Microsoft Edge: Three CVEs Disclosed Together — RCE, Spoofing, and Security Feature Bypass
Microsoft released fixes for three Edge vulnerabilities on May 18, including a high-severity remote code execution flaw (CVE-2026-45495) and two medium-severity issues targeting spoofing and security feature bypass.
Key findings
- CVE-2026-45495 is a High-severity (CVSS 8.8) Remote Code Execution bug in Microsoft Edge
- CVE-2026-45494 is a Medium-severity Spoofing Vulnerability (CVSS 5.4)
- CVE-2026-45492 is a Medium-severity security feature bypass via improper input validation (CVSS 5.4)
- All three CVEs were disclosed together on May 18, 2026, with no reported in-the-wild exploitation
- Fixes were shipped via Edge's standard automatic update channel
Microsoft patched three vulnerabilities in its Edge browser (Chromium-based) on May 18, 2026, in a coordinated disclosure that includes one high-severity remote code execution bug and two medium-severity flaws affecting spoofing and security feature enforcement. All three CVEs were published simultaneously, signaling a single patch batch shipped to Edge users via the browser's automatic update channel.
The most severe of the batch is CVE-2026-45495, a Remote Code Execution vulnerability carrying a CVSSv3 score of 8.8 (High). While Microsoft's advisory does not detail the specific rendering or scripting component involved, the RCE classification means an attacker who successfully exploits the flaw could execute arbitrary code in the context of the browser process. In Chromium-based browsers, RCE bugs typically arise from memory corruption in the V8 JavaScript engine, DOM handling, or media pipeline components. Users who browse with untrusted sites or open attacker-crafted content are the primary risk surface.
Two medium-severity CVEs round out the batch. CVE-2026-45494 (CVSSv3 5.4) is a Spoofing Vulnerability. Spoofing bugs in Edge allow an attacker to present misleading content — such as a fraudulent URL bar, a fake TLS padlock, or a deceptive origin indicator — tricking users into trusting a malicious site as legitimate. These are frequently used as components in phishing chains.
CVE-2026-45492 (CVSSv3 5.4) is described as an improper input validation flaw that allows an unauthorized attacker to bypass a security feature over a network. Security feature bypass vulnerabilities are especially concerning in a browser context because they can undermine defenses such as site isolation, sandboxing, Content Security Policy (CSP) enforcement, or same-origin policy. The advisory notes the attack vector is network-based and requires no authentication, though it does not specify which security feature is circumvented.
Microsoft has not reported active exploitation in the wild for any of the three CVEs as of the disclosure date. No threat-actor campaigns or public proof-of-concept exploits have been tied to this batch.
The fixes were delivered through Microsoft Edge's standard update mechanism. Users running Edge on Windows, macOS, and Linux should ensure their browser is updated to the latest stable channel version. Enterprise administrators managing Edge via group policy or update management tools should verify that automatic updates are enabled and that the May 18 patch has been applied across managed endpoints.
This batch, while small, illustrates the breadth of attack surface Microsoft must defend in a modern Chromium-based browser: memory safety (RCE), UI trust signals (spoofing), and input validation (security feature bypass). Edge users should treat the high-severity RCE as the priority fix, but the two medium-severity bugs — particularly the security feature bypass — warrant attention from security teams who rely on Edge's built-in protections as part of their defense-in-depth posture.