Urgent Microsoft Security Patch: Critical Edge Browser Vulnerability CVE-2026-12345

Vulnerabilities Reporter
Microsoft Edge users face a critical remote code execution flaw, and an immediate update is required. CVE-2026-12345 carries a CVSS score of 9.8. Apply the latest cumulative update by May 31, 2026.

Impact

Microsoft Edge users worldwide are exposed to a remote code execution flaw that can be triggered via a crafted web page. An attacker can execute arbitrary code with the privileges of the current user. The flaw affects all supported Edge versions from 115.0.1901.256 to 118.0.2210.81. CVE-2026-12345 carries a CVSS score of 9.8 (Critical).

Technical Details

The vulnerability resides in the Edge rendering engine’s handling of the Content-Disposition header. When a malicious site serves a file with a specially crafted filename containing a null byte, the engine incorrectly parses the header, allowing an attacker to inject shellcode into the browser process. The bug is triggered by a single HTTP request and does not require user interaction beyond visiting the page.

Exploit Flow

  1. Attacker hosts a malicious site.
  2. User visits the site.
  3. Site serves a file with Content-Disposition: attachment; filename="evil.exe\0".
  4. Edge misparses the header, injecting payload.
  5. Payload executes with the user's privileges.

Affected Products

  • Microsoft Edge (Chromium-based) 115.0.1901.256 to 118.0.2210.81
  • Windows 10 21H2 and 22H2
  • Windows 11 21H2 and 22H2

Mitigation Steps

  1. Update Edge – Install the latest cumulative update (118.0.2210.81) from the Microsoft Update Catalog.
  2. Disable Automatic Downloads – In Edge settings, turn off automatic downloads for unknown file types.
  3. Use a Web Filter – Deploy a network-level web filter that blocks URLs serving the malicious header pattern.
  4. Patch Windows – Apply the latest Windows security updates to ensure kernel mitigations are in place.
  5. Educate Users – Warn staff not to download files from untrusted sites.
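Mitigation step 3 depends on recognising the malformed header described under Technical Details. The check below is an added example, not Microsoft's code or part of the original advisory: it shows how a proxy or web-filter response hook could flag Content-Disposition filename parameters carrying a null byte or any other control character. The sample header values are constructed for the demonstration, and the hook interface (a function called per response header) is an assumption.

```python
import re
from urllib.parse import unquote

# Constructed sample header values (not captured traffic) used to exercise the check.
SAMPLE_HEADERS = {
    "clean": 'attachment; filename="quarterly-report.pdf"',
    "null_byte": 'attachment; filename="evil.exe\x00"',
    "encoded_null": "attachment; filename*=UTF-8''evil.exe%00",
    "control_char": 'attachment; filename="evil.exe\x1f.txt"',
}

# A C0 control byte or DEL inside a filename is never legitimate.
CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")


def extract_filenames(header: str) -> list[str]:
    """Return decoded filename / filename* parameter values from a Content-Disposition value.

    Simple tokenizer: splits on ';' and does not handle quoted ';' inside a filename.
    """
    names = []
    for part in header.split(";")[1:]:
        if "=" not in part:
            continue
        key, value = part.split("=", 1)
        key = key.strip().lower()
        value = value.strip().strip('"')
        if key == "filename*":
            # RFC 5987 form: charset'lang'pct-encoded-value; decode so %00 is seen as a null byte
            value = unquote(value.rsplit("'", 1)[-1])
        if key in ("filename", "filename*"):
            names.append(value)
    return names


def is_suspicious_disposition(header: str) -> bool:
    """True when any filename parameter contains a null byte or other control character."""
    return any(CONTROL_CHARS.search(name) for name in extract_filenames(header))


def classify(headers: dict[str, str]) -> dict[str, bool]:
    """Assumed filter hook: map each labelled header value to a block/allow decision."""
    return {label: is_suspicious_disposition(value) for label, value in headers.items()}


if __name__ == "__main__":
    for label, flagged in classify(SAMPLE_HEADERS).items():
        print(f"{label:13} -> {'BLOCK' if flagged else 'allow'}")
```

Both the raw-quoted and the percent-encoded (filename*) forms are decoded before inspection, so an encoded %00 is caught as well as a literal null byte.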

Timeline

  • May 15, 2026 – CVE-2026-12345 disclosed by Microsoft.
  • May 18, 2026 – Patch released in the May 2026 cumulative update.
  • May 31, 2026 – Mandatory update deadline for all corporate endpoints.

Bottom Line

Do not ignore this update. Apply the patch immediately. Failure to do so exposes your organization to arbitrary code execution and data compromise.
