CVE-2026-58289: Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability
Access of resource using incompatible type ('type confusion') in Microsoft Edge (Chromium-based) allows an unauthorized attacker to execute code over a network.
Metrics
- CVSS v3.1: 9.0
- Severity: CRITICAL
- Fixed in: 150.0.4078.48
- Affected Products: 1
HarborGuard Analysis
Synopsis
A type confusion vulnerability in Microsoft Edge (Chromium-based) allows an unauthenticated remote attacker to execute arbitrary code on affected systems. The flaw is reachable over the network with no credentials required, though exploitation involves high attack complexity due to environmental or timing conditions. Successful exploitation gives an attacker full code execution capability, with high impact to confidentiality, integrity, and availability in a scope that extends beyond the browser process itself. A patched-image rebuild at version 150.0.4078.48 is available on HarborGuard for environments running an affected version.
HarborGuard Coverage
Detection is available across every HarborGuard environment: CVE-2026-58289 is ingested from upstream advisory feeds within minutes of publication and matched against all customer images, including custom-built images that bundle Microsoft Edge (Chromium-based) below version 150.0.4078.48. Coverage applies to both registry scans and pipeline-integrated scans at build time.
HarborGuard scores this CVE at CVSS 9.0 (Critical) and weights it against each environment's compliance policy to determine routing priority. Triage alerts are directed to the appropriate team inbox within each customer organization based on image ownership and policy configuration.
A patched-image rebuild at Microsoft Edge version 150.0.4078.48 becomes available through HarborGuard once the upstream fix is confirmed, eliminating the vulnerable package from affected images. For customers who opt into auto-remediation, HarborGuard runs a regression test suite against the rebuilt image and opens a pull request against affected workloads; for Critical-severity issues, the median time from CVE publication to merged patch PR is around 90 minutes in environments with auto-remediation enabled.
Exploit Conditions
- Network reachability: Required
The attacker must reach the affected Edge instance over a network, as the vulnerability is exposed via a network-accessible attack vector (AV:N).
- Authentication: Not required
No credentials or prior account access are needed; the attack can be launched by an unauthenticated party (PR:N).
- Victim interaction: Not required
No user action such as clicking a link or opening a file is required to trigger the vulnerability (UI:N).
- Attack complexity: High
Exploitation is rated high complexity (AC:H), meaning the attacker must account for specific environmental conditions, timing constraints, or memory layout factors to reliably trigger the type confusion.
Blast Radius
- A successful attacker executes arbitrary code in the context of the browser process, with impact scoped beyond the browser itself due to the Changed scope (S:C) rating.
- Confidentiality impact is high: the attacker reads sensitive data accessible to the process, including stored credentials, session tokens, and browsing history.
- Integrity impact is high: the attacker modifies files, persisted data, or system state reachable from the compromised process.
- Availability impact is high: the attacker crashes or fully disrupts the affected service or host processes dependent on it.
How HarborGuard Handles This
Available on HarborGuard: images containing Microsoft Edge (Chromium-based) below version 150.0.4078.48 are flagged Critical immediately upon scan. Where compliance policy permits auto-remediation, HarborGuard rebuilds the image at version 150.0.4078.48, runs a regression test suite, and opens a pull request against affected workloads; the median time from CVE publication to merged patch PR for Critical-severity issues is around 90 minutes in environments with auto-remediation enabled. For environments where auto-remediation requires manual approval, the rebuilt image and test results are staged and waiting for engineer sign-off. Teams that cannot immediately update should consider network-policy controls to restrict which workloads can load or serve Edge-based content, reducing exposure while the patch is reviewed.
Fix available
- Microsoft / Microsoft Edge (Chromium-based): < 150.0.4078.48 (from 1.0.0.0)
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C