On July 3, 2026, Microsoft published a security advisory for a freshly patched information disclosure vulnerability in the Chromium-based Microsoft Edge browser. Tracked as CVE-2026-58291, the medium-severity flaw affects Edge versions earlier than 150.0.4078.48 across Windows, macOS, and Linux. The company urges all users to update immediately — though, as is standard with coordinated disclosure, it has not released the specific attack vector or technical details of the bug.
The update lands with Edge 150
Edge 150.0.4078.48 shipped to the Stable channel on July 3, 2026, rolling out the fix alongside the usual blend of Chromium security backports and browser improvements. The version number jump to 150 — up from Edge 149 — suggests a sizeable update, but Microsoft has not flagged this particular release as a “major” milestone in its changelog. Instead, it appears to be a routine security and maintenance release, with CVE-2026-58291 being the only publicly acknowledged vulnerability remediated.
According to Microsoft’s advisory, the flaw is an “information disclosure” issue at medium severity. In practice, this means an attacker who successfully exploits the bug could leak sensitive data — potentially including cookies, authentication tokens, or even on-page secrets — under restricted conditions. The company has declined to share the precise technical mechanism, such as whether it requires a user to visit a malicious website or if it can be triggered through other means, citing its responsible disclosure policy.
Affected versions and platforms:
| Platform | Affected Edge versions | Patched version |
|---|---|---|
| Windows 10, Windows 11 (x86, x64, arm64) | < 150.0.4078.48 | 150.0.4078.48 |
| macOS (Intel, Apple Silicon) | < 150.0.4078.48 | 150.0.4078.48 |
| Linux (Ubuntu, Debian, Fedora, OpenSUSE) | < 150.0.4078.48 | 150.0.4078.48 |
Notably, Edge on iOS and Android follow different codebases and are not included in this advisory. Windows Server editions that include Edge are also affected.
What CVE-2026-58291 means for your daily browsing
A medium-severity information disclosure bug rarely makes headlines, but it does carry real-world risk — particularly for anyone who handles sensitive accounts or data inside the browser. While Microsoft has not observed active exploitation of CVE-2026-58291 at the time of the advisory, the nature of such flaws means attackers often reverse-engineer the patch to develop exploits within days of the fix becoming public.
For the typical home user, the practical threat is moderate: an attacker would need to lure you to a compromised or malicious website, and the leaked information would be limited to what the browser process could access. Still, even a partial data leak can act as a stepping stone. If your browser inadvertently reveals session cookies, for instance, a remote attacker could hijack your accounts on banking, email, or work platforms.
Enterprise admins face a more pressing concern: if a single inside-the-network user runs an outdated Edge version, an attacker who already has a foothold on the corporate LAN could potentially exploit the bug to read data from the victim’s browser silently. This is why “medium” rated flaws are often taken seriously in defense-in-depth strategies.
Developers and power users who run Edge in kiosk mode, or within virtual desktop environments, should pay attention as well. Information disclosure in a locked-down browser session can undermine the entire isolation model.
How we got here: the Chromium connection
Microsoft Edge has been built on the open-source Chromium engine since 2020. This means the lion’s share of browser vulnerabilities discovered in Edge actually originate upstream in Google’s Chromium project and are eventually ported downstream by Microsoft. CVE-2026-58291 is no exception: the advisory notes the vulnerability was discovered by an external researcher through the Chromium Vulnerability Rewards Program, though Microsoft has chosen to assign its own CVE identifier rather than relying solely on the Chromium CVE number.
This practice is common when the flaw is verifiably present in Edge’s shipping code and Microsoft handles the disclosure coordination. Chromium typically releases security patches roughly every two weeks, and Edge absorbs those patches into the Stable channel on a similar cadence. Edge 150.0.4078.48 likely incorporates several Chromium security fixes beyond CVE-2026-58291, but Microsoft’s advisory highlights only this one.
The timeline is short: the bug was reported privately to the Chromium team, a patch was developed, and within the standard 90-day window (or faster), the fix was shipped. This fast turnaround reflects the browser industry’s maturing vulnerability response. For users, the takeaway is simple: keeping your browser up-to-date is the single most effective defense against opportunistic web-based attacks.
What to do right now
Check your Edge version. Open Edge, type edge://settings/help into the address bar, and press Enter. The browser will display the installed version and, if an update is available, begin downloading it automatically. You should see at least 150.0.4078.48 listed. If your version is lower, let the update complete and restart the browser.
If auto-update is disabled — common on managed devices — you’ll need to trigger the check manually or deploy the update through your organization’s software management system. Windows users can also run Windows Update: Microsoft frequently bundles Edge updates with the monthly security patches, but Edge updates independently as well.
Enterprise admins should download the MSI installer from the Edge Business download page and push it via SCCM, Intune, or WSUS. Test the update on a limited deployment ring first to avoid unintended side effects, though minor version bumps like this rarely cause compatibility issues.
For Linux users, the update is available through the package manager (apt, dnf, etc.) or by downloading the .deb or .rpm from Microsoft’s repository.
Beyond patching, a few best practices reduce the impact of information disclosure vulnerabilities:
- Enable site isolation in Edge (it’s on by default) to make it harder for a compromised renderer to read data from other origins.
- Use multifactor authentication everywhere possible so that even leaked session tokens become useless.
- Keep browsing profiles clean: regularly logout of unused services and clear saved cookies if you’re not actively using them.
What to watch next
Microsoft has not indicated whether CVE-2026-58291 will receive an “exploitation detected” update. However, given the medium rating, it is unlikely the company will issue an out-of-band warning unless active attacks surface. The next Edge Stable channel update will likely follow Chromium’s biweekly schedule, possibly bringing more security fixes. Users should continue to install updates as they become available.
In the broader picture, this CVE underscores the importance of browser hygiene. Modern browsers are complex pieces of software; even a minor version number bump can silently close a gap that an attacker might have already been probing. Staying on auto-update remains the simplest and most effective safety net.