Microsoft has disclosed a new security vulnerability in Microsoft Edge (Chromium-based) that could allow a remote attacker to execute arbitrary code on affected systems.
CVE-2026-57992 is classified as a critical Use-After-Free vulnerability affecting Microsoft Edge’s Chromium engine.
The flaw allows an unauthorized attacker to execute code over a network by tricking a user into visiting a specially crafted webpage.
The attack vector is network-based, requires user interaction, and has a high attack complexity.
The high attack complexity rating means successful exploitation isn’t trivial.
Microsoft has disclosed a new security vulnerability in Microsoft Edge (Chromium-based) that could allow a remote attacker to execute arbitrary code on affected systems.
Tracked as CVE-2026-57992, the flaw stems from a Use-After-Free (UAF) memory corruption issue and carries a CVSS score of 7.5 (High). As of publication, there is no available patch or public proof-of-concept exploit.
CVE-2026-57992 is classified as a critical Use-After-Free vulnerability affecting Microsoft Edge’s Chromium engine. The flaw allows an unauthorized attacker to execute code over a network by tricking a user into visiting a specially crafted webpage.
The attack vector is network-based, requires user interaction, and has a high attack complexity.
The high attack complexity rating means successful exploitation isn’t trivial. An attacker must craft deceptive or invisible form elements on a malicious page and rely on the victim to perform two sequential tap gestures that inadvertently trigger Edge’s autofill functionality, thereby activating the memory corruption chain.
Exploitation occurs when an attacker hosts a specially crafted website that triggers the UAF condition in Edge’s rendering engine.
Since attackers cannot force users to visit malicious content, they typically rely on social engineering, luring victims through phishing emails, instant messages, or malicious email attachments that direct them to the attacker-controlled page.
For exploitation to succeed, the victim must:
Visit the attacker-controlled webpage.
Perform two tap gestures that activate the autofill mechanism, triggering the use-after-free condition.
This interaction requirement lowers the real-world risk somewhat, since the attack cannot be executed passively or without victim engagement.
Affected Versions
Microsoft Edge Version Date Released Based on Chromium Version 150.0.4078.48 07/03/2026 150.0.7871.47
If successfully exploited, CVE-2026-57992 could lead to full system compromise, giving attackers the ability to execute arbitrary code within the context of the browser process. This could serve as an entry point for further lateral movement, data exfiltration, or payload deployment depending on the attacker’s objectives.
Mitigations
Since no official patch is currently available, organizations and users should:
Monitor Microsoft’s Security Response Center (MSRC) for patch releases
Educate users on avoiding suspicious links and attachments
Enable browser security features like Enhanced Security Mode where feasible
Restrict autofill functionality in enterprise environments as a temporary mitigation
Strengthen Your SOC by Accelerating Threat Detection & Rapid Investigations. -> Integrate ANY.RUN With Your SOC Now.