CRITICAL CVE-2026-58289 Published Modified CNA microsoft

CVE-2026-58289: Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability

Access of resource using incompatible type ('type confusion') in Microsoft Edge (Chromium-based) allows an unauthorized attacker to execute code over a network.

Metrics

CVSS v3.1: 9.0
Severity: CRITICAL
Fixed in: 150.0.4078.48
Affected Products: 1


HarborGuard Analysis

Synopsis

A type confusion vulnerability in Microsoft Edge (Chromium-based) allows an unauthenticated remote attacker to execute arbitrary code on affected systems. The flaw is reachable over the network with no credentials required, though exploitation involves high attack complexity due to environmental or timing conditions. Successful exploitation gives an attacker full code execution capability, with high impact to confidentiality, integrity, and availability in a scope that extends beyond the browser process itself. A patched-image rebuild at version 150.0.4078.48 is available on HarborGuard for environments running an affected version.

HarborGuard Coverage

Detection

Detection is available across every HarborGuard environment: CVE-2026-58289 is ingested from upstream advisory feeds within minutes of publication and matched against all customer images, including custom-built images that bundle Microsoft Edge (Chromium-based) below version 150.0.4078.48. Coverage applies to both registry scans and pipeline-integrated scans at build time.

Status: Available

Triage

HarborGuard scores this CVE at CVSS 9.0 (Critical) and weights it against each environment's compliance policy to determine routing priority. Triage alerts are directed to the appropriate team inbox within each customer organization based on image ownership and policy configuration.

Status: Available

Patch

A patched-image rebuild at Microsoft Edge version 150.0.4078.48 becomes available through HarborGuard once the upstream fix is confirmed, eliminating the vulnerable package from affected images. For customers who opt into auto-remediation, HarborGuard runs a regression test suite against the rebuilt image and opens a pull request against affected workloads; for Critical-severity issues, the median time from CVE publication to merged patch PR is around 90 minutes in environments with auto-remediation enabled.

Status: Available

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the affected Edge instance over a network, as the vulnerability is exposed via a network-accessible attack vector (AV:N).

  • Authentication: Not required

    No credentials or prior account access are needed; the attack can be launched by an unauthenticated party (PR:N).

  • Victim interaction: Not required

    No user action such as clicking a link or opening a file is required to trigger the vulnerability (UI:N).

  • Attack complexity: Detail

    Exploitation is rated high complexity (AC:H), meaning the attacker must account for specific environmental conditions, timing constraints, or memory layout factors to reliably trigger the type confusion.

Blast Radius

  • A successful attacker executes arbitrary code in the context of the browser process, with impact scoped beyond the browser itself due to the Changed scope (S:C) rating.
  • Confidentiality impact is high: the attacker reads sensitive data accessible to the process, including stored credentials, session tokens, and browsing history.
  • Integrity impact is high: the attacker modifies files, persisted data, or system state reachable from the compromised process.
  • Availability impact is high: the attacker crashes or fully disrupts the affected service or host processes dependent on it.

How HarborGuard Handles This

Available on HarborGuard: images containing Microsoft Edge (Chromium-based) below version 150.0.4078.48 are flagged Critical immediately upon scan. Where compliance policy permits auto-remediation, HarborGuard rebuilds the image at version 150.0.4078.48, runs a regression test suite, and opens a pull request against affected workloads; the median time from CVE publication to merged patch PR for Critical-severity issues is around 90 minutes in environments with auto-remediation enabled. For environments where auto-remediation requires manual approval, the rebuilt image and test results are staged and waiting for engineer sign-off. Teams that cannot immediately update should consider network-policy controls to restrict which workloads can load or serve Edge-based content, reducing exposure while the patch is reviewed.

Affected packages
  • Microsoft / Microsoft Edge (Chromium-based)
    < 150.0.4078.48 (from 1.0.0.0)
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C