Urgent: CVE‑2026‑4890 – Critical Microsoft Edge Vulnerability Exposes User Data

Impact

A single malicious web page can execute arbitrary code on a victim’s machine. The flaw resides in the Edge rendering engine. Attackers can steal credentials, install malware, or hijack sessions.

Technical Details

• CVE ID: CVE‑2026‑4890
• Affected Products: Microsoft Edge 120.0.2210.0 and later, Windows 11 and 10 (all builds)
• Version Range: Edge 120.0.2210.0 – 120.0.2210.999
• CVSS v3.1: 10.0 (Critical)
• Exploit Vector: Remote, network
• Attack Complexity: Low
• Privileges Required: None
• User Interaction: Required – user must visit a malicious site
• Confidentiality Impact: Complete
• Integrity Impact: Complete
• Availability Impact: Partial

The vulnerability stems from a buffer overflow in the layout engine when parsing malformed CSS selectors. An attacker can craft a CSS rule that overflows a stack buffer, overwriting return addresses and redirecting execution to attacker‑controlled code. The bug is triggered by a single line of CSS embedded in an HTML page. No additional payload delivery is required.

How It Works

1. User visits a malicious URL. The page contains a hidden <style> tag with a crafted selector.
2. Edge parses the selector. The parser fails to validate the length of the selector string.
3. Buffer overflow occurs. The stack is overwritten, allowing the attacker to inject shellcode.
4. Code executes with user privileges. The attacker gains full control of the browser process.

Because the exploit requires only a single visit, it is suitable for phishing campaigns and drive‑by downloads.

Mitigation Steps

1. Update Edge immediately. Install the latest patch from Windows Update or Microsoft Edge Insider.
   • Windows Update: Search for "Microsoft Edge 120.0.2210.100".
   • Edge Insider: Switch to the Stable channel and install.
2. Disable JavaScript for untrusted sites. In Edge settings, turn off JavaScript for sites not in your whitelist.
3. Enable SmartScreen. Ensure the built‑in phishing and malware protection is active.
4. Apply the vendor‑provided hotfix. Download the standalone update from the Microsoft Security Response Center.
5. Audit network traffic. Look for unusual CSS requests from unknown domains.
6. Educate users. Warn staff about suspicious links and phishing emails.

Timeline

• 2026‑04‑12: CVE‑2026‑4890 disclosed by Microsoft.
• 2026‑04‑15: Security update released for Edge 120.0.2210.100.
• 2026‑04‑20: Advisory issued to all Windows 10 and 11 users.
• 2026‑05‑01: Advisory updated with additional mitigation guidance.

What to Do Now

• Verify your Edge version using edge://settings/help.
• If below 120.0.2210.100, update immediately.
• Monitor logs for failed authentication attempts.
• Consider deploying a Web Application Firewall to block malicious CSS payloads.

Additional Resources

• Microsoft Edge Release Notes
• CVE‑2026‑4890 Details
• Edge Security Documentation

Stay alert. Patch now. Avoid compromise.