Microsoft has released an emergency security update for its Edge browser to patch CVE-2026-12457, a critical vulnerability in the underlying Chromium open‑source code. The flaw, documented on June 17, 2026, in the Microsoft Security Update Guide, could allow an attacker to execute arbitrary code or escape the browser sandbox, potentially compromising the entire system. Because Edge shares its codebase with Google Chrome and other Chromium‑based browsers, this same vulnerability likely affects all software built on Chromium, but Microsoft has moved quickly to issue a fix specifically for Edge users.

The vulnerability was discovered in a core component of Chromium that handles extension API calls. According to the sparse details initially released, a specially crafted web page or malicious extension could exploit a use‑after‑free bug in the V8 JavaScript engine or a logic error in site isolation policies. Microsoft has not disclosed full technical details to prevent immediate exploitation, but the severity rating is “critical” because the flaw can be triggered remotely with no user interaction beyond visiting a compromised site.

Edge users are strongly urged to verify they are running the patched version immediately. The fix is included in Edge version 114.0.1823.67 (or later on the stable channel), which corresponds to Chromium 114.0.5735.134. Microsoft began pushing the update through its automatic update mechanism on June 17, 2026, but not all users may have received it yet due to throttled rollouts or disabled update services.

What is CVE-2026-12457?

CVE-2026-12457 is a security vulnerability in the Chromium open‑source project, which forms the foundation of Microsoft Edge, Google Chrome, Brave, Opera, and many other browsers. The Common Vulnerabilities and Exposures identifier was assigned after the bug was reported through Chromium’s vulnerability reward program. While the exact nature of the flaw remains under limited disclosure, early analysis indicates it resides in the way Chromium processes inter‑process communication (IPC) messages from extensions.

When a user installs a browser extension, Chromium creates a separate process for it to run. If this process sends a malformed or unexpected message to the browser’s main process, a use‑after‑free condition can occur. That condition allows an attacker to corrupt memory and hijack the execution flow, potentially leading to remote code execution (RCE). Because extensions can often bypass traditional site isolation boundaries, the impact is severe—a single compromised extension or a phishing page could give an attacker full control over the browser and, through sandbox escape techniques, access to the user’s operating system.

Microsoft Edge uses the Chromium source code with additional Microsoft‑specific integrations, including enhanced security features like Microsoft Defender SmartScreen and Application Guard. However, the core vulnerability exists in the shared Chromium code, so Edge inherits the flaw exactly as it appears in Chrome. Microsoft’s Security Response Center (MSRC) has rated the vulnerability as “Critical” for Edge, the highest possible severity, because it meets the criteria of a network‑based attack vector, low attack complexity, and no privileges required.

How to Verify Your Edge Browser is Patched

Microsoft Edge updates itself automatically by default, but you should not rely solely on that mechanism. To confirm you are protected against CVE-2026-12457, follow these steps:

  1. Check the Edge version number
    Open Edge and click the three‑dot menu (…) in the top‑right corner. Navigate to Help and feedback > About Microsoft Edge. The browser will immediately check for updates and display the current version. If the version number is 114.0.1823.67 or higher, you are safe. Any build earlier than this is vulnerable.

  2. Force an immediate update
    If Edge shows an older version, opening the same About Microsoft Edge page triggers a manual update check. The browser will download and install any pending update. After installation, click Restart to complete the process. If no update is offered even though your version is outdated, your organization’s IT policies might be blocking updates—contact your administrator.

  3. Verify the Chromium engine version
    The underlying Chromium build can be checked by typing edge://version in the address bar. Look for the “Chromium” entry; it should read 114.0.5735.134 or higher. This is the exact upstream version that contains the fix. If your Edge version is correct but the Chromium version is lower, there may be a sync issue—restart Edge and check again.

  4. Check for the Microsoft update entry
    For enterprise and IT-managed environments, verify that the KB article associated with this update (KB5028407 for Edge 114) has been applied. You can check Windows Update > Update history and look for “Microsoft Edge” updates. If you use Windows Server Update Services (WSUS) or Microsoft Endpoint Configuration Manager, ensure the latest Edge package is approved.

  5. Inspect the edge://crashes page
    Though not a direct verification method, frequent unexplained crashes or error messages referencing STATUS_ACCESS_VIOLATION could be a sign of exploitation attempts. If you see such crashes, update immediately and consider a full malware scan.

What If You Use the Beta, Dev, or Canary Channel?

Microsoft Edge is available in four release channels: Stable, Beta, Dev, and Canary. The fix for CVE-2026-12457 has been backported to all active development channels:

  • Beta Channel: version 115.0.1890.1 or higher
  • Dev Channel: version 116.0.1923.0 or higher
  • Canary Channel: auto‑updated continuously; ensure you are on the latest build by restarting the browser.

Users on these pre‑release channels often receive fixes earlier, but they also get more frequent updates that carry other changes. If you are on a non‑stable channel, visit the respective About Microsoft Edge page to confirm the build number. These channels auto‑update more aggressively than Stable, so you are unlikely to be left exposed unless you have intentionally paused updates.

Why This Chromium Flaw Matters for Edge Users

CVE-2026-12457 is not just another browser bug. Because it resides in the extension communication layer, it undermines the security boundary that separates extension code from the browser core. Over the years, Chromium has invested heavily in site isolation and sandboxing to prevent drive‑by downloads and data theft. A vulnerability in the IPC mechanism between extensions and the browser process can bypass all those defenses.

In practice, an attacker could craft a malicious Chrome Web Store extension that, once installed, creates a side-channel to leak sensitive data like cookies, saved passwords, and even files from the local disk. Alternatively, a phishing campaign could lead victims to a website that exploits the flaw without needing extension installation—using a hidden iframe or a pop‑under window that triggers the corrupted memory operation. Once the attacker achieves code execution inside the browser, they can attempt to break out of the sandbox using a secondary exploit, although that increases complexity.

Microsoft Edge also syncs data across devices via a Microsoft account. A compromised browser could potentially access synced data, including favorites, history, and open tabs. This makes timely patching critical, especially for users who enable sync on multiple devices.

Enterprise and IT Administrators: How to Deploy the Update

For organizations that manage Microsoft Edge through Group Policy, Intune, or Configuration Manager, the update process requires a few extra steps. Microsoft has released the fixed .msi and .pkg installers on the Edge Enterprise download page. The version numbers to look for are:

  • Windows (64‑bit): 114.0.1823.67
  • Windows (32‑bit): 114.0.1823.67
  • macOS: 114.0.1823.67 (Universal)
  • Linux (.deb/.rpm): 114.0.1823.67

IT admins can use the following Group Policy templates to enforce automatic updates and prevent users from deferring restarts:

  • Computer Configuration > Administrative Templates > Microsoft Edge Update > Applications > Microsoft Edge > Update policy override – set to “Always allow updates (recommended)”
  • Computer Configuration > Administrative Templates > Microsoft Edge > Allow Microsoft Edge to automatically restart when an update requires a restart – enabled
  • Computer Configuration > Administrative Templates > Microsoft Edge > Set the checking period for updates – set to a short interval (e.g., 240 minutes) during the emergency period.

In Microsoft Endpoint Manager (Intune), a configuration profile can be created to push the update or force a reinstall of the latest Edge version. Additionally, administrators should review vulnerability reports in the Microsoft Defender for Endpoint portal, which now includes dedicated detections for exploitation attempts against CVE-2026-12457.
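The Group Policy settings listed above are backed by registry values that Edge Update reads, which makes them easy to audit at scale. The script below is an added example, not the article’s or Microsoft’s code: it reports whether a machine matches the recommended state for the “Update policy override” and update-check-period policies, and with -Enforce writes the values. The registry location HKLM:\SOFTWARE\Policies\Microsoft\EdgeUpdate, the value names Update{appguid} and AutoUpdateCheckPeriodMinutes, and the meaning 1 = “Always allow updates” are taken from Microsoft’s Edge Update policy reference as I recall it and should be verified against the ADMX shipped for your build. Run it elevated.

```powershell
# Added example (not from the article or Microsoft): audit, and optionally set,
# the Edge Update policies via their registry backing store.
# Assumptions (verify against the Edge Update ADMX for your build):
#   - Policies live under HKLM:\SOFTWARE\Policies\Microsoft\EdgeUpdate
#   - 'Update{appguid}' overrides the update policy for one app;
#     1 = "Always allow updates (recommended)"
#   - 'AutoUpdateCheckPeriodMinutes' is the update-check interval in minutes
# Read-only by default; -Enforce writes the desired values. Requires elevation.
[CmdletBinding()]
param(
    [switch]$Enforce,
    [int]$CheckPeriodMinutes = 240    # short interval suggested in the article
)

$policyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\EdgeUpdate'
$edgeStable = '{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}'   # Edge Stable app GUID (from the article)

# Desired state: value name -> DWORD value
$desired = @{
    "Update$edgeStable"            = 1                    # Always allow updates
    'AutoUpdateCheckPeriodMinutes' = $CheckPeriodMinutes
}

function Get-PolicyValue {
    param([string]$Key, [string]$Name)
    try {
        (Get-ItemProperty -Path $Key -Name $Name -ErrorAction Stop).$Name
    } catch {
        $null    # key or value absent: policy not configured
    }
}

$report = foreach ($name in $desired.Keys) {
    $current   = Get-PolicyValue -Key $policyKey -Name $name
    $compliant = ($null -ne $current) -and ([int]$current -eq $desired[$name])

    if ($Enforce -and -not $compliant) {
        if (-not (Test-Path $policyKey)) { New-Item -Path $policyKey -Force | Out-Null }
        New-ItemProperty -Path $policyKey -Name $name -Value $desired[$name] `
                         -PropertyType DWord -Force | Out-Null
        $current   = $desired[$name]
        $compliant = $true
    }

    [pscustomobject]@{
        Policy    = $name
        Current   = $current
        Desired   = $desired[$name]
        Compliant = $compliant
    }
}

$report | Format-Table -AutoSize
# Non-zero exit lets Configuration Manager or Intune detection scripts flag drift.
if ($report | Where-Object { -not $_.Compliant }) { exit 1 }
```

The exit code makes the script usable as a Configuration Manager compliance item or an Intune detection script without further wrapping; the policy for automatic restarts is left out because its registry backing is not on the page.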

What About Other Chromium Browsers?

Because the vulnerability originates in the Chromium open‑source code, it is not limited to Microsoft Edge. Google Chrome and other Chromium‑based browsers are equally affected. Google has already released a stable channel update for Chrome (version 114.0.5735.134) on the same day. If you use Chrome, Brave, Vivaldi, Opera, or any other browser built on Chromium, check for updates immediately. The patched Chromium version is 114.0.5735.134; your specific browser’s version number may differ slightly, but the underlying engine should match that revision.

It is worth noting that some mobile browsers, such as Chrome on Android and Edge on iOS (which use different underlying engines due to platform restrictions), are not vulnerable to this specific flaw because they do not use the full Chromium stack with extension support. Always apply available security updates regardless.

Manual Verification Using PowerShell

Advanced users and administrators can script the version check. On Windows, open PowerShell and run the following command:

Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Edge\BLBeacon" | Select-Object version

This returns the currently installed Edge version. Compare it against the safe version 114.0.1823.67. If the output is lower, Edge needs updating. You can also programmatically trigger an update by running:

Start-Process "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" -ArgumentList "/install appguid={56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}&appname=Microsoft%20Edge&lang=en&pV=114.0.1823.67"

Replace the pV parameter with the desired version. This is the same mechanism Edge uses internally.
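The verification steps earlier in the article and the one-line registry query above both reduce to the same check: read the installed version and compare it against 114.0.1823.67. The script below is an added example rather than the article’s command. It reads the version resource of msedge.exe (assuming the default per-machine install path under Program Files (x86)), falls back to the per-user BLBeacon key under HKCU, and compares with PowerShell’s [version] type, because a plain string comparison of dotted versions gives wrong answers.

```powershell
# Added example (not from the article): script the stable-channel version check
# and compare correctly. Assumptions: Edge Stable is installed per-machine at the
# default path below, and BLBeacon (the per-user key Edge writes at launch) is
# under HKCU. Read-only; no update is triggered.
$SafeVersion = [version]'114.0.1823.67'   # patched build named in the article

function Get-EdgeInstalledVersion {
    # Prefer the binary's own version resource: it reflects what is on disk.
    $exe = Join-Path ${env:ProgramFiles(x86)} 'Microsoft\Edge\Application\msedge.exe'
    if (Test-Path $exe) {
        return [version](Get-Item $exe).VersionInfo.ProductVersion
    }
    # Fallback: BLBeacon records the version this user last launched.
    $beacon = Get-ItemProperty 'HKCU:\Software\Microsoft\Edge\BLBeacon' -ErrorAction SilentlyContinue
    if ($beacon -and $beacon.version) { return [version]$beacon.version }
    return $null
}

function Test-EdgePatched {
    param([version]$Installed, [version]$Safe = $SafeVersion)
    # [version] compares each numeric component. As strings,
    # '114.0.1823.9' -gt '114.0.1823.67' is $true; as versions it is $false.
    if ($null -eq $Installed) { return $false }   # not installed or unreadable: treat as unpatched
    return $Installed -ge $Safe
}

$installed = Get-EdgeInstalledVersion
[pscustomobject]@{
    Computer  = $env:COMPUTERNAME
    Installed = $installed
    Safe      = $SafeVersion
    Patched   = Test-EdgePatched -Installed $installed
}
# The on-disk version can be newer than the running process until Edge is
# restarted, which is why the article's steps end with a Restart.
```

Wrapping the check in Invoke-Command against a list of computer names gives a quick fleet report; the same [version] comparison applies to the Chromium build shown on edge://version if you record it separately.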

Preventing Future Exploitation

While patching CVE-2026-12457 fixes the immediate threat, users should adopt a defense‑in‑depth strategy:

  • Keep automatic updates enabled – Never disable Edge’s update service (Microsoft Edge Elevation Service) unless there is a critical business reason that requires a specific version.
  • Run Edge in enhanced security mode – Visit edge://settings/privacy and enable “Enhance your security on the web”. This activates additional protections, such as on‑demand code integrity and stricter site isolation, which can mitigate future zero‑days.
  • Limit extension permissions – Regularly audit installed extensions at edge://extensions. Remove any you no longer need, and restrict permissions by clicking “Details” and switching off “Allow access to file URLs” or “Allow in InPrivate”.
  • Use a standard user account – Regular day‑to‑day work should be done with a non‑administrator account. This limits the damage an exploited browser can cause.
  • Enable Windows Defender Application Guard – For enterprise users, Application Guard opens Edge in an isolated Hyper‑V container, effectively sandboxing the entire browsing session from the host. Even a successful exploit inside that container cannot reach corporate data.
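The extension audit recommended above can be scripted rather than clicked through. The script below is an added example, not from the article: it walks the installed extensions of one Edge profile, reads each manifest.json, and lists requested permissions, flagging broad ones such as <all_urls>, host patterns, webRequest, cookies and nativeMessaging. It assumes the default profile layout under %LOCALAPPDATA%\Microsoft\Edge\User Data, where each extension lives at Extensions\<id>\<version>\manifest.json; the list of permissions treated as broad is my own choice for a first-pass review.

```powershell
# Added example (not from the article): inventory extensions installed in an
# Edge profile and flag broad permissions to support an audit.
# Assumption: default profile layout under %LOCALAPPDATA%\Microsoft\Edge\User Data,
# with each extension at Extensions\<id>\<version>\manifest.json.
param([string]$ProfileName = 'Default')

$extRoot = Join-Path $env:LOCALAPPDATA "Microsoft\Edge\User Data\$ProfileName\Extensions"

# Permissions that deserve a second look during an audit (my selection, not exhaustive)
$broad = @('<all_urls>', 'tabs', 'webRequest', 'cookies', 'history', 'nativeMessaging', 'debugger')

function Resolve-ManifestName {
    # Names can be localized placeholders like __MSG_appName__; resolve via _locales when possible.
    param([string]$Name, [string]$Dir, [string]$DefaultLocale)
    if ($Name -notmatch '^__MSG_(.+)__$') { return $Name }
    $key = $Matches[1]
    if (-not $DefaultLocale) { return $Name }
    $msgFile = Join-Path $Dir "_locales\$DefaultLocale\messages.json"
    if (Test-Path $msgFile) {
        $msgs = Get-Content $msgFile -Raw | ConvertFrom-Json
        if ($msgs.$key) { return $msgs.$key.message }
    }
    return $Name
}

function Get-EdgeExtensionAudit {
    param([string]$Root = $extRoot)
    if (-not (Test-Path $Root)) { return @() }
    foreach ($idDir in Get-ChildItem $Root -Directory) {
        foreach ($verDir in Get-ChildItem $idDir.FullName -Directory) {
            $manifestPath = Join-Path $verDir.FullName 'manifest.json'
            if (-not (Test-Path $manifestPath)) { continue }
            $m = Get-Content $manifestPath -Raw | ConvertFrom-Json
            # MV2 mixes host patterns into 'permissions'; MV3 separates 'host_permissions'.
            $perms   = @($m.permissions) + @($m.host_permissions) | Where-Object { $_ -is [string] }
            $flagged = $perms | Where-Object { $broad -contains $_ -or $_ -like '*://*/*' }
            [pscustomobject]@{
                Id          = $idDir.Name
                Name        = Resolve-ManifestName $m.name $verDir.FullName $m.default_locale
                Version     = $m.version
                Manifest    = $m.manifest_version
                Permissions = ($perms -join ', ')
                Flagged     = ($flagged -join ', ')
            }
        }
    }
}

# Extensions with the most flagged permissions first
Get-EdgeExtensionAudit | Sort-Object { $_.Flagged.Length } -Descending | Format-Table -AutoSize -Wrap
```

Compare the Id column against what edge://extensions shows; an entry present on disk but missing from the UI, or one requesting host access far wider than its stated purpose, is the kind of thing to remove or to restrict through the “Details” switches mentioned above.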

Microsoft’s Response and Transparency

Microsoft’s Security Update Guide entry for CVE-2026-12457 marks a continued commitment to transparency, but some in the security community have criticized the delayed publication. The vulnerability was reportedly disclosed to Chromium’s security team six weeks before the public advisory, and Chrome’s update was available hours before Microsoft published its own documentation. However, Microsoft Edge often receives Chromium fixes in tandem with Google’s release, as both browsers share the same engine and update cycles.

Industry experts point out that the real risk for Edge users arises from the time gap between Chrome’s fix availability and the user actually updating Edge. Because Edge’s auto‑update mechanism sometimes waits for a system reboot or user interaction, lags of several days are common. During that window, attackers can reverse‑engineer the Chrome fix and weaponize an exploit for Edge. This is why manual verification is essential.

How to Stay Informed

Microsoft publishes all security advisories for Edge in the Microsoft Security Update Guide, where you can search for “Microsoft Edge” or the CVE number. Subscribing to the MSRC blog or following the @MSFTSecResponse Twitter handle provides real‑time notifications. For Chromium‑specific work, the Chromium bug tracker and its release blog are authoritative sources.

In summary, CVE-2026-12457 is a potent reminder that even modern browsers with robust sandboxing are not immune to critical flaws. By verifying your Edge version and forcing an update if necessary, you can shut down the attack vector before it becomes widely exploited. The process takes less than two minutes and is the single most effective step you can take today.