🟠 High | Source: Microsoft Security Response Center
A race condition vulnerability in Microsoft Edge for Android allows an attacker to remotely execute arbitrary code on affected devices over a network, without requiring any user authentication. The flaw stems from a time-of-check time-of-use (TOCTOU) weakness, where the timing gap between a security check and its corresponding action can be exploited. This is particularly concerning for organisations where employees use Android devices to access cloud resources or corporate data through Edge.
Security Architect’s Take: Ensure mobile device management (MDM) policies enforce prompt browser updates and consider restricting access to sensitive cloud environments from unpatched Android devices until Edge is updated to the patched version. Review conditional access policies in Azure AD/Entra ID to enforce device compliance checks for mobile endpoints.
Original advisory: CVE-2026-58299 Microsoft Edge for Android Remote Code Execution Vulnerability
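As an added example (not from the advisory or from Microsoft), the conditional access review recommended above can be scripted against a JSON export of the tenant's policies. The sketch assumes the Microsoft Graph `conditionalAccessPolicy` shape; the sample policies and the function names are constructed for illustration, and only `builtInControls` are evaluated.

```python
# Constructed sample shaped like a Microsoft Graph export of
# /identity/conditionalAccess/policies; display names are made up.
SAMPLE_POLICIES = [
    {"displayName": "Mobile - require compliant device", "state": "enabled",
     "conditions": {"platforms": {"includePlatforms": ["android", "iOS"]}},
     "grantControls": {"operator": "OR", "builtInControls": ["compliantDevice"]}},
    {"displayName": "All platforms - MFA or compliant", "state": "enabled",
     "conditions": {"platforms": None},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa", "compliantDevice"]}},
    {"displayName": "Android - compliant (pilot)", "state": "enabledForReportingButNotEnforced",
     "conditions": {"platforms": {"includePlatforms": ["android"]}},
     "grantControls": {"operator": "AND", "builtInControls": ["mfa", "compliantDevice"]}},
    {"displayName": "Windows - compliant", "state": "enabled",
     "conditions": {"platforms": {"includePlatforms": ["windows"]}},
     "grantControls": {"operator": "OR", "builtInControls": ["compliantDevice"]}},
]

def covers_android(policy):
    """True if the policy's platform condition applies to Android sign-ins."""
    platforms = (policy.get("conditions") or {}).get("platforms")
    if not platforms:  # no platform condition means every platform is in scope
        return True
    include = {p.lower() for p in platforms.get("includePlatforms") or []}
    exclude = {p.lower() for p in platforms.get("excludePlatforms") or []}
    return bool(include & {"android", "all"}) and "android" not in exclude

def compliance_gap(policy):
    """Return None if device compliance is mandatory, else the reason it is not."""
    grant = policy.get("grantControls") or {}
    controls = grant.get("builtInControls") or []
    if "compliantDevice" not in controls:
        return "no compliantDevice grant control"
    if len(controls) > 1 and (grant.get("operator") or "OR").upper() != "AND":
        return "compliantDevice is optional (OR with other controls)"
    if policy.get("state") != "enabled":
        return "policy state is %s, not enforced" % policy.get("state")
    return None

def audit(policies):
    """Map each Android-scoped policy name to its gap reason (None = enforcing)."""
    return {p["displayName"]: compliance_gap(p) for p in policies if covers_android(p)}

if __name__ == "__main__":
    for name, reason in audit(SAMPLE_POLICIES).items():
        print("%-36s %s" % (name, reason or "ENFORCING"))
```

A policy that lists `compliantDevice` alongside `mfa` under an `OR` operator is reported as a gap, because an unpatched Android device can satisfy it with MFA alone.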