Microsoft Edge users face a remote code execution flaw that can be triggered via crafted web content. Immediate patching is mandatory.
Impact
A single malicious web page can execute arbitrary code on a victim’s machine. The flaw allows attackers to bypass sandbox restrictions and read or modify system files.
Technical Details
CVE-2026-25833 is a buffer overflow in the Edge rendering engine. The overflow is triggered when the renderer processes a specially crafted CSS rule that exceeds an internal stack limit, so the malicious input is page content (a stylesheet or inline style), not script. The vulnerability is exploitable in all supported Edge versions prior to 130.0.2155.56.
The flaw is rated CVSS 9.8 (Critical). An attacker only needs to lure a user to a malicious site, or to deliver the crafted CSS in an email whose HTML content is rendered by the Edge engine. No authentication or additional privileges are required.
Affected Products
- Microsoft Edge 121.x – 129.x
- Microsoft Edge 130.0.2155.0 – 130.0.2155.55
- Legacy Edge 79.x – 79.0.309.71 (the earliest, now out-of-support Chromium-based builds, if still in use)
Mitigation Steps
- Update Edge. Install the latest security update (version 130.0.2155.56 or newer). Edge Stable receives it through its built-in updater and Microsoft Update; managed environments can also deploy the enterprise MSI from the Microsoft Update Catalog or the Edge for Business download page.
- If automatic updates are disabled, download the installer and run it. For the enterprise package use msiexec /i MicrosoftEdgeEnterpriseX64.msi /qn (msiexec installs .msi packages only; the MicrosoftEdgeSetup.exe bootstrapper is run directly, not through msiexec).
- For environments that cannot update immediately, block JavaScript via Group Policy: Computer Configuration → Administrative Templates → Microsoft Edge → Content settings → "Control use of JavaScript" set to "Do not allow any site to run JavaScript" (registry equivalent: HKLM\SOFTWARE\Policies\Microsoft\Edge\DefaultJavaScriptSetting = 2). Edge still parses CSS with JavaScript disabled, so treat this as a stopgap that narrows the attack surface, not as a substitute for the update.
- Monitor web proxy and network traffic for HTTP responses carrying unusually large or malformed CSS payloads (the malicious rule arrives in page content, i.e. in responses, not in client requests).
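The following PowerShell script is an added example for the procedure above; it is not part of the original advisory or any Microsoft tooling. It reads the installed Edge Stable build from msedge.exe, compares it with the fixed version named above, and, only when the -ApplyJsBlock switch is given, writes the DefaultJavaScriptSetting policy value used in the interim mitigation. It assumes the default per-machine install paths under Program Files; the fixed version and the policy key are the ones stated in this advisory.

```powershell
# Added example (not from the advisory): check the installed Edge build against the
# fix for CVE-2026-25833 and optionally apply the interim JavaScript-blocking policy.
# Assumptions: default per-machine install paths; run elevated if -ApplyJsBlock is used.
param(
    [version]$FixedVersion = '130.0.2155.56',   # first fixed build named in the advisory
    [switch]$ApplyJsBlock                       # apply the Group Policy stopgap via registry
)

function Get-EdgeVersion {
    # Edge Stable installs per-machine under Program Files or Program Files (x86).
    $candidates = @(
        "$env:ProgramFiles\Microsoft\Edge\Application\msedge.exe",
        "${env:ProgramFiles(x86)}\Microsoft\Edge\Application\msedge.exe"
    )
    foreach ($path in $candidates) {
        if (Test-Path $path) {
            # ProductVersion is the four-part build string, e.g. 130.0.2155.56
            return [version](Get-Item $path).VersionInfo.ProductVersion
        }
    }
    return $null
}

$installed = Get-EdgeVersion
if (-not $installed) {
    Write-Output 'Edge not found in the default install locations.'
    exit 2
}

# [version] comparison is numeric per component, so 130.0.2155.56 > 130.0.2155.9
if ($installed -ge $FixedVersion) {
    Write-Output "Edge $installed is at or above $FixedVersion (fixed build): not affected."
    exit 0
}

Write-Warning "Edge $installed is below $FixedVersion: VULNERABLE to CVE-2026-25833. Update now."

if ($ApplyJsBlock) {
    # Same setting as GPO "Control use of JavaScript" = "Do not allow any site to run JavaScript".
    # Value 2 blocks JavaScript on all sites; remove the value once the update is installed.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name 'DefaultJavaScriptSetting' -Value 2 -Type DWord
    Write-Output 'Applied DefaultJavaScriptSetting=2 (JavaScript blocked). Restart Edge to take effect.'
}
exit 1
```

The exit code (0 patched, 1 vulnerable, 2 not installed) makes the script usable as a compliance check from an RMM or Intune remediation. Because the policy value is written under HKLM, Edge reports it as a managed setting and users cannot override it from edge://settings; clear it after patching so normal browsing is restored.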
Timeline
- 2026-04-12 – CVE disclosed by Microsoft Security Response Center.
- 2026-04-15 – Initial advisory released.
- 2026-04-20 – Security update 130.0.2155.56 made available.
- 2026-04-25 – Advisory updated to include legacy Edge guidance.
Further Resources
Act now. Apply the latest update or disable scripting to protect against this critical flaw.