A high-severity remote code execution vulnerability in Microsoft Edge is actively rated “Exploitation More Likely,” putting hundreds of millions of users at immediate risk if they haven’t patched to the latest browser version.
Microsoft disclosed CVE-2026-45495 on May 15, 2026, as part of its routine security advisory cycle, but the severity of this flaw demands immediate attention from enterprise IT teams and everyday users alike.
The vulnerability affects Microsoft Edge (Chromium-based). It carries a CVSS 3.1 base score of 8.8 (High) and an adjusted environmental score of 7.7, making it one of the most critical browser-side vulnerabilities disclosed so far in 2026.
With browser-based attacks becoming increasingly sophisticated, this flaw is a stark reminder that even trusted, widely deployed software can become the weakest link in your security posture.
Microsoft Edge RCE Flaw
CVE-2026-45495 is a Remote Code Execution (RCE) vulnerability rooted in Improper Input Validation (CWE-20) within Microsoft Edge’s Chromium-based engine.
Microsoft, acting as the assigning CNA (Common Vulnerabilities and Exposures Numbering Authority), confirmed the flaw and released an official patch the same day as the disclosure, May 15, 2026, through Edge version 148.0.3967.70, based on Chromium 148.0.7778.168.
The vulnerability is network-exploitable with low attack complexity, meaning a threat actor does not need specialized knowledge or privileged access to exploit it.
The only requirement is typically user interaction, such as a victim clicking a malicious link or visiting a specially crafted webpage. Once triggered, the flaw lets an attacker take full control of the affected system, with high impact on confidentiality, integrity, and availability, the triad whose loss defines total system compromise.
The attack vector is purely network-based (AV:N), making it exploitable remotely from anywhere on the internet without physical access to the target machine.
Because attack complexity is rated Low (AC:L), attackers can achieve repeatable, reliable exploitation simply by luring users to malicious web pages or embedding exploit code in drive-by download campaigns. No special privileges are required on the attacker’s end, lowering the barrier significantly for opportunistic threat actors.
Microsoft’s exploitability assessment has rated this flaw as “Exploitation More Likely,” a designation that signals the security community should treat this as an imminent threat rather than a theoretical one.
This is compounded by the fact that the Tenable Nessus security scanner (Plugin ID 315006) confirmed the same Edge update bundle also patches two additional Chromium engine flaws, CVE-2026-8587 (use-after-free in Extensions) and CVE-2026-8580 (use-after-free in Mojo, enabling sandbox escape via crafted HTML), indicating a cluster of serious RCE-class bugs in the same release cycle.
Affected Versions
Any installation of Microsoft Edge (Chromium-based) on Windows before version 148.0.3967.70 is vulnerable. This applies across enterprise environments, government networks, educational institutions, and personal devices.
The GovCERT Hong Kong simultaneously issued Alert A26-05-32, confirming that the potential impact includes remote code execution, denial-of-service, information disclosure, security restriction bypass, and spoofing.
This vulnerability does not exist in isolation. The CVE database now holds over 305,000 recorded vulnerabilities, with projections of more than 30,000 new disclosures in 2026 alone.
Browser-based RCE flaws remain among the most exploited vulnerability classes because of their direct exposure to untrusted web content.
Remediation
Microsoft released an official fix on May 15, 2026, and the remediation level is confirmed as “Official Fix” with full report confidence.
The patched version of Microsoft Edge, 148.0.3967.70, addresses CVE-2026-45495 and concurrent Chromium-engine flaws that could allow sandbox escapes and arbitrary code execution.
Users and administrators should verify their Edge installations immediately and enable automatic updates if not already active.
Immediate remediation steps:
- Update Microsoft Edge to version 148.0.3967.70 or later via edge://settings/help
- Verify that the Chromium engine version shows 148.0.7778.168
- Deploy the update via Microsoft Endpoint Configuration Manager or Intune in enterprise environments
- Monitor endpoint telemetry for any anomalous browser process behavior that may indicate pre-patch exploitation
- Enable Microsoft Edge’s Enhanced Security Mode as a defense-in-depth measure, as it has been shown to mitigate similar Chromium-engine exploits.
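A fleet-side version check covering the first two remediation steps, added here as an example and not taken from the advisory or from Microsoft; it assumes the default msedge.exe install locations (per-machine and per-user) and takes the patched build number from the text above.

```powershell
# Added example (not from the advisory): report whether the installed Edge build
# is at or above the patched version named in the advisory.
# Assumptions: default Edge install paths for msedge.exe; the minimum version
# below is the patched build quoted in the advisory text.
$PatchedVersion = [version]'148.0.3967.70'

function Get-EdgeInstalledVersion {
    # Candidate locations for the Edge binary (assumed default install paths)
    $candidates = @(
        "${env:ProgramFiles(x86)}\Microsoft\Edge\Application\msedge.exe",
        "$env:ProgramFiles\Microsoft\Edge\Application\msedge.exe",
        "$env:LOCALAPPDATA\Microsoft\Edge\Application\msedge.exe"
    )
    foreach ($path in $candidates) {
        if (Test-Path -LiteralPath $path) {
            # ProductVersion carries the four-part Edge build, e.g. 148.0.3967.70
            $raw = (Get-Item -LiteralPath $path).VersionInfo.ProductVersion
            return [pscustomobject]@{ Path = $path; Version = [version]$raw }
        }
    }
    return $null
}

function Test-EdgePatched {
    param([version]$Minimum = $PatchedVersion)
    $installed = Get-EdgeInstalledVersion
    if (-not $installed) {
        return [pscustomobject]@{ Status = 'NotInstalled'; Version = $null; Path = $null }
    }
    # Compare as System.Version, never as strings: as text, '148.0.3967.70' sorts
    # below '148.0.399.1' because '6' < '9', which would misreport a patched host.
    $status = if ($installed.Version -ge $Minimum) { 'Patched' } else { 'Vulnerable' }
    [pscustomobject]@{ Status = $status; Version = $installed.Version; Path = $installed.Path }
}

Test-EdgePatched | Format-List
```

Run it across managed hosts with Invoke-Command (or as an Intune detection script) and treat any 'Vulnerable' or 'NotInstalled' result as a remediation ticket; per-user installs under LOCALAPPDATA are easy to miss if only the per-machine path is checked.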
CVE-2026-45495 is not an isolated incident in the Chromium browser ecosystem. Earlier in 2026, CISA added CVE-2026-2441, another high-severity Chromium flaw, to its Known Exploited Vulnerabilities (KEV) catalog after confirmed in-the-wild exploitation across Chrome and Edge installations.
That flaw triggered emergency patch guidance from CISA and illustrated just how rapidly browser engine vulnerabilities move from disclosure to active exploitation.
Security teams should treat any “Exploitation More Likely” Microsoft advisory with the same urgency as a CISA KEV catalog entry.
FAQ
Q1: What systems are affected by CVE-2026-45495?
All Microsoft Edge (Chromium-based) installations running versions before 148.0.3967.70 on Windows are vulnerable and require immediate patching.
Q2: Can this vulnerability be exploited without the user doing anything?
No, user interaction is required, meaning a victim must click a malicious link or visit a crafted webpage for the exploit to execute.
Q3: Has CVE-2026-45495 been exploited in the wild?
Microsoft rates this as “Exploitation More Likely,” though exploit code maturity is currently listed as “Unproven,” meaning active in-the-wild exploitation has not yet been confirmed.
Q4: What is the official fix for CVE-2026-45495?
Microsoft released Edge version 148.0.3967.70 (based on Chromium 148.0.7778.168) on May 15, 2026, as an official patch update, available immediately via your browser settings or an enterprise deployment tool.
Site: thecybrdef.com