🟠 High  |  Source: Microsoft Security Response Center


A use-after-free vulnerability (CVE-2026-15905) has been identified in the Aura windowing framework within the Chromium engine. Because Microsoft Edge is built on Chromium, it inherits this flaw, which could allow an attacker to execute arbitrary code or cause a crash by manipulating freed memory. Google has issued a fix via Chrome Releases, and Microsoft Edge will incorporate the patch through its standard Chromium ingestion process.

Security Architect’s Take: Ensure Microsoft Edge is updated to the latest version across all managed endpoints and virtual desktop environments — particularly where Edge is used within Azure Virtual Desktop or Windows 365 deployments. Validate that your patch management tooling is picking up Edge updates promptly, as use-after-free vulnerabilities in browsers are frequently targeted by exploit kits.

Original advisory: Chromium: CVE-2026-15905 Use after free in Aura