Microsoft has released an update for its Edge browser on Android to fix a high-severity information disclosure vulnerability that could expose sensitive personal data to attackers. The flaw, assigned CVE-2026-58297, was disclosed on July 3, 2026, and affects all Edge for Android versions prior to 150.0.407. Users should install the patch immediately.

Inside the Vulnerability

Information disclosure vulnerabilities allow unauthorized access to data that should be protected. In the case of CVE-2026-58297, Microsoft hasn’t detailed the exact mechanism that could have been exploited, following its standard practice of limiting technical information to prevent attack replication before patches are widely deployed. However, based on the advisory, the flaw resides in the Chromium-based Edge browser on Android.

Such vulnerabilities typically arise from improper handling of web content or inter‑app communication, such as a malicious website reading sensitive data from another tab or a rogue application intercepting data intended for Edge. In a mobile context, an attacker could potentially access browsing history, cookies, autofill information, authentication tokens, or even data from other websites stored locally. Microsoft rates the severity as high—often reserved for flaws that can lead to significant data exposure without user interaction.

Who Is at Risk

If you use Microsoft Edge on an Android phone or tablet, and your browser version is below 150.0.407, your device is vulnerable. The fix is included in version 150.0.407, which began rolling out through the Google Play Store on July 3. The vulnerability does not affect Edge on Windows, macOS, iOS, or Linux—it is specific to the Android version.

The rollout is gradual; some users may see the update immediately, while others might need to wait a day or two. Enterprise environments where IT administrators manage app updates might also need to explicitly push the new version.

How the Patch Reached Users

Microsoft disclosed the vulnerability as part of its regular security update process, though the mid-cycle timing—falling on a Friday—suggests it may have been an out-of-band release. That move typically signals an elevated urgency, as the company normally bundles browser patches with its monthly Patch Tuesday cycle. Microsoft has not confirmed whether the vulnerability was actively exploited, but the quick fix and high severity rating underscore the potential risk.

Edge for Android updates are distributed exclusively through the Google Play Store, leveraging the store’s managed rollout mechanism. Unlike the desktop Edge browser, which can update itself silently, the mobile version depends on the user accepting the update or having automatic updates enabled. This can sometimes delay the protection for less attentive users.

What You Need to Do

1. Check your current Edge version
Open Edge, tap the three-dot menu, and go to Settings > About Microsoft Edge. The version number appears at the top. If it is lower than 150.0.407, you are running a vulnerable build.

2. Update the browser
- Open the Google Play Store, search for Microsoft Edge, and tap Update.
- If no update is visible, the rollout may not have reached your device yet. Wait a few hours, or try Settings > Apps & notifications > See all apps > Google Play Store > Storage & cache > Clear cache, then restart the Play Store and check again.
- For a manual download, you can also visit the Edge listing directly and see if the Install button changes to Update.

3. Verify the fix
After updating, revisit the About Microsoft Edge screen. The version should now be 150.0.407 or a later number.

4. For enterprise admins
If you manage Android devices via Microsoft Intune, VMware Workspace ONE, or another MDM solution, push the latest Edge APK or adjust your app update policies to require the fixed version. You can also notify your users via your internal communication channels.

5. Additional precautions
As a best practice, consider clearing your browsing data (cookies, site data, cached images and files) from Edge’s Privacy and security settings. This minimizes any stale data that might have been at risk. Also, ensure Google Play Protect is enabled on your device to scan for malicious applications.
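The version check in steps 1, 3 and 4 can be scripted for devices reachable over adb or for version strings exported from an MDM inventory. The following is an added example, not Microsoft's tooling: it compares a version string against 150.0.407 component by component. The package ID com.microsoft.emmx and the file name check_edge.sh are assumptions, not taken from the advisory.

```shell
#!/bin/sh
# Added example (not from Microsoft): audit the Edge for Android build
# against the fixed version named in the advisory.
FIXED_VERSION="150.0.407"          # first fixed build, per the article
EDGE_PACKAGE="com.microsoft.emmx"  # assumption: Play Store package ID of Edge

# version_lt A B: succeed if dotted version A is numerically lower than B.
# Components compare as integers; a missing component counts as 0, so
# 150.0.407.12 is not lower than 150.0.407, and 150.0.1000 is higher.
version_lt() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
        x=${x:-0}; y=${y:-0}
        [ "$x" -lt "$y" ] && return 0
        [ "$x" -gt "$y" ] && return 1
    done
    return 1   # equal
}

# edge_status VERSION: print VULNERABLE, PATCHED or UNKNOWN.
# Anything that is not a plain dotted number is reported as UNKNOWN
# rather than silently treated as patched.
edge_status() {
    case $1 in
        ''|*[!0-9.]*) echo UNKNOWN; return 0 ;;
    esac
    if version_lt "$1" "$FIXED_VERSION"; then echo VULNERABLE; else echo PATCHED; fi
}

# parse_version_name: read `dumpsys package` output on stdin and print the
# first versionName value (adb output may carry CR line endings).
parse_version_name() {
    tr -d '\r' | sed -n 's/^[[:space:]]*versionName=//p' | head -n 1
}

# Live check of one USB-attached device: sh check_edge.sh --adb
if [ "${1:-}" = "--adb" ]; then
    v=$(adb shell dumpsys package "$EDGE_PACKAGE" | parse_version_name)
    echo "$EDGE_PACKAGE ${v:-not-found}: $(edge_status "$v")"
fi
```

A plain string comparison would rank 150.0.1000 below 150.0.407, which is why each component is compared as an integer.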

The Bigger Picture: Edge on Android Security

Microsoft Edge on Android has grown into a popular alternative to Google Chrome, especially for users deeply integrated with the Microsoft ecosystem—syncing passwords, favorites, and Collections across desktop and mobile. Under the hood, the browser relies on the open‑source Chromium engine, sharing a vast codebase with Chrome but adding Microsoft-specific services and privacy controls.

While the shared engine brings rapid feature adoption, it also means that security issues in Chromium can cascade to Edge, and vice versa. Microsoft maintains a dedicated security team that regularly audits and patches the browser. In the past year, Edge for Android has seen an accelerated release cadence, sometimes receiving security fixes ahead of the desktop version because of mobile‑specific threat vectors.

Information disclosure vulnerabilities have been a recurring theme across mobile browsers. Earlier incidents include flaws in how browsers handle URL schemes, intent messages, or JavaScript interactions—allowing malicious apps or websites to siphon data. CVE-2026-58297 appears to fall into this category. The high severity rating, without being critical, indicates that exploitation could result in significant data loss but might require some level of user interaction or specific conditions.

What to Watch Next

Microsoft will likely expand on the technical details in the coming days through its Security Response Center (MSRC), once the majority of users have applied the patch. Independent security researchers may also reverse‑engineer the fix to better understand the attack surface.

For now, the immediate priority is updating. Beyond this incident, users should adopt a habit of keeping all apps—especially browsers—current. Enabling automatic updates in the Google Play Store is a simple, effective defense. Mobile browsers remain prime targets for attackers aiming to harvest credentials and personal data; a few seconds spent on an update can thwart a potential breach.

With the patch already rolling out, the window of vulnerability is closing. Check your version and take action now.