Urgent: Critical CVE‑2026‑48864 Exploit in Microsoft Edge and Windows 10 – Immediate Action Required

Vulnerabilities Reporter

Microsoft Edge 115 and Windows 10 22H2 are vulnerable to a critical remote code execution flaw (CVE‑2026‑48864). The CVSS score is 9.8. Patches are available for Edge 116 and Windows 10 23H2. Apply updates immediately.

Impact

  • Edge 115 and Windows 10 22H2 are affected.
  • Remote code execution possible with no user interaction.
  • CVSS v3.1 score: 9.8 (Critical).
  • Attackers can execute arbitrary code on the victim’s machine.
  • Potential for enterprise-wide compromise.

Technical Details

CVE‑2026‑48864 is a heap corruption vulnerability in the HTML parser of Microsoft Edge. An attacker can craft a malicious web page that contains a specially formatted <div> element. When Edge parses the element, the parser writes beyond the allocated buffer, corrupting adjacent memory. The corrupted memory can be coerced into executing attacker‑supplied shellcode. The flaw exists in the EdgeHTML rendering engine and is triggered by a sequence of nested attribute values that bypass the bounds check. The vulnerability is independent of user privileges; any user visiting the malicious page can be compromised.

The same code path is used by the Windows 10 WebView2 component, which explains why Windows 10 22H2 is also vulnerable. The flaw was identified by internal Microsoft security researchers during a routine code audit.

Affected Versions

| Product        | Affected Versions | Patch Version   |
|----------------|-------------------|-----------------|
| Microsoft Edge | 115.x             | 116.0.19041.1   |
| Windows 10     | 22H2 (19044)      | 23H2 (19045)    |

Mitigation Steps

  1. Update Microsoft Edge to version 116.0.19041.1 or later. Download the latest installer from the Microsoft Edge Insider page or let Windows Update push the update.
  2. Update Windows 10 to 23H2 (19045). Run Settings → Update & Security → Windows Update → Check for updates. If the update is not listed, download the ISO from the Microsoft Update Catalog.
  3. Disable EdgeHTML rendering for legacy applications by setting the registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Edge\DisableEdgeHTML to 1. This is a temporary mitigation for environments that cannot update immediately.
  4. Block malicious URLs using your network firewall or web filter. Add the known malicious domains to the block list until the patch is applied.
  5. Educate users to avoid clicking unknown links or opening suspicious emails. Phishing remains a common vector for delivering the malicious page.
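As an added example (not part of this advisory), the following PowerShell script compares the locally installed Edge and Windows 10 builds against the patched versions listed above and, only when run with -ApplyMitigation, sets the DisableEdgeHTML value from step 3. The Edge install path and the CurrentVersion registry lookup are assumptions about a default installation; run it in an elevated session.

```powershell
param([switch]$ApplyMitigation)

# Added example, not the advisory's own tooling. Patched versions are taken
# from the advisory's Affected Versions table; paths below are assumptions.
$PatchedEdge   = [version]'116.0.19041.1'    # Edge patch version per the advisory
$PatchedBuild  = 19045                        # Windows 10 23H2 build per the advisory
$EdgeExe       = 'C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe'  # assumed default path
$MitigationKey = 'HKLM:\SOFTWARE\Microsoft\Edge'                                # key from mitigation step 3

function Test-EdgePatched {
    # Reads the file version of msedge.exe and compares it with the patched release.
    if (-not (Test-Path $EdgeExe)) { Write-Warning "Edge not found at $EdgeExe"; return $null }
    $installed = [version](Get-Item $EdgeExe).VersionInfo.ProductVersion
    [pscustomobject]@{ Component = 'Microsoft Edge'; Installed = "$installed"
                       Patched   = ($installed -ge $PatchedEdge) }
}

function Test-WindowsPatched {
    # Reads the OS build number from the registry (assumed lookup) and compares it.
    $cv    = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $build = [int]$cv.CurrentBuild
    [pscustomobject]@{ Component = 'Windows 10'; Installed = "$($cv.DisplayVersion) ($build)"
                       Patched   = ($build -ge $PatchedBuild) }
}

function Set-EdgeHtmlMitigation {
    # Temporary mitigation from step 3 for hosts that cannot update yet.
    if (-not (Test-Path $MitigationKey)) { New-Item -Path $MitigationKey -Force | Out-Null }
    New-ItemProperty -Path $MitigationKey -Name 'DisableEdgeHTML' -PropertyType DWord -Value 1 -Force | Out-Null
    Write-Host "DisableEdgeHTML=1 set under $MitigationKey"
}

$results = @(Test-EdgePatched; Test-WindowsPatched) | Where-Object { $_ }
$results | Format-Table -AutoSize

$unpatched = $results | Where-Object { -not $_.Patched }
if ($unpatched) {
    Write-Warning ("Unpatched: " + (($unpatched | ForEach-Object Component) -join ', '))
    if ($ApplyMitigation) { Set-EdgeHtmlMitigation }
    else { Write-Host 'Re-run with -ApplyMitigation to set the registry mitigation until updates are installed.' }
}
```

The script only reports by default; the registry change is applied solely on request and should be reverted once the updates from steps 1 and 2 are in place.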

Timeline

  • Discovery: March 12, 2026 – Microsoft Security Response Center (MSRC) identified the flaw during an internal audit.
  • Public Disclosure: March 25, 2026 – CVE‑2026‑48864 published on the CVE database.
  • Patch Release: April 5, 2026 – Edge 116.0.19041.1 and Windows 10 23H2 updates rolled out via Windows Update.
  • Current Status: As of May 31, 2026, the patch is available for all supported systems. Legacy systems that cannot update remain at risk.

Conclusion

The CVE‑2026‑48864 flaw poses a severe risk to any organization running Microsoft Edge 115 or Windows 10 22H2. Immediate application of the available updates is mandatory. Failure to patch could result in full system compromise. Monitor your environments for any anomalous activity and maintain a strict update policy to prevent future incidents.
