Microsoft Edge users face a critical vulnerability that allows remote code execution via specially crafted web content. The flaw, rated CVSS 9.8, impacts all current and legacy Edge releases on Windows, macOS, and Linux. Immediate patching and strict content filtering are mandatory.
CVE‑2026‑42960: Remote Code Execution in Microsoft Edge
Immediate Impact
- All Microsoft Edge browsers on Windows, macOS, and Linux are affected.
- Remote attackers can execute arbitrary code with the privileges of the current user.
- The flaw is exploitable from a malicious website or via a phishing email attachment.
Technical Details
The vulnerability resides in the Edge HTML rendering engine. A malformed HTML5 custom element triggers a buffer overflow during the parsing of the `<script>` tag. When the overflow occurs, the engine miscalculates the stack pointer, allowing an attacker to inject and execute native code.
- The flaw is identified as CVE‑2026‑42960.
- CVSS base score: 9.8 (Critical).
- Attack vector: Network.
- Privileges required: None.
- User interaction: None.
Affected Versions
| Platform | Affected Releases | Patching Status |
|---|---|---|
| Windows | Edge 115.0.1901.0 – 115.0.1901.1 | Patched as of 2026‑05‑15 |
| macOS | Edge 115.0.1901.0 – 115.0.1901.1 | Patched as of 2026‑05‑15 |
| Linux | Edge 115.0.1901.0 – 115.0.1901.1 | Patched as of 2026‑05‑15 |
Older Edge 114 and below are also vulnerable and require an upgrade to the latest version.
Mitigation Steps
- Update immediately: Install the latest security patch released on 2026‑05‑15. Download from the official Microsoft Update Catalog or use Windows Update.
- Disable JavaScript in the browser settings if an update cannot be applied immediately. This reduces the attack surface but may break legitimate sites.
- Enable SmartScreen and Web Protection features to block malicious sites.
- Educate users about phishing emails that may contain malicious links or attachments.
- Deploy endpoint protection that blocks known exploit patterns.
Timeline
- 2026‑05‑10: Microsoft releases advisory and patches.
- 2026‑05‑12: Security Update Guide published.
- 2026‑05‑15: Patches available via Windows Update and Microsoft Edge update channel.
- 2026‑05‑20: Advisory advises all users to verify patch installation.
Further Resources
- Microsoft Security Update Guide – CVE‑2026‑42960
- Edge Release Notes
- SmartScreen Filter Documentation
Act now. Failure to patch exposes systems to immediate compromise.
Comments
Please log in or register to join the discussion