Microsoft has published an advisory detailing a high-severity remote code execution (RCE) flaw in its Chromium-based Edge browser, assigning it CVE-2026-58292. The company urges all Edge users to install update 150.0.4078.48, released on July 3, 2026, to close the vulnerability. While technical specifics remain sparse, the “high severity” label signals that swift patching is critical—attackers could exploit this bug to run arbitrary code on your system simply by luring you to a malicious website.
What We Know About CVE-2026-58292
The advisory, published by Microsoft on July 3, fixes a vulnerability that could allow remote code execution inside the browser’s sandbox under the right conditions. As with most Edge RCEs, exploitation likely requires a user to visit a specially crafted page, but once triggered, the flaw could let an attacker install programs, view or change data, or create new accounts with the existing user’s rights. The CVSS score—a standard severity metric—has not been publicly disclosed, but Microsoft’s “high” rating puts it above 7.0 on the 10-point scale.
Microsoft has not reported any active attacks exploiting this vulnerability in the wild, and the advisory lacks deeper technical details, which is typical when a patch first lands and the company wants to give users time to update before revealing exploit specifics. What we do know is that Edge Stable build 150.0.4078.48 contains the fix; earlier versions are susceptible. Because Microsoft Edge is built on Google’s open-source Chromium engine, this CVE almost certainly mirrors an upstream Chromium security fix that Google shipped just days earlier, as is the norm with cross-browser vulnerabilities.
What This Means for You
The risk varies depending on how you use Microsoft Edge, but the recommendation is universal: update immediately. Here’s how it breaks down by audience.
Home users: If you use Edge as your everyday browser, the built-in update mechanism has probably already kicked in. However, you may need to restart the browser to complete the process. To confirm, type edge://settings/help in the address bar. If you see version 150.0.4078.48 or higher, you’re safe. If not, let the updater run and hit “Restart” when prompted. No additional action is needed—Edge handles updates silently without requiring Windows Update.
IT administrators: Enterprises with managed endpoints need to roll out this build to all machines as soon as possible. Microsoft Edge updates are typically deployed through standard software distribution tools like Microsoft Intune, Configuration Manager, or group policies. If you’ve set Edge to update automatically via policies, verify that devices have picked up the new version. For organizations that stage updates through testing rings, consider accelerating deployment given the severity. Also, note that Edge 150 is the latest stable channel release, so skipping it means leaving endpoints open to a known RCE.
Developers and power users: If you embed Edge WebView2 in your applications, you must update the WebView2 Runtime to the version that corresponds to this fix, which is typically synchronized with the browser channel. Check the WebView2 release notes for version 150.0.4078.48 or later to ensure your apps aren’t leaking this vulnerability into your customers’ environments.
The Path to This Update
Microsoft Edge’s version number jumped to 150 relatively recently, part of a rapid cadence that mirrors Chrome’s own four-week major release schedule. The July 3 advisory didn’t fall on a traditional Patch Tuesday, which underscores that Edge security fixes follow a different, often faster timetable than the operating system patches many administrators expect on the second Tuesday of each month.
Behind the scenes, because Edge shares the Chromium codebase, a single vulnerability can affect multiple browsers. When Google fixes a bug in Chromium, Microsoft often pulls that patch into Edge within a day or two, then publishes its own CVE. However, not every Chromium fix gets a separate Microsoft advisory; the company issues a CVE only when the vulnerability is judged serious enough, or when it requires coordinated disclosure. CVE-2026-58292’s existence suggests a flaw that, while patched upstream, warranted its own spotlight for Edge users.
Historically, RCE vulnerabilities in browsers have been highly prized by attackers because they can bypass the browser’s sandbox and execute code directly on the operating system. Modern browsers isolate processes to limit damage, but sandbox escapes—or clever combinations of vulnerabilities—can turn a single click into a system compromise. That’s why any high-severity RCE demands immediate attention.
How to Secure Your Browser Now
Updating Edge is straightforward, but delays happen. Here’s exactly what to do.
- Check your current version: Open Edge, click the three-dot menu (or press Alt+F), go to “Help and feedback” > “About Microsoft Edge.” The browser will immediately check for updates and display the current version.
- Let the updater run: If you’re not on 150.0.4078.48 or later, the updater will download the latest build automatically. You’ll see a progress bar.
- Restart Edge: Once downloaded, the “Restart” button appears. Click it. Edge will close and reopen with all your tabs restored (if you’ve configured it to do so).
- Verify: After restart, revisit the “About” page to confirm the version string.
For multiple machines, IT teams can use these steps:
- Via Intune: Push the latest Edge ADMX templates and ensure the update policy is set to “Always allow updates (recommended).” Monitor the update compliance dashboard.
- Via Configuration Manager: Deploy the Edge installer package for the stable channel; the latest version is available from the Microsoft Edge for Business download portal.
- For isolated environments: If you manage air-gapped systems, download the offline installer (MSI) for version 150.0.4078.48 from the Microsoft Edge for Business page and distribute it manually.
Additionally, consider enabling operating system-level mitigations like Windows Defender Application Guard (WDAG) for untrusted sites, which opens suspicious pages in a virtualized container. But these are layers, not replacements—the patch is the definitive fix.
What’s Next
Expect Microsoft to eventually update the advisory with more technical details and possibly a CVSS vector, which will give defenders a clearer picture of the attack surface. If proof-of-concept code emerges—as often happens with RCEs in high-profile browsers—the urgency to patch will spike. In the meantime, treat this update as non-negotiable. Even without known active exploits, a high-severity RCE in a browser is a race condition waiting to be lost.