Microsoft Edge users face a critical remote code execution flaw, CVE‑2026‑8295, with CVSS 9.8. Affected versions span 115.0.1901.0 to 115.0.1901.64. Apply the latest security patch within 24 hours.
Urgent: CVE‑2026‑8295 – Critical Vulnerability in Microsoft Edge – Immediate Action Required
Impact
- Remote code execution.
- Full system compromise.
- Data exfiltration.
Affected
- Microsoft Edge 115.0.1901.0 through 115.0.1901.64 on Windows, macOS, Linux.
- All devices running the default installation.
Severity
- CVSS v3.1 Base Score: 9.8 (Critical).
- Exploitability: High.
- Impact: High.
Technical Details
CVE‑2026‑8295 is a heap corruption flaw in the Edge rendering engine. An attacker can supply a specially crafted HTML file that causes the browser to write outside the bounds of a heap buffer. The overflow overwrites a function pointer, enabling arbitrary code execution with the privileges of the current user. The vulnerability exists in the handling of CSS clip-path values that reference external URLs. The bug was introduced during the refactor of the media query parser in version 115.0.1901.0.
The attacker does not require user interaction beyond opening a malicious link or loading a compromised web page. Once triggered, the attacker can execute shellcode, install malware, or pivot to other network resources.
Mitigation Steps
- Update Edge – Install the latest version (115.0.1901.65 or newer) from the official Microsoft Edge channel. Use the built‑in updater or download from the Microsoft Edge Release Notes.
- Disable External CSS – If immediate update is not possible, block external CSS resources via group policy or firewall rules. Configure the Content Security Policy header to disallow style-src from external domains.
- Monitor for Exploits – Enable Windows Defender Exploit Guard and monitor for anomalous process creation or network activity. Deploy the latest Microsoft Defender ATP rules for CVE‑2026‑8295.
- Patch Other Components – Ensure that all dependent libraries (e.g., WebView2, EdgeHTML) are also updated to the patched releases.
- Educate Users – Advise users to avoid opening unknown links or downloading files from untrusted sites until the patch is applied.
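Added example (not part of the original advisory and not Microsoft tooling): a triage of a software inventory against the affected range given above, comparing versions numerically so that a build such as 115.0.1901.7 is not missed by a string comparison. The CSV layout, hostnames and sample versions are constructed assumptions.

```python
import csv
import io

# Affected range as stated in the advisory; 115.0.1901.65 or newer is fixed.
FIRST_AFFECTED = (115, 0, 1901, 0)
LAST_AFFECTED = (115, 0, 1901, 64)

# Constructed sample inventory; hostnames and column names are assumptions.
SAMPLE_INVENTORY = """host,product,version
ws-001,Microsoft Edge,115.0.1901.40
ws-002,Microsoft Edge,115.0.1901.65
mac-014,Microsoft Edge,115.0.1901.64
lin-007,Microsoft Edge,114.0.1800.5
ws-003,Microsoft Edge,unknown
ws-004,Mozilla Firefox,115.0.1901.10
ws-005,Microsoft Edge,115.0.1901.7
"""


def parse_version(text):
    """Return a 4-tuple of ints, or None if the string is not a.b.c.d."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isascii() and p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)


def classify(version_text):
    """Classify one Edge version string against the advisory's range."""
    version = parse_version(version_text)
    if version is None:
        return "unparsed"  # needs manual follow-up; never assume it is safe
    if FIRST_AFFECTED <= version <= LAST_AFFECTED:
        return "affected"
    return "not_in_range"


def triage(inventory_csv):
    """Map each Edge host to its classification; other products are skipped."""
    results = {}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        if row["product"].strip().lower() != "microsoft edge":
            continue
        results[row["host"]] = classify(row["version"])
    return results


if __name__ == "__main__":
    for host, status in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{host}: {status}")
```

Hosts reported as "unparsed" should be checked by hand rather than counted as patched.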
Timeline
- 2026‑05‑10: Microsoft publishes the vulnerability advisory and releases a patch (115.0.1901.65).
- 2026‑05‑12: Security teams begin rolling out updates via WSUS and SCCM.
- 2026‑05‑15: Full deployment across enterprise networks.
Resources
- Microsoft Security Response Center Advisory
- Edge Security Update Guide
- CVE Details
- Microsoft Defender ATP Rules
Act now. Apply the patch before the next scheduled update cycle. Failure to do so exposes systems to immediate compromise.