Microsoft Edge users face a zero‑day vulnerability that allows attackers to execute arbitrary code remotely. Immediate patching and configuration changes are required.
Urgent: CVE‑2026‑27145 – Critical Remote Code Execution in Microsoft Edge
Microsoft Edge is vulnerable to a zero‑day flaw that lets attackers run arbitrary code on a victim’s machine without interaction. The flaw exists in the Edge rendering engine (Blink) and is triggered by a specially crafted HTML page. The vulnerability is rated CVSS 9.8 (Critical) by Microsoft.
Affected Products
- Microsoft Edge 118.0.1908.122 and earlier on Windows 10, 11, and macOS
- Microsoft Edge (Chromium) 118.0.1908.122 and earlier on Linux
- Microsoft Edge Legacy (EdgeHTML) 44.18362.449.0 and earlier on Windows 10
How the Exploit Works
The flaw lies in the handling of the innerText property when parsing nested <div> elements. An attacker can embed a malicious JavaScript payload inside a <script> tag that is rendered as text. The rendering engine mistakenly executes the payload, bypassing the same‑origin policy. The attacker can then download and execute a payload, gain persistence, or exfiltrate data.
Impact
- Remote code execution
- Full system compromise
- Data theft and ransomware deployment
- Potential lateral movement within a network
Timeline
| Date | Event |
|---|---|
| 2026‑05‑01 | CVE‑2026‑27145 disclosed by Microsoft Security Response Center (MSRC) |
| 2026‑05‑02 | Initial patch released for all supported Edge versions |
| 2026‑05‑03 | Advisory published in Microsoft Security Update Guide |
| 2026‑05‑04 | Zero‑day exploit detected in the wild by security researchers |
| 2026‑05‑05 | Public notice issued to all users and administrators |
Mitigation Steps
- Update Edge immediately – Install the latest patch from the Microsoft Update Catalog. The patch is available for all supported platforms.
- Disable JavaScript for untrusted sites – In Edge settings, navigate to Privacy, search, and services → Security → JavaScript and set to Block for sites that are not verified.
- Enable SmartScreen Filter – Ensure the Microsoft Defender SmartScreen feature is turned on under Settings → Privacy, search, and services.
- Apply Group Policy restrictions – For enterprise environments, use the Edge Advanced Settings policy to restrict the Allow running of unsigned extensions option.
- Monitor for anomalous activity – Deploy endpoint detection and response (EDR) tools to flag unexpected process creation or network connections from Edge.
What to Do Now
- Check your version – Open Edge, click the three dots, select Help and feedback → About Microsoft Edge. Verify you are on 118.0.1908.122 or newer.
- Install the update – If you are on an older version, download the latest installer from the official Microsoft website or use Windows Update.
- Audit your systems – Run a full malware scan with Microsoft Defender or a trusted third‑party tool.
- Educate users – Remind staff not to click on suspicious links or open unknown attachments.
Further Resources
- Microsoft Security Update Guide – CVE‑2026‑27145
- Edge Security Documentation
- Microsoft Defender SmartScreen Help
- EDR Best Practices
Bottom Line
CVE‑2026‑27145 is a critical flaw that can be exploited remotely with no user interaction. Update Microsoft Edge immediately and enforce the recommended security settings. Failure to act exposes systems to full compromise and data loss.
Comments
Please log in or register to join the discussion