Microsoft has released security updates to fix a critical vulnerability in its Edge browser that could allow attackers to execute malicious code on a user’s system.
The vulnerability, tracked as CVE-2026-45495, has a CVSS severity score of 7.5 and was discovered by security researcher Orange Tsai from the DEVCORE Research Team. According to Microsoft’s advisory, the flaw could be exploited if a user is tricked into opening a specially crafted file or visiting a malicious webpage.
The security flaw is related to how Microsoft Edge handles feedback log files. Researchers found that Edge did not properly validate certain file paths before performing file operations. This weakness could allow an attacker to manipulate file handling behavior and potentially execute code on the victim’s machine.
The attack does require user interaction. This means attackers cannot automatically compromise systems over the internet. Instead, they would need to convince users to click a malicious link, open a crafted file, or download content from an untrusted source.
Although the vulnerability requires user interaction, it should not be underestimated. Modern cyberattacks often rely on social engineering rather than direct exploitation. Attackers frequently use phishing emails, fake software downloads, malicious advertisements, and compromised websites to trick users into performing actions that trigger vulnerabilities.
If successfully exploited, the attacker could execute code with the same permissions as the logged-in user.
Depending on the user’s privileges, this could allow attackers to:
- Steal sensitive data
- Access browser-stored information
- Install malware
- Establish persistence on the device
- Move laterally across networks in enterprise environments
The actual impact would depend on the security controls and user privileges available on the affected system.
Alongside CVE-2026-45495, Microsoft has also fixed two other vulnerabilities reported by the same research team. The first, CVE-2026-45494, is a medium-severity flaw that could allow cross-origin script injection through improper navigation handling. The second, CVE-2026-45492, affects cross-device managed sign-in and could expose restricted functionality if combined with other vulnerabilities.
Individually, these vulnerabilities are less severe. However, attackers often chain multiple weaknesses together to increase the chances of a successful attack.
The most concerning aspect of CVE-2026-45495 is its potential to be combined with other vulnerabilities. The flaw itself does not provide administrator-level access, but browser vulnerabilities are frequently used as an initial entry point. Once code execution is achieved, attackers can attempt privilege escalation, credential theft, or deploy additional malware.
The fact that the vulnerability involves file path validation is also notable. Path manipulation issues have historically been a common source of security problems because they can allow applications to access files or locations that developers never intended.
At the moment, Microsoft has not reported active exploitation of this vulnerability in the wild. However, now that details of the flaw are public, threat actors may begin analyzing the patch to develop working exploits.
This makes timely patching especially important.
Microsoft recommends updating Edge to the latest version immediately. Users should also be cautious when opening email attachments, downloading files from unknown sources, or clicking suspicious links. For businesses, security teams should ensure that Edge updates are deployed across all managed devices and monitor systems for unusual browser-related activity.
Related Posts
