PatchSiren

CVE-2026-45495 Microsoft CVE debrief

A remote code execution vulnerability in Microsoft Edge (Chromium-based) allows an attacker to execute arbitrary code on affected systems. The vulnerability is rated HIGH severity with a CVSS 3.1 score of 8.8, indicating significant risk due to network attack vector, low attack complexity, and no required privileges—though user interaction is required. The affected product is Microsoft Edge Chromium prior to version 148.0.3967.70. The vulnerability was published in the NVD on May 18, 2026, with subsequent modification on May 19, 2026. Microsoft has issued a vendor advisory addressing this issue. Organizations should prioritize updating Edge Chromium to version 148.0.3967.70 or later.

Vendor: Microsoft
Product: Microsoft Edge (Chromium-based)
CVSS: HIGH 8.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-18
Original CVE updated: 2026-05-26
Advisory published: 2026-05-18
Advisory updated: 2026-05-26

Who should care

Organizations using Microsoft Edge (Chromium-based) in enterprise environments, security teams responsible for browser security posture, and end users relying on Edge for web browsing should prioritize this update.

Technical summary

CVE-2026-45495 is a remote code execution vulnerability in Microsoft Edge (Chromium-based). The vulnerability can be triggered with user interaction and allows an unauthenticated attacker to execute arbitrary code with the privileges of the browser process. The CVSS 3.1 score of 8.8 reflects network accessibility, low complexity, and high impact to confidentiality, integrity, and availability. Root cause weaknesses include improper input validation (CWE-20), code injection (CWE-94), and memory safety issues (CWE-119). The fix version 148.0.3967.70 addresses this vulnerability.

Defensive priority

HIGH

Recommended defensive actions

  • Update Microsoft Edge (Chromium-based) to version 148.0.3967.70 or later
  • Verify automatic update settings are enabled for Edge
  • Review browser usage policies to ensure managed deployments receive security updates
  • Monitor Microsoft Security Response Center advisories for related security updates
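
To act on the first recommendation across a fleet, the following added example (not part of the original debrief or any Microsoft tooling) triages an inventory export against the fixed build 148.0.3967.70. The host names, the CSV column names and every version other than the fixed build are constructed sample data; the comparison is numeric per component, because a plain string comparison would rank 148.0.3967.8 above 148.0.3967.70.

```python
import csv
import io

# First fixed Edge build, taken from the advisory text above.
FIXED = (148, 0, 3967, 70)

# Constructed sample inventory export: hypothetical hosts, hypothetical column
# names, and made-up build numbers (only 148.0.3967.70 comes from the page).
SAMPLE_INVENTORY = """host,edge_version
ws-001,148.0.3967.70
ws-002,148.0.3967.8
ws-003,147.0.3912.98
ws-004,149.0.4001.12
ws-005,
ws-006,148.0.3967
kiosk-01,not installed
"""

def parse_version(text):
    """Return a 4-tuple of ints, or None if the field is not a full four-part build."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isascii() and p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)

def classify(version_text):
    """Compare component by component; unparseable values need manual follow-up."""
    version = parse_version(version_text)
    if version is None:
        return "unknown"
    return "patched" if version >= FIXED else "vulnerable"

def triage(inventory_csv):
    """Group hosts by status so missing or truncated data is never counted as patched."""
    results = {"patched": [], "vulnerable": [], "unknown": []}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        results[classify(row["edge_version"] or "")].append(row["host"])
    return results

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{status:10} {', '.join(hosts) or '-'}")
```

Hosts reported as unknown (empty, truncated or free-text version fields) should be re-inventoried rather than assumed safe.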

Evidence notes

CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. CWE classifications include CWE-20 (Improper Input Validation), CWE-94 (Improper Control of Generation of Code), and CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer). Affected versions: Edge Chromium before 148.0.3967.70.

Official resources

This vulnerability was disclosed through official channels with vendor coordination. Microsoft published guidance via their Security Response Center.