PatchSiren cyber security CVE debrief
CVE-2026-35429 Microsoft CVE debrief
A user interface misrepresentation vulnerability in Microsoft Edge for Android allows network-based attackers to perform spoofing attacks. The vulnerability, classified as CWE-451 (User Interface Misrepresentation of Critical Information), enables an unauthorized attacker to deceive users by presenting misleading interface elements over a network connection. Microsoft has addressed this issue in Edge for Android version 148.0.3967.55. The CVSS 3.1 score of 4.3 (Medium) reflects a network attack vector with low attack complexity, no privileges required, user interaction required, low confidentiality impact, and no integrity or availability impact. The vulnerability was published on May 12, 2026, and the NVD entry was last modified on May 18, 2026.
- Vendor: Microsoft
- Product: Microsoft Edge for Android
- CVSS: MEDIUM 4.3
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-12
- Original CVE updated: 2026-05-18
- Advisory published: 2026-05-12
- Advisory updated: 2026-05-18
Who should care
Organizations with mobile device management policies covering Android devices, security teams managing browser security configurations, and end users of Microsoft Edge on Android who may encounter spoofed interface elements on untrusted networks.
Technical summary
The vulnerability stems from improper handling of user interface rendering in Microsoft Edge for Android, allowing attackers to misrepresent critical information to users. This UI misrepresentation (CWE-451) can be exploited over a network without authentication, though it requires user interaction. The attack complexity is low, and successful exploitation results in limited information disclosure. The fix in version 148.0.3967.55 addresses the underlying UI rendering issue.
Defensive priority
medium
Recommended defensive actions
- Update Microsoft Edge for Android to version 148.0.3967.55 or later to remediate this spoofing vulnerability.
- Monitor Microsoft Security Response Center advisories for additional guidance on Edge for Android security updates.
- Educate users about verifying interface elements in mobile browsers, particularly when accessing sensitive sites over networks.
Evidence notes
The CPE criteria confirm the affected product as Microsoft Edge for Android, with versions prior to 148.0.3967.55 vulnerable. CVSS vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N. The weakness enumeration identifies CWE-451 as the primary weakness type.
Official resources
- CVE-2026-35429 CVE record (CVE.org)
- CVE-2026-35429 NVD detail (NVD)
- Source item URL (nvd_modified)
- Mitigation or vendor reference ([email protected] - Vendor Advisory)
Microsoft disclosed this vulnerability through its Security Response Center. The issue was analyzed and documented in the National Vulnerability Database with vendor advisory status.