Microsoft Edge users should immediately check their browser version. A critical vulnerability in the Chromium engine, tracked as CVE-2026-12439, has been patched in Microsoft’s June 2026 Edge update, but unpatched installations remain open to remote code execution attacks. The flaw resides in the V8 JavaScript engine used by Google Chrome and all Chromium-based browsers, including Microsoft Edge. Confusion around the vulnerability’s initial assignment to “Chrome” has left some Edge users unaware they are at risk.

Microsoft published CVE-2026-12439 in its Security Update Guide on June 15, 2026, a day after Google released a fix for Chrome. The same vulnerability was also addressed in Microsoft Edge version 126.0.2592.56, deployed via the browser’s automatic update system and through the Microsoft Update Catalog for enterprise environments. Despite the patch rollout, many users and IT administrators have been slow to verify their Edge version, mistakenly assuming the CVE applies only to Google Chrome.

What Is CVE-2026-12439?

CVE-2026-12439 is a zero-day vulnerability in the V8 JavaScript engine that allows attackers to execute arbitrary code on a victim’s machine. Rated 8.8 on the CVSS scale, it stems from a use-after-free memory management bug. An attacker can craft a malicious web page that, when visited in a vulnerable browser, triggers the flaw and gains the same privileges as the current user. This means if a user is logged in as an administrator, the attacker could take full control of the system.

Google’s Chrome security team discovered the bug in early June 2026 and privately reported it to the Chromium community. Because Chromium serves as the foundation for dozens of browsers—including Microsoft Edge, Brave, Opera, and Samsung Internet—the impact rippled across the ecosystem. Google’s advisory warned that exploitation had been detected in the wild, prompting an out-of-band patch for Chrome on June 14. Microsoft followed with an integrated Edge update the next day.

The Chromium Connection: Why Edge Is Affected

Microsoft Edge switched to the Chromium open-source project in January 2020, which means it shares roughly 95% of its code with Google Chrome. This includes the V8 engine, the Blink rendering engine, and many other components. When a security vulnerability is discovered in Chromium, it almost always affects Edge as well—a fact that occasionally causes confusion. CVE-2026-12439 was publicly assigned by the Chrome team, and the CVE entry initially listed only “Google Chrome” as the affected product. However, the Chromium codebase is maintained collectively, and Microsoft tracks all such flaws in its own Security Update Guide once the patch is integrated into Edge.

Microsoft Edge’s security team explained in a statement: “Edge is built on Chromium, and we share responsibility for disclosing vulnerabilities in that shared code. Customers should look for Microsoft-specific advisories, not just the Chrome name, when a new Chromium CVE surfaces.” The company updated the CVE-2026-12439 entry with a link to the Edge update and a confirmation that the browser versions listed below are protected.

Microsoft’s June 2026 Edge Update: What Changed

Microsoft released Edge build 126.0.2592.56 on June 15, 2026, for Windows, macOS, and Linux. This stable channel update incorporates the Chromium patch for CVE-2026-12439, along with other security fixes. The full list of changes is documented in the Edge release notes, but the primary fix is a backport of the V8 patch from Chromium’s commit log.

Edge’s automatic update mechanism should have already applied this update for most users, but several factors can delay installation: metered networks, group policies, or manually paused updates. Enterprise environments often test updates before deployment, potentially leaving endpoints exposed for days or weeks. Microsoft strongly recommends verifying the installed version and forcing an update if needed.

Affected and Patched Versions

| Browser | Affected Versions | Fixed Version |
|---|---|---|
| Microsoft Edge | All versions prior to 126.0.2592.56 | 126.0.2592.56 or later |
| Google Chrome | All versions prior to 126.0.6478.115 | 126.0.6478.115 or later |
| Other Chromium | Depends on vendor | Contact vendor |

How to Check Your Microsoft Edge Version

To see whether you’re protected:

  1. Open Microsoft Edge.
  2. Click the three-dot menu in the top-right corner, then select Settings.
  3. Scroll down and click About Microsoft Edge.
  4. The version number will appear on the screen. If it is 126.0.2592.56 or higher, you are safe. If it shows an older version, Edge will automatically check for updates and begin downloading the latest one.

Enterprise IT administrators can verify the installed version via System Center Configuration Manager (SCCM) or by running msedge.exe --version from a command prompt. For larger deployments, Microsoft’s Update Catalog provides the offline installer for Edge version 126.0.2592.56.

Beyond the Browser: WebView2 and Other Components

The reach of CVE-2026-12439 extends beyond the Edge browser. Any application that embeds web content using the WebView2 runtime—which also relies on Chromium—must be updated as well. WebView2 is commonly used by Microsoft 365 Apps, third-party software, and even Windows system components. Microsoft updated the WebView2 Runtime on the same day, but developers and IT administrators need to ensure that their applications are using the patched version.

Microsoft’s security advisory specifically notes: “If your application uses a fixed version of the WebView2 Runtime, you must redistribute the updated version (126.0.2592.56) to your users. Applications relying on the Evergreen distribution will be updated automatically.” Failing to patch WebView2 could leave an indirect attack vector open, where malicious content loaded inside an app—such as an email renderer—could trigger the exploit.
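For fleet-wide verification, the version table and the WebView2 requirement above can be turned into an inventory check. The script below is an added example, not Microsoft tooling: the CSV layout, host names, and sample version strings are constructed for illustration, and only the fixed-version thresholds come from this article. It compares versions numerically, because plain string comparison misorders builds such as 126.0.2592.9 and 126.0.2592.102.

```python
import csv
import io

# Fixed versions as stated in this article (Edge, fixed-version WebView2, Chrome).
FIXED = {
    "edge": (126, 0, 2592, 56),
    "webview2": (126, 0, 2592, 56),
    "chrome": (126, 0, 6478, 115),
}

def parse_version(text):
    """Parse 'a.b.c.d' into a tuple of ints; return None if malformed."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isascii() and p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)

def classify(product, version_text):
    """Return PATCHED, VULNERABLE, UNPARSEABLE or UNKNOWN_PRODUCT."""
    fixed = FIXED.get(product.strip().lower())
    if fixed is None:
        # Other Chromium browsers: the fixed version depends on the vendor.
        return "UNKNOWN_PRODUCT"
    version = parse_version(version_text)
    if version is None:
        # Treat missing or odd version data as needing follow-up, not as safe.
        return "UNPARSEABLE"
    # Tuple comparison is numeric per component, unlike string comparison.
    return "PATCHED" if version >= fixed else "VULNERABLE"

# Constructed sample inventory export (hypothetical hosts and versions).
SAMPLE_INVENTORY = """host,product,version
ws-001,Edge,126.0.2592.56
ws-002,Edge,126.0.2592.9
ws-003,Edge,126.0.2592.102
ws-004,WebView2,125.0.2535.92
ws-005,Chrome,126.0.6478.115
ws-006,Brave,1.67.119
ws-007,Edge,unknown
"""

def audit(csv_text):
    """Map each host in the CSV export to its patch status."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return {r["host"]: classify(r["product"], r["version"]) for r in rows}

if __name__ == "__main__":
    for host, status in audit(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

Hosts reported as UNKNOWN_PRODUCT or UNPARSEABLE need manual follow-up with the vendor or the endpoint; neither status means the host is patched.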

Why “Chrome” Wording Confuses Users

Since the inception of Edge on Chromium, security advisories have occasionally been misread. The Chromium vulnerability disclosure process issues a CVE with the label “Google Chrome” because Google’s security team manages the numbering authority for the project. Microsoft Edge is never explicitly listed in the initial CVE, but Microsoft later adds its own advisory. This can create a dangerous gap in awareness.

In the case of CVE-2026-12439, several online forums saw users asking whether they needed to worry if they “only use Edge, not Chrome.” The answer is an unequivocal yes. Edge isn’t just using Chrome’s rendering engine; it is essentially a customized Chrome installation with Microsoft branding, services, and additional features. When Chromium gets a security patch, Edge needs one too.

Microsoft’s Security Response Center (MSRC) encourages users to check the Microsoft Security Update Guide regularly for Edge-specific advisories, rather than relying solely on Chrome release notes. The company also publishes an RSS feed for Edge security updates.

The Wider Implications of Chromium Vulnerabilities

CVE-2026-12439 is the third critical Chromium vulnerability to affect Edge in 2026, following CVE-2026-11025 (a sandbox escape) in April and CVE-2026-09872 (a font rendering bug) in February. The frequency underscores the challenge of maintaining a browser based on open-source code that is constantly being audited by researchers and attackers alike. Google’s Bug Bounty Program and Microsoft’s internal security testing have matured, but adversaries continue to find gaps.

For enterprises, each new vulnerability demands a rapid response: testing updates, deploying them across thousands of endpoints, and communicating with users. Microsoft offers tools like Windows Update for Business and Autopatch to streamline the process, but many organizations still maintain cautious rollout schedules. The risk is that a cautious schedule might leave a window of exposure if a zero-day is being actively exploited.

In response to this incident, Microsoft announced it will accelerate the integration of Chromium security patches by adopting a continuous delivery model for critical vulnerabilities. Under the new “Critical Patch Express” initiative, Edge will share patch development timelines with Chrome, potentially closing the gap between the Chrome fix and the Edge stable release from days to hours.

How Attackers Exploit CVE-2026-12439

Security researchers at Kaspersky and CrowdStrike reported seeing exploit attempts against this vulnerability in the wild as early as June 10, 2026, days before it was publicly disclosed. The attacks typically came as phishing emails with links to malicious websites. Once a user clicks the link, the page runs malicious JavaScript that triggers the use-after-free bug, shellcode is executed, and a backdoor is installed.

One variant of the attack targeted cryptocurrency wallet extensions, attempting to steal private keys and seed phrases directly from the browser’s memory. Another campaign used the exploit to download ransomware onto corporate networks. Because the attack payload runs inside the browser’s sandbox initially, the exploit often chains with a second bug to escape the sandbox. CVE-2026-12439 alone does not bypass the sandbox, but combined with a sandbox escape, it becomes a potent threat.

Microsoft’s Defender antivirus and SmartScreen have been updated to block known exploit domains and payload patterns, but users must still install the browser patch to be fully protected. The company advises users to enable all reputation-based protection features in Edge, including potentially unwanted application (PUA) blocking and typosquatting checks.

Steps to Take Now

  • Update Edge immediately: Regardless of whether you use Edge as your primary browser, ensure it’s updated to at least version 126.0.2592.56. Even if Chrome is your main browser, an unpatched Edge installation is still an exploitable entry point on the machine.
  • Enable automatic updates: In Edge settings, under System, ensure “Update Microsoft Edge” is turned on and not restricted by policy.
  • Check WebView2: If you are a developer or IT admin, verify that WebView2 Runtime in your environment is updated. Microsoft provides a troubleshooting tool to scan for outdated versions.
  • Educate users: Remind staff that any browser based on Chromium can be vulnerable, regardless of the brand name. Share the Microsoft advisory and show them how to check their version.
  • Monitor detection systems: Ensure your endpoint detection and response (EDR) tools are ingesting the indicators of compromise (IOCs) related to CVE-2026-12439. Microsoft has published a list of hashes and domains in the Security Update Guide.

The Bigger Picture: A Shared Security Responsibility

The Chromium project has successfully unified browser development, but it also concentrates risk. A single bug in V8 or Blink can affect billions of devices worldwide. Microsoft, Google, and others participate in the Chromium vulnerability rewards program and contribute to fuzzing and hardening efforts. Yet, the shared responsibility model can lead to confusion at the user level when advisories are labeled with one brand.

CVE-2026-12439 will not be the last time this happens. Microsoft is working with the Chromium team to improve cross-referencing in CVE descriptions so that all affected browsers are clearly listed. In the interim, the lesson is clear: check your Microsoft Edge version number, not just the “Chrome” name in a CVE. A few seconds of verification can prevent a catastrophic breach.