Microsoft Edge users face a critical remote code execution flaw. The vulnerability affects all current Edge releases, with a CVSS base score of 9.8. Immediate patching and validation are mandatory.
CVE‑2026‑46076: Microsoft Edge Remote Code Execution
Impact
All users of Microsoft Edge, including Windows 10, Windows 11, and macOS builds, are at risk. An attacker can execute arbitrary code with system privileges by delivering a crafted web page.
Technical Details
The flaw lies in the Edge rendering engine’s handling of the content‑security-policy header. When a malicious site sends a CSP that includes a script-src directive with a non‑standard value, the engine incorrectly resolves the directive, allowing inline scripts to run with elevated privileges. The vulnerability is triggered by a single HTTP request, no user interaction required beyond visiting the page.
- CVE ID: CVE‑2026‑46076
- Affected products: Microsoft Edge 112.0.1722.0 and later, all platforms
- CVSS v3.1 base score: 9.8 (Critical)
- Attack vector: Network
- Privileges required: None
- User interaction: None
The flaw is analogous to the historic Edge “CSP bypass” bugs, but this iteration bypasses all CSP enforcement layers, including the Content Security Policy Level 3 parser.
Timeline
| Date | Event |
|---|---|
| 2026‑04‑12 | CVE assigned by MITRE |
| 2026‑04‑15 | Microsoft publishes advisory and security update |
| 2026‑04‑18 | Patch released to Windows Update, Microsoft Store, and macOS App Store |
| 2026‑04‑20 | Advisory updated with mitigation guidance |
Mitigation Steps
- Apply the patch immediately. Run Windows Update or download the standalone update from the Microsoft Security Update Guide.
- Verify installation. After updating, run
edge --versionto confirm the build is 112.0.1722.0 or higher. - Block malicious sites. Use a reputable web filter or DNS‑based blocker that blocks known malicious domains until the patch is applied.
- Enable CSP enforcement. For internal web applications, enforce strict CSP headers and disable legacy
unsafe-inlinedirectives. - Monitor for exploitation. Check Windows Event Logs for
EdgerelatedSecurityevents, and review web traffic for anomalous requests.
Why It Matters
Edge is the default browser on all Windows devices. A successful exploit grants full control over the victim’s machine, enabling credential theft, ransomware deployment, or persistence mechanisms. The zero‑interaction nature of the attack means users can be compromised simply by visiting a compromised site.
Further Resources
- Microsoft Security Update Guide – CVE‑2026‑46076
- Microsoft Edge Release Notes
- CVE Details – CVE‑2026‑46076
Act now. Update. Verify. Protect.
Comments
Please log in or register to join the discussion