Microsoft released an urgent security update for its Edge browser on Android on July 3, 2026, fixing an important vulnerability that could allow attackers to access sensitive information stored on a victim’s device. The flaw, tracked as CVE-2026-58522, affects all versions of Edge for Android prior to 150.0.4078.48 and is classified as an information disclosure bug.
Microsoft disclosed the vulnerability in a security advisory the same day, urging users to update immediately. The company rated it as “Important,” the second-highest severity level in its classification system, indicating a significant but not critical risk. No evidence suggests the flaw has been exploited in the wild yet, but the potential impact makes patching a priority.
What Actually Changed
The core issue lies in how Microsoft Edge for Android handles locally stored data. According to the advisory, an attacker who successfully exploited this vulnerability could access information that the browser should keep private. Microsoft has not released technical details, a standard practice to prevent attackers from reverse-engineering the flaw before users have time to patch.
CVE-2026-58522 is specifically a local information disclosure vulnerability. That means an attacker needs some level of access to your device—either through a malicious app installed on the same phone, physical possession of the unlocked device, or by chaining it with another exploit that grants code execution. Remote exploitation without local access is not possible from what we know so far.
Edge version 150.0.4078.48 for Android includes the fix. This update landed in the Google Play Store on July 3, 2026. The version number may vary slightly depending on your device architecture, but any build at or above 150.0.4078.48 contains the patch.
Microsoft has not assigned a CVSS score publicly, but given the “Important” rating and local attack vector, it likely falls in the 7.0–8.0 range. The company typically withholds such details for 30 days or until most users have updated.
What It Means for You
For Everyday Users
If you use Microsoft Edge on an Android phone or tablet, your saved passwords, autofill data, browsing history, cookies, and possibly cached files could be at risk. A rogue app with minimal permissions might read this data without your knowledge, harvesting credentials or personal information that could lead to identity theft or account takeovers.
Because the vulnerability requires local access, the most common real-world scenario is a malicious app slipping through Google Play’s vetting. Even an app that seems harmless—like a flashlight or photo editor—could silently exploit this flaw if it has been granted basic storage permissions. Android’s sandboxing is supposed to prevent apps from accessing each other’s private directories, but this Edge bug likely broke those boundaries.
Physically stolen devices are another concern. If someone gains access to your unlocked phone, they could extract sensitive browser data without needing your Android password, making it a lower bar for data theft.
For IT Administrators and Enterprise Environments
Enterprises that manage mobile devices through Intune or other MDM solutions should push the Edge update immediately. Users who have not updated their browsers become a compliance risk, especially if they access corporate resources like SharePoint, Office 365, or internal web apps through Edge.
Many organizations enforce conditional access policies that block outdated browsers. This patch should be flagged as a required update in your MDM console. Check the minimum Edge version in your compliance policies and update it to 150.0.4078.48 or higher.
If your workforce uses personally-owned devices in a BYOD scenario, communicate the urgency clearly. Provide step-by-step instructions for checking the Edge version and applying the update from the Play Store. Consider a one-time quarantine of devices running older Edge versions until they’re patched.
For Developers
Web developers testing progressive web apps or browser features on Android should update their test devices. If you have automated testing scripts that rely on specific Edge versions, update your baseline to 150.0.4078.48 to ensure you’re working against a secure build. The nature of the bug might affect how local storage or cookies are accessed, so regressions are unlikely but worth testing.
How We Got Here
Microsoft Edge for Android has been a steady performer since its 2017 launch, often flying under the radar compared to Chrome. But as a Chromium-based browser, it shares much of the same codebase as Google Chrome. In fact, many vulnerabilities fixed in Edge for Android are Chromium bugs that also affect Chrome. However, CVE-2026-58522 appears to be specific to Edge, as no corresponding Chrome CVE was reported on the same day.
This isn’t the first local information disclosure flaw in a mobile browser. In 2024, Samsung Internet patched a similar issue that allowed apps to read browser bookmarks and history (CVE-2024-32902). In early 2025, Firefox for Android fixed two local information leaks in the same year. The pattern shows that browser sandboxing on mobile remains a challenging problem, especially when device manufacturers and app developers push the limits of inter-app communication.
Microsoft’s approach to disclosing this vulnerability is measured. By releasing only a high-level description, they give the technical community a heads-up without arming attackers with precise exploitation methods. The 150.0.4078.48 build string aligns with Edge’s predictable four-part versioning: major version, minor, build, and patch revision. The jump to version 150 suggests this might be a larger release cycle, but the emergency nature of the fix indicates it was slipped into a scheduled update or shipped as a hotfix.
The fact that it’s classified as Important rather than Critical tells us that while the impact could be serious, the attack prerequisites are substantial. An attacker must either socially engineer the victim into installing a companion app or have physical access. That lowers the overall risk compared to a remote code execution bug that requires no user interaction.
What to Do Now
The fix is straightforward: update Microsoft Edge on your Android device to version 150.0.4078.48 or later.
Step-by-Step Update Instructions
- Open Google Play Store on your Android device.
- Tap your profile icon and select “Manage apps & device.”
- Under “Updates available,” look for Microsoft Edge.
- Tap Update next to Edge, or tap “Update all” to install all pending updates.
- After the update completes, you can verify the version by opening Edge, tapping the three-dot menu, and going to Settings > About Microsoft Edge. The version should read 150.0.4078.48 or higher.
If you have automatic updates enabled, the patch may already be installed. But don’t assume—confirm manually. Android’s Play Store sometimes delays automatic updates based on network settings or battery level.
For Users Who Can’t Update Immediately
If you’re in a situation where updating isn’t possible (e.g., managed device awaiting policy change, or limited connectivity), minimize risk by:
- Uninstalling any unfamiliar or untrusted apps from your device.
- Avoiding granting storage permissions to apps that don’t need them.
- Locking your device immediately when not in use.
- Not leaving your phone unlocked in public places.
These measures reduce the chance of local access but are not a substitute for patching.
For IT Administrators
Check MDM policies: Ensure your mobile device compliance rules require the latest Edge version.
Push notifications: Send a custom notification via your management portal or email to all Android users with a direct link to the Play Store listing.
Monitor dashboards: Watch your integration reports to see which devices have been updated; follow up with users who lag behind.
Temporary access blocks: If your environment allows, configure conditional access to block sign-ins from Edge versions older than 150.0.4078.48 until the update is applied.
If you use Microsoft Defender for Endpoint on Android, this CVE should appear in your risk dashboard as a disclosed vulnerability affecting managed devices. Prioritize remediation accordingly.
Outlook
Microsoft has historically been quick to patch mobile browser flaws, and this one is no exception. The next few weeks will bring the usual wave of users updating automatically, but the long tail of unpatched devices could linger for months. We’ll be watching for any in-the-wild exploitation reports. If attackers start targeting this CVE, expect Microsoft to release a more detailed analysis and possibly a detection script for enterprises.
In the broader mobile security landscape, local information disclosure bugs are a persistent thorn. As browsers store more sensitive data—passwords, payment methods, biometric tokens—they become increasingly lucrative targets. This latest Edge patch underscores the importance of not ignoring “Important” rated vulnerabilities; the real-world impact can be severe.
Stay ahead by enabling automatic updates, periodically auditing installed apps on your mobile devices, and keeping an eye on Microsoft’s Security Update Guide for future disclosures. Your browser is the window to your digital life, and a cracked pane lets in more than cold air.