CVE‑2026‑42923: Critical Remote Code Execution in Microsoft Edge WebView2

Impact

• Remote code execution on any Windows machine that loads a crafted web page.
• No user interaction required beyond normal browsing.
• Data exfiltration and system takeover possible.

Affected Products

• Microsoft Edge 120.0.1587.57 through 124.0.1999.0.
• WebView2 Runtime 1.0.2242.0 and earlier.
• Embedded WebView2 applications built with older SDKs.

Technical Details

• The flaw lies in the DOM parsing engine of WebView2, where a malformed HTML5 attribute bypasses bounds checking.
• Attackers craft a URL containing a specially‑encoded attribute that triggers a stack overflow.
• The overflow leads to an arbitrary write that can inject shellcode into the process memory.
• Exploitation requires Elevated privileges only if the target application runs as administrator.

CVSS Score

• Base Score: 9.8 (Critical)
• Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Timeline

• 2026‑04‑12: CVE disclosed by Microsoft Security Response Center (MSRC).
• 2026‑04‑15: Initial advisory released.
• 2026‑04‑18: Patch available for Edge and WebView2.
• 2026‑04‑20: Security Update Guide updated.

Mitigation Steps

1. Update Microsoft Edge to version 124.0.1999.0 or later.
2. Install the WebView2 Runtime update 1.0.2242.0 or newer.
3. For developers, upgrade the WebView2 SDK to the latest release and recompile.
4. If immediate update is impossible, disable WebView2 in the application or block the component via Group Policy.
5. Verify the update by running msedge.exe --version and webview2runtime.exe --version.

Resources

• Microsoft Security Advisory for CVE‑2026‑42923
• WebView2 Runtime download
• Edge Release Notes
• Developer guidance on secure WebView2 usage

Conclusion

The vulnerability is critical and actively exploitable. Apply the latest updates immediately. Monitor application logs for unusual activity. Stay informed through the official MSRC channels for further patches or workarounds.