CVE‑2026‑5419 – Microsoft Edge Remote Code Execution
Microsoft Edge versions 118.0.19041.1 through 118.0.19041.3 are vulnerable to a remote code execution flaw (CVE‑2026‑5419). A crafted HTML page is enough to make the browser execute arbitrary code with the privileges of the logged-in user; no elevation is involved unless the attacker chains a separate privilege escalation. Immediate patching is required.
Impact
A single malicious web page can cause Edge to run arbitrary code as the current user. From there an attacker can install malware, steal credentials and browser session data, or, chained with a separate privilege escalation, take full control of the system. The flaw is exploitable wherever users browse the web: corporate networks, education, and home use alike.
Affected Versions
- Microsoft Edge 118.0.19041.1 – 118.0.19041.3
- Windows 10 and Windows 11 hosts, including Enterprise editions, that have not yet received the fixed Edge build.
- The issue does not affect older major releases (117.x and below).
CVSS Score
- Base Score: 9.8 (Critical)
- Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
- Note: these two values do not agree. Under CVSS v3.1 the vector as written scores 9.6; a 9.8 corresponds to UI:N/S:U. Since the exploit flow requires the user to open a page (UI:R), treat the vector as the more specific statement and confirm both figures against the vendor advisory.
Technical Details
The vulnerability lies in the Edge rendering engine's handling of the contenteditable attribute when combined with a malformed style block. When a crafted page loads, the engine mis-parses the CSS, and a stack buffer overflow follows in the JavaScript engine. The overflow lets an attacker overwrite a saved return address on the stack and redirect execution, giving arbitrary code execution with the privileges of the browsing user. The advisory does not describe a sandbox escape; because Edge runs its rendering engine in a sandboxed process, whether the resulting code has the full rights of the user or only those of the renderer sandbox matters for triage and should be confirmed against the vendor advisory.
Exploit Flow
- Attacker hosts a malicious HTML page.
- User opens the page in Edge.
- Edge parses the contenteditable element.
- Malformed CSS triggers a stack buffer overflow.
- Exploit code runs with user privileges.
Mitigation Steps
- Update Edge immediately. Edge updates through Microsoft Edge Update (opening edge://settings/help forces a check); the Microsoft Security Update Guide entry for the CVE lists the fixed build.
- If automatic updates are disabled, run winget upgrade --id Microsoft.Edge, or deploy the package from the Microsoft Update Catalog.
- Verify the version afterwards: open edge://version, or read the ProductVersion of msedge.exe in PowerShell. Note that the executable is msedge.exe; there is no edge command, and the browser does not print its version to a console.
- Where updates cannot be applied instantly, block known malicious domains via web filtering, but treat this as a stopgap only: any site the user can reach, including a compromised legitimate one, can host the crafted page.
- Ensure Exploit Protection (Windows Defender Exploit Guard) enforces DEP, mandatory ASLR and Control Flow Guard for msedge.exe. These mitigations raise the cost of turning a stack overflow into reliable code execution; they do not remove the bug.
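The update, verify and harden steps above, as one added PowerShell example. This is editorial example code, not part of the advisory or of any Microsoft tooling. It assumes the affected range stated on this page, that winget is installed, and that it is run from an elevated session (winget and Set-ProcessMitigation need administrator rights). The install paths and the BLBeacon registry key are the standard locations Edge and Edge Update write to.

```powershell
# Added example (not from the advisory): check the installed Edge build against the
# affected range, upgrade via winget if needed, and enforce exploit-protection
# mitigations on msedge.exe. Version bounds are taken from the advisory text.
# Run from an elevated PowerShell session.

$AffectedMin = [version]'118.0.19041.1'
$AffectedMax = [version]'118.0.19041.3'

function Get-EdgeVersion {
    # Prefer the ProductVersion stamped on msedge.exe; fall back to the
    # BLBeacon key that Edge Update writes for the current user.
    $paths = @(
        "$env:ProgramFiles\Microsoft\Edge\Application\msedge.exe",
        "${env:ProgramFiles(x86)}\Microsoft\Edge\Application\msedge.exe"
    )
    foreach ($p in $paths) {
        if (Test-Path $p) {
            return [version](Get-Item $p).VersionInfo.ProductVersion
        }
    }
    $reg = Get-ItemProperty 'HKCU:\Software\Microsoft\Edge\BLBeacon' -ErrorAction SilentlyContinue
    if ($reg -and $reg.version) { return [version]$reg.version }
    return $null
}

function Test-EdgeAffected {
    param([version]$Version)
    # Only 118.0.19041.1 through .3 are listed; 117.x and the patched .4 build are not.
    return ($Version -ge $AffectedMin -and $Version -le $AffectedMax)
}

$current = Get-EdgeVersion
if (-not $current) {
    Write-Warning 'msedge.exe not found; Edge may not be installed on this host.'
    return
}

if (Test-EdgeAffected $current) {
    Write-Warning "Edge $current is in the affected range; upgrading."
    # Non-interactive flags so the step works in a scripted rollout.
    winget upgrade --id Microsoft.Edge --silent --accept-package-agreements --accept-source-agreements
    $after = Get-EdgeVersion
    if (Test-EdgeAffected $after) {
        Write-Error "Edge still reports $after; escalate to manual patching."
    } else {
        Write-Host "Edge now at $after."
    }
} else {
    Write-Host "Edge $current is not in the affected range."
}

# Defence in depth: make DEP, mandatory ASLR (ForceRelocateImages) and CFG policy
# for the Edge process rather than opt-in. Edge already enables these itself, so
# this should not break the browser; test before pushing ForceRelocateImages to
# other binaries, since non-relocatable DLLs will fail to load.
Set-ProcessMitigation -Name msedge.exe -Enable DEP, ForceRelocateImages, CFG
```

Running Edge at the moment of the upgrade keeps the old binary in memory until the browser restarts, so a verified version on disk is not the same as a patched running process; have users relaunch the browser or enforce a restart through your management tooling.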
Timeline
- 2026‑05‑12 – CVE disclosed by Microsoft Security Response Center (MSRC).
- 2026‑05‑15 – Initial patch released for Edge 118.0.19041.4.
- 2026‑05‑20 – Patch rolled out to Windows Update.
- 2026‑05‑25 – Advisory issued to all customers.
What to Do Next
- Check your Edge version now. If you are on 118.0.19041.1 through 118.0.19041.3, you are at risk.
- Apply the latest patch without delay.
- Monitor endpoint logs for processes spawned by msedge.exe that are not Edge itself; Security event 4688 and Sysmon event 1 both record the parent process. A shell, script host or unknown binary under the browser is the first observable of a successful exploit.
- Educate users about the danger of opening unknown web pages.
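The log check above, as an added PowerShell hunt over Security event 4688. This is editorial example code, not part of the advisory. It assumes "Audit Process Creation" is enabled on the host (and, for the CommandLine field, that command-line logging is turned on under Administrative Templates > System > Audit Process Creation); the allow-list of legitimate Edge children is a starting point you will need to extend for your estate.

```powershell
# Added example (not from the advisory): list children of msedge.exe that are not
# Edge itself, from Security event 4688 (process creation) in the last N hours.
# Edge normally spawns only msedge.exe renderer/GPU/utility processes, so anything
# else under the browser deserves triage.

param(
    [int]$Hours = 24,
    # Known-good children of the browser. Extend for approved handlers in your estate.
    [string[]]$AllowedChildren = @('msedge.exe', 'msedgewebview2.exe', 'MicrosoftEdgeUpdate.exe')
)

$filter = @{
    LogName   = 'Security'
    Id        = 4688
    StartTime = (Get-Date).AddHours(-$Hours)
}

$hits = foreach ($evt in Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue) {
    # Pull the named EventData fields out of the event XML.
    $xml  = [xml]$evt.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    $parent = $data['ParentProcessName']
    $child  = $data['NewProcessName']
    if (-not $parent -or -not $child) { continue }   # older 4688 without ParentProcessName

    if ((Split-Path $parent -Leaf) -ieq 'msedge.exe' -and
        (Split-Path $child -Leaf) -notin $AllowedChildren) {
        [pscustomobject]@{
            Time        = $evt.TimeCreated
            User        = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
            Child       = $child
            CommandLine = $data['CommandLine']
            Elevation   = $data['TokenElevationType']
        }
    }
}

if ($hits) {
    Write-Warning "$(@($hits).Count) non-Edge process(es) spawned by msedge.exe in the last $Hours h"
    $hits | Sort-Object Time | Format-Table -AutoSize -Wrap
} else {
    Write-Host "No unexpected children of msedge.exe in the last $Hours h."
}
```

Expect some benign hits: a user opening a downloaded file launches its handler as a child of the browser. Prioritise cmd.exe, powershell.exe, wscript.exe, mshta.exe, rundll32.exe and binaries running from user-writable paths, and pivot on the logon ID and time window once something looks wrong.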
Further Resources
- Microsoft Security Advisory for CVE‑2026‑5419
- Edge Release Notes
- Windows Defender Exploit Guard Documentation
Act now. The flaw is publicly known and actively exploited in the wild. Updating Edge is the fastest and most reliable defense.