Microsoft has officially acknowledged CVE-2026-12461, a security flaw in the WebRTC component of Chromium that puts Microsoft Edge users at risk. The company documented the vulnerability in its Security Update Guide on June 17, 2026, confirming that Edge inherits the bug from the underlying Chromium engine. WebRTC enables real-time video and voice communication inside browsers without plugins, making it a ubiquitous feature for apps like Microsoft Teams, Google Meet, and countless video-calling sites. Attackers who successfully exploit this flaw could execute arbitrary code, crash the browser, or exfiltrate sensitive data, depending on how the bug manifests.

The vulnerability traces back to a memory corruption issue in Chromium’s WebRTC stack. While specific technical details remain under embargo to give users time to patch, such bugs often involve use-after-free or out-of-bounds write conditions triggered during the setup, negotiation, or teardown of peer connections. A remote attacker might lure a victim to a malicious website or inject malicious JavaScript into a legitimate page to trigger the flaw. Because Edge is built on Chromium, any flaw in that codebase automatically places Edge users in the line of fire. Microsoft’s advisory classifies the severity as Critical, and it affects all supported versions of Edge on Windows, macOS, and Linux.

Microsoft released a patch for this vulnerability in the June 2026 Edge update, aligned with the Chromium Project’s own fix. The stable channel update—version 126.0.2592.56 or later—closes the hole. Edge typically applies updates silently in the background, but enterprise administrators and security-conscious users should verify that the update has landed. Open Edge, navigate to edge://settings/help, and confirm that the version number matches or exceeds 126.0.2592.56. If it doesn’t, trigger a manual check for updates. The standalone installer, available from the Edge website, already includes the fix, and the Microsoft Update Catalog also offers the updated MSI for managed environments.

The flaw’s impact goes beyond code execution. WebRTC vulnerabilities can also expose a user’s real IP address, bypassing VPNs or proxy configurations. Even if an exploit doesn’t lead to a full system compromise, a leak of network topology gives attackers a foothold for further targeted attacks. With remote work and virtual meetings now an everyday reality, a weaponized WebRTC bug could let an attacker eavesdrop on conversations, inject fake video streams, or pivot to corporate networks. The urgency to patch, therefore, cannot be overstated.

Microsoft’s documentation for CVE-2026-12461 lists Edge as the only affected Microsoft product, but any Chromium-based browser—Chrome, Brave, Vivaldi, Opera, and others—shares the same risk. Google released a Chrome update the same day, and other vendors quickly followed. This coordinated disclosure underscores the industry-wide acknowledgment of the threat. Users who run multiple Chromium-based browsers should update each one individually; the patch isn’t shared across applications.

For IT administrators, detection becomes trickier. Simply knowing that Edge version 126.0.2592.56 is present isn’t enough if users haven’t restarted the browser. Edge uses a background update service, but the browser must be restarted for the update to take effect. Administrators can enforce restarts via Group Policy or through Microsoft Intune policies. Organizations using Microsoft 365 Apps for enterprise should note that the update ships through the normal Office click-to-run channel as well. The CVE entry’s public release on June 17 also means that exploit code may soon surface—if it hasn’t already—on underground forums. Past experience with Chromium RCEs shows that reliable weaponization often follows within 48 hours of disclosure.

Users concerned about exposure can check WebRTC leak test sites to see if their IP addresses are leaking, but a clean test doesn’t guarantee the patch is present. The only certain verification is the version number. Moreover, users should look for Edge’s “Managed by your organization” indicator, which can appear if anti-virus software or corporate policies delay updates. If the indicator is present and the browser is not updating, contact the IT department.

Microsoft’s advisory follows an unusual timeline. The Chromium bug was originally reported through Google’s Vulnerability Reward Program on May 8, 2026. Google’s security team worked with the researcher to develop a fix, and the patch landed in Chromium’s main branch on June 10. Typically, Microsoft forks the Chromium release and integrates the fix within a few days. The June 17 documentation date suggests that Microsoft publicly acknowledged the vulnerability only after the stable channel release on June 16. The company doesn’t pre-announce patches for vulnerabilities that are under active exploitation, but in this case there’s no evidence of in-the-wild attacks yet.

The broader context for Edge security has improved since the switch to Chromium in 2020. Microsoft now benefits from the same rapid patching cadence that Chrome enjoys, with major updates every four weeks and emergency out-of-band fixes when needed. The integration with Microsoft’s SmartScreen and Defender Application Guard adds layers of protection, but they don’t eliminate the need for prompt updates. In fact, the complex interaction between Edge and the underlying OS can create delays. Windows Server 2019 and Windows 10 LTSC editions sometimes receive Edge updates on a slightly different schedule due to enterprise validation requirements.

For the average consumer, the advice is simple: type edge://settings/help, press Enter, and make sure the version string says 126.0.2592.56 or higher. If it doesn’t, allow Edge to download and install the latest update, then restart the browser. This single step closes the door on CVE-2026-12461. While WebRTC remains a critical piece of browser infrastructure, the days of plugin-based communication are long gone. Modern browsers embed these rich media capabilities directly, and with them comes a larger attack surface. Staying current with patches is the only reliable defense.

Microsoft has also made available a PowerShell script for enterprise customers to audit Edge versions across their fleet. The script queries remote machines and reports any browser build older than 126.0.2592.56. Security teams should run this audit immediately. The CVE describes the impact as “Remote Code Execution,” the most severe category. Even if a full exploit requires user interaction—like clicking a link or visiting a site—the consequences of a successful attack range from ransomware deployment to credential theft.
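
The two conditions an audit has to separate, a build older than 126.0.2592.56 and a fixed build that is installed while an older browser process is still running, can be checked on a single Windows machine as follows. This is an added example, not Microsoft's audit script; the function name, the default system-wide install directory and reading the installed build from the versioned folder name are assumptions.

```powershell
# Added example: local Edge patch-state check (not Microsoft's audit script).
# Assumption: system-wide install in the default directory; pass -AppDir otherwise.
function Get-EdgePatchState {
    param(
        [string]$MinVersion = '126.0.2592.56',   # fixed build named in the article
        [string]$AppDir = "${env:ProgramFiles(x86)}\Microsoft\Edge\Application"
    )
    $min = [version]$MinVersion   # [version] compares field by field, not as text

    # Installed build: highest versioned sub-folder under the application directory.
    $installed = Get-ChildItem -Path $AppDir -Directory -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -match '^\d+(\.\d+){3}$' } |
        ForEach-Object { [version]$_.Name } |
        Sort-Object -Descending |
        Select-Object -First 1

    # Running builds: version resource of each msedge.exe that is still executing.
    # Processes of other users expose no Path without elevation and are skipped.
    $running = @(Get-Process -Name msedge -ErrorAction SilentlyContinue |
        Where-Object { $_.Path } |
        ForEach-Object {
            [System.Diagnostics.FileVersionInfo]::GetVersionInfo($_.Path).ProductVersion -as [version]
        } |
        Where-Object { $_ } |
        Sort-Object -Unique)

    # Classify: old install, fixed install with an old process alive, or fully patched.
    if (-not $installed) { $state = 'NotInstalled' }
    elseif ($installed -lt $min) { $state = 'Vulnerable' }
    elseif ($running | Where-Object { $_ -lt $min }) { $state = 'RestartPending' }
    else { $state = 'Patched' }

    [pscustomobject]@{
        Computer   = $env:COMPUTERNAME
        Installed  = $installed
        Running    = $running -join ', '
        MinVersion = $min
        State      = $state
    }
}

Get-EdgePatchState
```

Run it elevated so that Edge processes belonging to other logged-on users are included in the `Running` column.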

This incident also highlights the importance of WebAssembly and WebRTC security audits in general. Researchers have long warned that real-time communication APIs process a vast amount of untrusted input—network packets, media streams, signaling data—from potentially malicious endpoints. Memory-safe languages like Rust are slowly creeping into Chromium, but the bulk of the WebRTC stack remains in C++, and human review can miss corner cases. Google’s fuzzing infrastructure, ClusterFuzz, caught this particular bug after thousands of iterations, but the time from discovery to public fix still leaves a window of risk.

Edge users who rely on extensions for enhanced security should note that no extension can block a core WebRTC vulnerability. Features like WebRTC leak shield in VPN extensions only block IP leakage, not code execution. The only mitigation is the code-level patch. As a temporary measure, organizations could disable WebRTC entirely via Group Policy until patching is complete. The policy “DefaultWebRTCUdpPortRange” can be set to restrict ports, but this may break legitimate applications. The recommended path is to apply the update and restart Edge.

Looking forward, the Edge security model will continue to evolve. Microsoft’s upcoming “Super Duper Secure Mode” for Edge, which aims to reduce JIT-related attack surface, doesn’t apply here because the bug is in the networking stack, not the JavaScript engine. However, layered defenses such as Control-flow Enforcement Technology (CET) and Windows Defender Exploit Guard can make ROP chain construction harder, potentially stopping some exploits even on unpatched browsers. Still, these are probabilistic defenses, not a substitute for the actual fix.

Users and administrators should also register for Microsoft’s security notifications to receive early warnings about future Edge vulnerabilities. The timeline from patch release to widespread exploitation is shrinking. In 2024, a similar Chromium WebRTC zero-day was weaponized within hours. The only saving grace may be that Edge holds a smaller market share than Chrome, making it a less attractive target for mass-exploit kits. But targeted attacks against corporations often use Edge precisely because it’s preinstalled on millions of Windows machines and many users ignore its updates.

In summary, CVE-2026-12461 is a critical, remote-code-execution-level bug in the WebRTC code of Chromium-based browsers. Microsoft Edge, built on Chromium, is fully affected. A patch has been issued and integrated into Edge version 126.0.2592.56 or later. Verification takes seconds: open edge://settings/help and check the version. For businesses, auditing the enterprise fleet is urgent. The vulnerability’s potential for IP leakage, combined with remote code execution, makes this a high-priority update. Apply the patch, restart the browser, and resume normal activities with confidence.