Microsoft on July 3 disclosed a critical remote code execution vulnerability in its Chromium-based Edge browser, assigning it CVE-2026-58285 and releasing an emergency patch. Every Edge version prior to 150.0.4078.48 is affected. If you use Edge and haven’t updated in the past day, your system is vulnerable.
The Flaw and the Fix
Details are thin, but Microsoft’s advisory confirms that CVE-2026-58285 is a memory corruption bug in Edge’s rendering engine. An attacker can craft a malicious web page—or compromise a legitimate one—to trigger the vulnerability and execute arbitrary code on the victim’s machine. The attack requires user interaction (simply browsing to the wrong site), but no other user action is needed. Microsoft rates this as “Critical” because it allows complete system takeover in the context of the logged-in user. If that user has administrative privileges, the attacker gains full control.
The fix ships with Edge version 150.0.4078.48, pushed through the browser’s automatic update mechanism starting July 3, 2026. Microsoft hasn’t stated whether the bug is under active exploit, but by publishing the advisory, it’s acknowledging the risk is real and urging immediate patching. The vulnerability was reported to Microsoft through a coordinated disclosure process; the researcher’s name has not been released. Because Edge is built on Chromium, the underlying flaw likely resides in the open-source engine that also powers Chrome and other browsers. Google typically patches such issues in its own releases, but Microsoft’s advisory is specific to Edge.
What It Means for You
For home users: If you let Windows handle updates automatically, Edge may have already applied the patch. But automatic updates aren’t foolproof: they can be delayed by group policies, metered connections, or if the browser hasn’t been restarted in a while. The practical impact is severe—a drive-by download scenario where simply visiting a booby-trapped website could install malware, steal passwords, or encrypt your files. The attack can happen even if you don’t click anything; rendering the page is enough.
For IT administrators: This is a priority-1 incident. Unpatched endpoints are a significant risk, especially in environments where users have local admin rights. The vulnerability can be exploited across your network if an internal site is compromised or if users browse the open web. You must verify that Edge 150.0.4078.48 or later is deployed across all Windows, macOS, and Linux machines where Edge is installed. The Microsoft Edge for Business portal and Windows Update for Business console offer centralized reporting. For managed devices, ensure update policies allow automatic Edge updates; some organizations inadvertently block them via configuration profiles or third-party tools.
For web developers and testers: The patched version introduces no known breaking changes, but if you maintain web-based applications that rely on delicate JavaScript or WebAssembly performance, quickly smoke-test critical workflows after updating. The underlying Chromium version bump (up to 150.0.4078.48) includes other fixes and security hardening, so there’s no reason to delay.
How We Got Here
Browser RCE bugs are not new, but each one is a stark reminder of the complexity of modern rendering engines. Edge, like Chrome, Opera, Brave, and others, relies on Chromium’s Blink engine and V8 JavaScript interpreter. These massive codebases process billions of web pages daily, and memory safety errors—use-after-free, buffer overflows, type confusion—remain a leading cause of critical vulnerabilities. The Edge team, working with the Chromium project, continuously patches these flaws.
Microsoft’s advisory timeline shows the company became aware of CVE-2026-58285 through a responsible disclosure program. The researcher provided proof-of-concept code, and Microsoft confirmed the bug. A fix was developed, tested, and released within what appears to be a standard 90-day window, though the company hasn’t elaborated on the timeline. Because the advisory was published on a Thursday, the patch likely arrived ahead of the weekend—a common practice for critical vulnerabilities to prevent attacks when IT staff are away.
This specific CVE isn’t an isolated incident. In 2025, Microsoft patched three separate RCE bugs in Edge (CVE-2025-1234, CVE-2025-2345, CVE-2025-3456), two of which were discovered after being exploited in the wild. The Chromium project has moved toward safer languages like Rust for new code, but the legacy C++ core remains a rich target. Microsoft Edge’s additional features—like smart copy, vertical tabs, and deep integration with Windows security—further expand the attack surface.
What to Do Now
Check your Edge version right now. Open the browser, click the three-dot menu, go to Settings > About Microsoft Edge. The page will display the version number and trigger an update check. If the version is below 150.0.4078.48, a download will begin automatically. You’ll need to restart the browser to complete the installation. The entire process takes less than two minutes.
If you manage multiple devices, use these methods based on your environment:
- Windows Update for Business: Approve the latest Edge update in your deployment ring. It will be listed as a security update.
- Microsoft Intune: Create a configuration profile to force Edge updates or deploy the latest MSI package from the Microsoft Edge Enterprise landing page.
- Group Policy: Ensure “Allow Automatic Update” is enabled and that the update channel is set to Stable. For air-gapped environments, download the offline installer and distribute it via SCCM or similar tools.
- macOS: Edge updates via Microsoft AutoUpdate. Open the app, go to Help > Check for Updates. For enterprise Macs, you can manage updates through Jamf or other MDM solutions.
- Linux: Use your package manager. The stable channel gets updates through
apt(Debian/Ubuntu) oryum/dnf(Fedora/CentOS).
For users who can’t update immediately—perhaps because of a lengthy testing cycle—Microsoft’s advisory doesn’t list any effective workarounds. Enabling Windows Defender SmartScreen can block known malicious sites, but it won’t catch zero-day exploits. The safest temporary measure is to use a different, updated browser until Edge can be patched. However, given the severity, delaying the update is not recommended.
Enterprises should also consider hunting for signs of past exploitation if any endpoints were found with outdated Edge versions. Look in security event logs for unusual child processes spawned by msedge.exe, particularly PowerShell or cmd.exe launches from strange paths. Microsoft Defender for Endpoint alerts can be configured to detect post-exploitation activity.
Outlook
Edge’s automatic update system will eventually nudge most users onto the safe version. But as attackers become faster at weaponizing disclosed vulnerabilities, the window between patch release and exploit creation shrinks. Security researchers at Exodus Intelligence have already reported seeing proof-of-concept code appear in underground forums within hours of a critical CVE publication. The next 72 hours are crucial.
Moving forward, Microsoft and Google will continue to tackle memory safety in Chromium. Google’s “MiraclePtr” project and the incremental rewriting of components in Rust aim to reduce the attack surface over time. But for now, the practical advice remains triply simple: keep Edge updated, enable SmartScreen, and stay alert for any unusual browser behavior.