they are protected by confirming their Edge version is 148.0.3967.70 or later.

Enterprise administrators managing Edge deployments via policies or WSUS should ensure this build (or a newer one) has been distributed to all managed endpoints. It is also worth verifying that Edge update policies are configured to allow automatic updates and are not paused, as stale update policies are a common reason enterprise browsers fall behind on security patches.

Microsoft has not provided any interim workarounds or hotfixes for this vulnerability. The only documented remediation is applying the official patch.

Affected Systems and Versions

All Microsoft Edge (Chromium based) versions from 1.0.0.0 up to, but excluding, version 148.0.3967.70 are affected. This encompasses a very broad range of Edge installations.

The fixed version is 148.0.3967.70, based on Chromium 148.0.7778.168.

Organizations should use enterprise software inventory tools to confirm that all Edge installations across their fleet have been updated to version 148.0.3967.70 or later.

Vendor Security History

Microsoft maintains a structured approach to security through its Secure Future Initiative, which prioritizes security above all else and focuses on six prioritized engineering pillars to ensure products are secure by design. The May 15, 2026 Edge Stable release addressed CVE-2026-45495 alongside at least two other Edge specific vulnerabilities (CVE-2026-45494 and CVE-2026-45492), demonstrating a pattern of batching security fixes into coordinated releases. Microsoft's Exploitability Index rating of "Exploitation More Likely" for this CVE reflects the vendor's own assessment that the flaw is a credible near term threat, which adds urgency to patching even in the absence of observed exploitation.

References

Detect & fix
what others miss

Works with
  • GitHub
  • GitLab
  • Bitbucket
  • Azure DevOps Services
  • Jira
  • Linear
  • Slack
  • Security Compass
Security magnifying glass visualization