🟠 High | Source: Microsoft Security Response Center
CVE-2026-13021 is an inappropriate-implementation vulnerability in Chromium’s DeviceBoundSessionCredentials feature that could be exploited via a malicious website. Because Microsoft Edge is built on Chromium, it inherits this flaw and is patched through a Chromium update. Google has addressed this in Chrome, and Microsoft Edge users should ensure they are running the latest version.
Security Architect’s Take: Ensure all managed endpoints running Microsoft Edge (or Chrome) are updated to the latest Chromium-based release via your endpoint management tooling (e.g. Intune, WSUS, or your browser deployment pipeline). Pay particular attention to enterprise environments where DeviceBoundSessionCredentials may be in use for workload or user authentication flows.
Original advisory: Chromium: CVE-2026-13021 Inappropriate implementation in DeviceBoundSessionCredentials