Microsoft Edge vulnerability allowed remote code execution through feedback log files

Microsoft Edge users should make sure their browser is updated after Microsoft fixed a remote code execution vulnerability tied to how Edge handles feedback log files. The issue can let an attacker run code on a targeted system if the user visits a malicious page or opens a crafted file.

The flaw is tracked as CVE-2026-45495. Microsoft included the fix in Edge Stable version 148.0.3967.70, which also addressed two other Edge-specific vulnerabilities in the same update.

The Zero Day Initiative advisory describes the issue as a directory traversal vulnerability in Microsoft Edge’s feedback log file handling. The flaw comes from improper validation of a user-supplied path before Edge uses it in file operations.

What CVE-2026-45495 does

CVE-2026-45495 can allow remote attackers to execute arbitrary code on affected Microsoft Edge installations. The attack is not automatic on its own because it requires user interaction.

That interaction could involve visiting a malicious web page or opening a malicious file. Once triggered, the flaw can be used with other vulnerabilities to execute code in the context of the current user.

This means the impact depends heavily on the user’s privileges. If the targeted user has broad local access, the attacker may gain more useful access to files, browser data, local applications, and persistence locations.

Vulnerability	Type	Impact	User interaction
CVE-2026-45495	Feedback log file handling flaw	Remote code execution	Required
CVE-2026-45494	Microsoft Edge spoofing flaw	Could support deceptive browser behavior	Required
CVE-2026-45492	Improper input validation	Security feature bypass	Depends on attack path

Microsoft fixed the issue in Edge 148.0.3967.70

Microsoft’s Edge security release notes show that Edge Stable version 148.0.3967.70 was released on May 15, 2026. The update includes CVE-2026-45495, CVE-2026-45494, and CVE-2026-45492.

The same release notes show that Microsoft also issued related Edge for iOS and Android updates in the following days. Mobile fixes matter because Edge users may sync accounts, browsing data, and work profiles across devices.

Enterprise administrators should confirm that managed Windows endpoints run Edge 148.0.3967.70 or later. Devices that lag behind the stable release remain exposed to the vulnerabilities covered in that update.

Why attackers need user interaction

ZDI says exploitation requires the target to visit a malicious page or open a malicious file. That makes phishing, poisoned downloads, malicious attachments, and deceptive support pages realistic delivery methods.

The weakness sits in feedback log file handling. According to the ZDI report, Edge failed to properly validate a user-supplied path before using it in file operations.

That type of bug can matter because file path manipulation may let attackers influence where data gets read, written, or processed. In a browser context, attackers often try to combine this type of weakness with other bugs to achieve code execution.

Security scanners flag older Edge versions

Vulnerability scanners have also started flagging unpatched Edge installations. Tenable’s Nessus plugin says Microsoft Edge versions earlier than 148.0.3967.70 are affected by multiple vulnerabilities referenced in the May 15 advisory.

The scanner entry lists CVE-2026-45495 as a remote code execution issue and also references CVE-2026-45492 and CVE-2026-45494. It recommends upgrading Edge to version 148.0.3967.70 or later.

Admins should treat browser version inventory as a priority. Browsers process untrusted web content every day, and users often interact with email links, shared files, collaboration tools, and downloaded documents from many sources.

How serious is CVE-2026-45495?

CVE-2026-45495 should be treated as an important update because it can lead to code execution. However, public advisory details do not describe confirmed exploitation in the wild.

ZDI assigned the flaw a CVSS score of 7.5. Mondoo’s vulnerability entry lists CVE-2026-45495 as high severity and shows a CVSS 3.1 score of 8.8 with user interaction required.

The difference in scoring reflects how different platforms model exploit conditions. The practical takeaway remains the same: update Edge, reduce user privileges, and watch for suspicious file activity tied to browser processes.

• Update Microsoft Edge to version 148.0.3967.70 or later.
• Restart the browser after the update finishes.
• Block untrusted attachments and suspicious download links.
• Use least-privilege accounts for daily work.
• Monitor suspicious file operations launched by browser processes.
• Review endpoint alerts involving unexpected child processes from Edge.

How users can update Microsoft Edge

Most Edge installations update automatically, but users can check manually. Open Edge, select the three-dot menu, go to Help and feedback, then choose About Microsoft Edge.

Edge will check for updates and install the latest available version. Users should restart the browser when prompted so the patched version loads properly.

Administrators using managed deployments should check update rings, policies, and endpoint management dashboards. Some enterprise devices may not update immediately if browser updates are deferred or controlled through policy.

What administrators should monitor

Because this flaw involves file handling, security teams should watch for unusual file operations linked to msedge.exe or child processes launched from the browser. Alerts involving unexpected writes, path traversal patterns, or suspicious archive extraction deserve review.

Teams should also look for post-exploitation behavior, such as new startup entries, unusual scheduled tasks, suspicious PowerShell activity, or unauthorized access to browser profile data.

Microsoft’s release notes remain the best way to confirm the fixed Edge version, while Tenable’s detection can help security teams identify machines that still report an older installed version.

Two related Edge flaws were fixed too

The May 15 Edge update also fixed CVE-2026-45494 and CVE-2026-45492. CVE-2026-45494 is listed as a spoofing vulnerability, while CVE-2026-45492 is described as an improper input validation issue that can allow a security feature bypass.

These related flaws matter because browser attacks often involve chains. A lower-severity bug can help make a more serious vulnerability easier to exploit, depending on the browser state and the attacker’s delivery method.

Mondoo’s CVE data shows that CVE-2026-45495 requires user interaction but does not require privileges. That combination makes social engineering a key risk, especially in environments where users regularly open external links or files.

What this means for Edge users

The most important action is simple. Users and administrators should confirm that Edge has updated to 148.0.3967.70 or later.

Organizations should also treat browser patching as part of endpoint security, not as a background task. A delayed browser update can leave users exposed even when Windows itself appears fully patched.

For enterprises, the safest approach combines fast Edge updates, attachment filtering, least-privilege accounts, and endpoint monitoring. That reduces the chance that a user-click attack turns into broader system compromise.

FAQ