Microsoft shipped an emergency update for Edge Stable on July 2 that patches a remote code execution vulnerability—tracked as CVE-2026-57992—that attackers could exploit simply by luring a victim to a malicious website. The fix arrives after a weeks-long gap during which the underlying flaw was publicly known in Chromium but not yet addressed in Edge, leaving millions of Windows users at risk.

The Fix: What Edge 150.0.4078.48 Actually Changes

The July 2 update, version 150.0.4078.48, addresses a vulnerability that Microsoft rated as “Critical” in its Security Update Guide. According to the advisory, the flaw is a remote code execution (RCE) bug that stems from the Chromium engine that powers Edge. Microsoft’s own description is sparse, but the company confirmed that successful exploitation could allow an attacker to run arbitrary code on a victim’s machine with the same privileges as the logged-in user.

Because Edge runs in a sandbox on Windows, any code execution would initially be contained, but a motivated attacker could chain this bug with a sandbox escape or other privilege escalation exploit to seize full control of the system. Even without a sandbox escape, an attacker who compromises the browser could steal cookies, session tokens, passwords, and other sensitive data stored in the browser.

The update reached the Stable channel on July 2, but Microsoft had already shipped a fix to Insiders running Dev and Canary builds a few days earlier. For most users, the update will install automatically. You can check your version by typing edge://settings/help in the address bar—if the number displayed is 150.0.4078.48 or higher, you’re protected.

Microsoft did not disclose whether the vulnerability was actively exploited in the wild before the patch, but given the Critical rating and the fact that the patch gap left a window of opportunity, security professionals are urging users to update immediately.

Patch Gap, Explained: Why the Delay Matters

The concept of a “patch gap” isn’t new to Chromium-based browsers. When a security bug is found and fixed in the open-source Chromium project, that fix lands in Google Chrome first, then trickles down to other browsers that use the engine—like Edge, Brave, Opera, and Vivaldi. The delay between upstream fix and downstream release can stretch from a few hours to several weeks, depending on each browser vendor’s release cadence.

In the case of CVE-2026-57992, the gap was particularly troubling because it involved a critical RCE. According to the Chromium bug tracker, the original report and fix were submitted in mid-June, with a public commit landing soon after. That means any attacker who monitored the Chromium source code could have reverse-engineered the flaw and developed an exploit before Microsoft shipped its update. During those weeks, Edge users were effectively sitting ducks—awareness of the bug was public, but the patch wasn’t yet available.

Security researchers have long criticized this patching model. While open-source transparency is good for collective defense, it also lowers the bar for attackers. The patch gap essentially creates a race: can the good guys ship a fix before the bad guys weaponize the disclosure? In this instance, it took Microsoft roughly two and a half weeks from the upstream fix to the Edge Stable release. That’s not unusual, but for a critical RCE, every day counts.

How Attackers Could Exploit CVE-2026-57992

Microsoft’s advisory classifies the vulnerability as “Exploitation More Likely,” the highest rating on its Exploitability Index. That means the company believes an attacker can consistently craft working exploits. The nature of the bug—remote code execution—means no user interaction beyond visiting a website is required. Phishing emails, malicious ads, or compromised sites could all serve as attack vectors.

Although the technical details are not publicly disclosed (as of July 2), typical Chromium RCEs involve memory corruption bugs—use-after-free, heap buffer overflow, or type confusion. Once triggered, the attacker gains the ability to execute code in the context of the browser process. From there, they can drop malware, exfiltrate data, or pivot to other parts of the network.

Because Edge shares many Chromium underpinnings with Chrome, the flaw likely affects other Chromium browsers too. But Chrome, Brave, and others patched the issue much earlier. The danger was amplified for Edge because it comes preinstalled on every Windows machine and is often used in enterprise environments where centralized update management can introduce further delays.

Am I Affected? The Scope of the Threat

If you run Microsoft Edge on any supported Windows version—Windows 10, Windows 11, or even older Windows Server editions with the Edge browser installed—you were vulnerable until you applied the July 2 update. This includes both consumer and enterprise installations. The flaw does not affect Edge on macOS, Linux, or mobile platforms because it is specific to the Windows implementation, according to Microsoft.

Home users who have automatic updates enabled (the default setting) are likely already protected, as Edge checks for updates every few hours and installs them silently. However, users who have paused updates or are on metered connections might still be unpatched. IT administrators managing Edge via Group Policy or Configuration Manager will need to deploy the update through their usual channels.

One critical note: if your organization uses Edge in kiosk mode or embedded within applications (like the WebView2 control), those components may also be vulnerable. Microsoft’s advisory explicitly mentions that the update covers all Edge components, so a cumulative browser update should address them.

How to Check and Update Edge Immediately

The safest and fastest way to update is through the browser itself. Click the three-dot menu in the top right, go to “Help and feedback,” then “About Microsoft Edge.” Alternatively, type edge://settings/help in the address bar and press Enter. Edge will automatically check for updates and begin downloading if one is available. Once installed, you’ll see a prompt to restart the browser.

For enterprises, the easiest method is to allow automatic updates via Microsoft Update. If you need to deploy manually, you can download the latest MSI installer from the Microsoft Edge for Business download page, or use Windows Server Update Services (WSUS) or Microsoft Configuration Manager. The update carries the KB number KB5041152, though Microsoft typically bundles Edge updates with the browser’s own update mechanism rather than a standalone patch.

If for some reason you cannot update right away, consider using an alternative browser that has already been patched—such as Google Chrome or Mozilla Firefox—until you can apply the Edge fix. While Microsoft advises against this for compatibility reasons, it’s a safer short-term workaround than remaining exposed. Additionally, you can reduce risk by avoiding clicking unknown links, disabling JavaScript on untrusted sites (via extensions or site permissions), and keeping your operating system and antivirus up to date.

The Bigger Picture: Chromium’s Patching Pipeline

This incident reignites the debate over how Chromium-based browsers handle upstream vulnerabilities. Google’s fast-paced release cycle means Chrome often gets a patch within 24–48 hours of a critical bug fix landing in the main branch. Edge, which historically shipped every four weeks and then shifted to a more rapid cadence, still lags behind. Microsoft justifies the delay by citing additional testing and integration work required for Windows-specific features and enterprise policies.

However, attackers don’t wait. In the past, we’ve seen similar patch gaps lead to real-world attacks. The notorious Log4j vulnerability, while not browser-specific, illustrated how a public disclosure without a universal patch can cause chaos. For Chromium-based browsers, the phenomenon is so common that security firms now track “patch gap weeks” as a metric for vendor responsiveness.

To its credit, Microsoft has narrowed the gap in recent years. Since transitioning to a four-week release cycle aligned with Chromium, Edge updates come faster than they did with the legacy EdgeHTML engine. And for zero-day emergencies, the company can push unscheduled releases, as it did with this fix. But the question remains: why can’t the gap be smaller for critical bugs? One answer lies in the complexity of testing across Windows’ diverse hardware and software ecosystem. Another might be the prioritization of other security work.

What’s Next: Watching for Exploits

With the patch now available, the immediate danger is past for those who update. But two risks linger. First, some users will delay updating—whether out of neglect, broken automatic updates, or enterprise approval chains—and those users become easy targets if an exploit becomes public. Second, the public disclosure and proof-of-concept code could emerge at any time, making reverse-engineering trivial for attackers. Security researchers often publish write-ups after a patch is out, detailing how the bug works, which helps the community but also assists attackers.

Microsoft advises users to enable automatic updates and to monitor the Security Update Guide for any future revisions to the advisory. Post-release, the CVE details might be enriched with CVSS scores and additional technical specifics. As of now, the CVE entry is likely in a reserved state with limited information, but it will be updated soon.

The July 2 update also includes other non-security fixes and performance improvements, but the RCE patch is the star of the show. For the average Windows user, the takeaway is simple: if you see that update notification, don’t dismiss it. Click restart and let Edge do its job.

Edge has come a long way since its controversial launch, but incidents like this remind us that no browser is immune to critical flaws. The patch gap is a structural weakness that all Chromium-based browsers share; until the industry finds a way to deliver fixes in lockstep, users must stay vigilant.