Microsoft has rolled out a security fix for Microsoft Edge to address a font-handling flaw that could let attackers quietly steal data from your browser just by luring you to a malicious webpage. The company published advisory CVE-2026-7904 on May 7, 2026, confirming that the latest Edge builds are no longer vulnerable to the out-of-bounds memory read in Chromium’s Fonts component.
This is not a standalone Microsoft patch. Edge inherits its core from the open-source Chromium project, and Google already plugged the hole in Chrome 148.0.7778.96 (Linux) and 148.0.7778.96/.97 (Windows and macOS) days earlier. But by formally documenting the CVE through its Security Update Guide, Microsoft gives Windows administrators, IT teams, and home users a clear signal: update your browser now.
What actually changed inside the browser
The bug, tracked as CVE-2026-7904, is an out-of-bounds read in Chromium’s Fonts subsystem. In plain terms, the browser could be tricked into reading from a memory location it should not be able to access. An attacker who crafts a malicious HTML page—something as simple as a phishing link or a compromised website—could trigger the flaw. If successful, they might glimpse sensitive data that normally stays locked away: session tokens, passwords from autofill, or internal memory layouts that make other attacks easier.
Chromium’s maintainers rated the vulnerability as high severity. CISA’s enrichment later gave it a CVSS 3.1 score of 4.3 (medium), with a vector that includes network attack, low complexity, and only user interaction required. The apparent mismatch isn’t a contradiction. CVSS measures generic risk; browser vendors know that information disclosure bugs are prized by attackers because they can be chained with other exploits to defeat security boundaries.
Edge’s fixed builds carry the Chromium 148.0.7778 label. Microsoft’s advisory says the “latest version of Microsoft Edge (Chromium-based) is no longer vulnerable” without specifying the exact three-digit build suffix, because Edge sometimes ships point releases that differ slightly from Chrome’s numbering. For validation, check your browser’s built-in version information: navigate to edge://settings/help and confirm you are on 148.0.7778.something. If the number is lower, the browser is still exposed.
What this means for you—home users, power users, and IT pros
For home users: The fix likely arrived automatically. Edge updates itself in the background, but the new code doesn’t take effect until you restart the browser. If you’re in the habit of never closing your browser, you might be running an outdated version without realizing it. Save your work, close all Edge windows, and reopen the browser. The “About Microsoft Edge” page will confirm the version.
For power users who juggle multiple browsers: This is bigger than Edge. Any Chromium-based software that hasn’t yet ingested the Chrome 148 patches—Brave, Opera, Vivaldi, Electron apps, even Android WebView—carries the same font bug. The CVE advisory officially covers Google Chrome and Microsoft Edge, but identical code can live inside any application built on Chromium. Check those browsers too. Update them all.
For IT administrators and security teams: Microsoft marking “Customer Action Required” in the advisory isn’t just bureaucratic formality. It tells you that your vulnerability scanners and compliance dashboards need to recognize this as a Microsoft-tracked issue, not just a Google one. In practice, that means:
- Verify that your endpoint management tools report Edge versions accurately. Some older scanners may flag only Chrome, not Edge, against this CVE.
- Validate update deployment across your fleet. Edge’s enterprise updater respects group policies, and it’s common for VDI images, kiosks, or tightly locked-down PCs to lag behind.
- Pay attention to browser restarts. A machine that downloaded the update but still has an Edge process running from the previous day is not protected. Consider restart prompts or overnight maintenance windows.
- If you use offline or air-gapped systems, download the full Edge installer package from Microsoft’s Volume Licensing Service Center or the Microsoft Edge for Business page and push it through your software distribution tool.
How we got here—a timeline of a shared vulnerability
The chain of events is typical for the modern web platform but worth understanding because it repeats every few weeks:
- Chromium developers discovered and fixed an out-of-bounds read in the Fonts component (exact date not public, as the bug tracker entry remains restricted to prevent attackers from studying the flaw before most users patch).
- Google released Chrome 148.0.7778.96 for Linux and 148.0.7778.96/.97 for Windows and macOS with the fix included alongside over a hundred other security improvements. The Chrome stable channel rollout occurred in late April 2026, with staged distribution over days.
- Microsoft ingested the upstream Chromium fix into Edge, tested it, and promoted the corresponding build to its stable channel.
- On May 7, 2026, Microsoft published Security Update Guide entry CVE-2026-7904 to signal to its customers that Edge is remediated, and to give them a record they can attach to compliance reports.
This process happens because Edge—and dozens of other applications—share the same guts. A font parser bug in Chromium isn’t a “Google problem” anymore; it’s a cross-vendor risk. Microsoft’s advisory is essentially a mirror of the Chromium fix, translated into the language and tracking systems that Windows-centric teams rely on.
What you should do right now
If you’re an individual:
1. Check your Edge version by going to edge://settings/help. If it’s 148.0.7778. or higher, you’re done.
2. If it isn’t, trigger an update: Stay on that page; Edge will check for updates automatically. If it’s blocked (e.g., by a corporate policy), download the latest installer from Microsoft directly.
3. Restart Edge completely. Open Task Manager and ensure no msedge.exe processes linger before relaunching.
4. Do the same for Chrome, Brave, Opera, and any Electron-based apps* you use. The bug lives in their code, too, even if Microsoft’s advisory doesn’t name them.
If you’re an IT administrator:
1. Query your fleet for Edge versions. Use SCCM, Intune, or your endpoint management tool to list all installations. Flag anything below 148.0.7778.
2. Adjust update policies if you’ve been holding back Edge upgrades for compatibility testing. The risk from this information-disclosure bug is high enough to warrant pushing the update.
3. Force restarts if your users keep browsers open for weeks. Browser updates are not like operating system patches that can hot-patch in memory; the browser must relaunch to load the fixed rendering engine.
4. Review your vulnerability scanner’s reporting for this CVE. If it shows Chrome vulnerable but Edge not, or vice versa, it may be confused by CPE mismatches. Manually verify with device-level version checks.
5. Set a reminder to check for new Edge builds weekly. The Chromium patch cycle is rapid, and Microsoft typically ships Edge updates within days of major Chrome stable releases.
The bigger picture—browsers are the new frontline
This CVE is not the most critical browser flaw announced this year. But it exemplifies why keeping browsers current is now as vital as operating system patching. Font parsers, image decoders, video codecs, CSS layout engines—these subsystems warp, stretch, and render data from the wild internet billions of times a day. Each one is a door an attacker could push open.
Memory-read bugs like CVE-2026-7904 are particularly valuable to sophisticated attackers not because they grant immediate control, but because they erode the secrecy that modern browsers depend on. Learning a few bytes of memory can reveal the randomization patterns that make remote code execution harder, or expose tokens that let an attacker impersonate a user without ever planting malware.
The good news: The fix is already available, and for most Edge users, it has been silently delivered. The work now is to make sure that “available” and “installed and actively running” are the same thing on every device.
Microsoft’s next Edge stable release will likely carry further Chromium security fixes. Watch the Microsoft Security Response Center update guide and the Edge release notes for the latest build numbers. Because when the next font bug, image parser flaw, or JavaScript engine oversight arrives—and it will—the muscle of fast, verifiable browser updates will be your most reliable defense.