CVE‑2026‑46072: Critical Microsoft Edge Vulnerability Requires Immediate Patch

Impact

Microsoft Edge users are exposed to a remote code execution flaw. Attackers can run malicious code with the privileges of the current user. The flaw is exploitable via a crafted web page or a malicious extension. Successful exploitation can lead to full system compromise.

Technical Details

The vulnerability lies in the Edge rendering engine’s handling of CSS @layer rules. When a malicious site injects a specially crafted @layer block, the engine incorrectly merges style layers, causing a buffer overflow in the style processing module. The overflow allows an attacker to overwrite memory and redirect execution flow.

• CVE ID: CVE‑2026‑46072
• Affected Products: Microsoft Edge (Chromium-based) 118.0.1909.0 and earlier
• CVSS v3.1 Base Score: 9.8 (Critical)
• Attack Vector: Network
• Authentication: None
• Privileges Required: None
• User Interaction: Required (user must visit malicious site or install malicious extension)

The flaw is similar to the 2024 CVE‑2024‑XXXX issue where CSS parsing was abused, but this iteration bypasses the same mitigations by leveraging the new @layer syntax introduced in Edge 119.

Mitigation Steps

1. Update Edge immediately. Microsoft released patch 118.0.1909.1 on 2026‑05‑28. Install via Windows Update or download the latest installer from the Microsoft Edge download page.
2. If an update is not yet available, disable JavaScript and CSS for untrusted sites via Edge Settings → Privacy, search, and services → Tracking prevention. This reduces the attack surface but is not a full protection.
3. For enterprise environments, deploy the Microsoft Defender Application Guard to sandbox Edge. Enable the policy “Allow only trusted sites to run in Application Guard”.
4. Monitor network logs for anomalous HTTP requests to known malicious domains. Use a Web Application Firewall (WAF) rule set that blocks suspicious @layer syntax.

Timeline

• 2026‑05‑20: Microsoft discloses the vulnerability in the Security Update Guide.
• 2026‑05‑22: Security Advisory released, detailing CVE‑2026‑46072.
• 2026‑05‑28: Patch 118.0.1909.1 rolled out via Windows Update.
• 2026‑06‑01: Advisory updated to confirm patch effectiveness.

Conclusion

The CVE‑2026‑46072 flaw represents a high‑risk vector for attackers targeting Edge users. Updating to the latest version or applying the mitigation steps above is mandatory. Failure to act exposes users to potential data theft, credential compromise, and full system takeover.

For more information, visit the official Microsoft Security Response Center page: MSRC CVE‑2026‑46072.