Microsoft Edge Vulnerability Allows RCE via Log File Handling Flaw
A directory traversal vulnerability in Microsoft Edge's feedback log file handling, tracked as CVE-2026-45495, enables remote code execution with user interaction.

Zero Day Initiative (ZDI) has disclosed a critical vulnerability affecting Microsoft Edge, identified as ZDI-26-331 and assigned CVE-2026-45495. This flaw resides within the browser's mechanism for handling feedback log files, allowing remote attackers to execute arbitrary code on a vulnerable system.
The vulnerability is classified as a directory traversal issue. The root cause is insufficient validation of user-supplied paths before they are used in file operations. This oversight lets an attacker manipulate file paths, potentially accessing or overwriting files outside the intended directory.
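The class of flaw described above, as an added example that is not Edge's code and is not taken from the advisory: an unvalidated path join next to a containment check that resolves the path before testing it. The function names, the log directory and the sample inputs are assumptions constructed for illustration.

```python
import os
import tempfile


def naive_log_path(base_dir, name):
    # Vulnerable pattern: the caller-supplied name is joined without validation.
    return os.path.join(base_dir, name)


def escapes_base(base_dir, path):
    # True when the fully resolved path lands outside base_dir.
    base = os.path.realpath(base_dir)
    return os.path.commonpath([base, os.path.realpath(path)]) != base


def safe_log_path(base_dir, name):
    # Return the resolved path for name inside base_dir, or raise ValueError.
    if not name or "\x00" in name:
        raise ValueError("empty name or embedded NUL")
    # Treat backslashes as separators so Windows-style input is caught on any host.
    rel = name.replace("\\", "/")
    if rel.startswith("/") or (len(rel) > 1 and rel[1] == ":"):
        raise ValueError("absolute or drive-qualified path")
    base = os.path.realpath(base_dir)
    # realpath collapses ".." and follows symlinks before the containment test.
    candidate = os.path.realpath(os.path.join(base, rel))
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError("path resolves outside the log directory")
    return candidate


if __name__ == "__main__":
    log_dir = tempfile.mkdtemp(prefix="feedback-logs-")  # constructed directory
    samples = ["session/feedback.log", "../../../../etc/passwd",
               "..\\..\\outside.txt", "C:\\Windows\\win.ini"]  # constructed inputs
    for name in samples:
        # On POSIX the naive join treats the backslash forms as one file name;
        # on Windows the same strings traverse, which is why the check normalizes.
        naive = naive_log_path(log_dir, name)
        print(repr(name), "naive join escapes:", escapes_base(log_dir, naive))
        try:
            print("  accepted ->", safe_log_path(log_dir, name))
        except ValueError as err:
            print("  rejected:", err)
```

The file operation should use the resolved path that `safe_log_path` returns, not the original string, so the path that was checked is the path that is opened.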
Successful exploitation of this vulnerability requires user interaction. Attackers must trick a target user into visiting a specially crafted malicious webpage or opening a malicious file. Once this interaction occurs, the vulnerability can be leveraged, often in conjunction with other exploits, to achieve code execution with the current user's privileges.
The potential impact of this vulnerability is significant, as it can lead to remote code execution. This means an attacker could potentially take control of a user's machine, install malware, steal sensitive data, or disrupt system operations. The CVSS score of 7.5 indicates a high severity, reflecting the ease of exploitation and the potential for severe consequences.
Microsoft has acknowledged the vulnerability and has released an update to address it. Users are strongly advised to apply the latest security patches for Microsoft Edge to mitigate the risk of exploitation. Further details on the patch and its deployment can be found on Microsoft's Security Response Center (MSRC) update guide.
The vulnerability was discovered by Orange Tsai of the DEVCORE Research Team. ZDI coordinated the public release of the advisory on June 4th, 2026, following the standard disclosure timeline after reporting the issue to Microsoft on May 20th, 2026.
This discovery highlights the ongoing challenges in securing complex software like web browsers. Even with extensive security testing, subtle flaws in file handling and path validation can persist, providing avenues for attackers. The Pwn2Own competition, where this vulnerability was likely demonstrated, continues to be a crucial platform for uncovering such critical security weaknesses.
As with many browser vulnerabilities, the combination of a directory traversal flaw with the potential for remote code execution underscores the importance of keeping web browsers updated. Users should remain vigilant against phishing attempts and suspicious files, as these often serve as the initial vector for exploiting such browser-based vulnerabilities.