A use-after-free vulnerability in the Chromium Compositing component has been assigned CVE-2026-11639 by Google Chrome. Microsoft Edge, being Chromium-based, inherits this flaw and has been patched via its regular Chromium ingestion process. Use-after-free bugs can allow attackers to execute arbitrary code by manipulating freed memory, making them particularly dangerous in browser contexts.

Security Architect’s Take: Ensure Microsoft Edge is updated to the latest version across all managed endpoints and virtual desktop environments — particularly relevant for Azure Virtual Desktop deployments. Validate that endpoint management policies (e.g. via Microsoft Intune) are enforcing automatic browser updates, and consider temporarily restricting Edge usage on high-risk systems until patching is confirmed.

Original advisory: Chromium: CVE-2026-11639 Use after free in Compositing

A use-after-free vulnerability (CVE-2026-11630) has been identified in the File Input component of Chromium, the open-source browser engine underpinning Microsoft Edge. Use-after-free flaws occur when a programme continues to reference memory after it has been freed, potentially allowing an attacker to execute arbitrary code. Microsoft Edge users and enterprise deployments are affected until the Chromium-based patch is applied.

Security Architect’s Take: Ensure Microsoft Edge is updated to the latest Chromium-based release across all managed endpoints and virtual desktop environments, including any Azure Virtual Desktop or Windows 365 deployments. Prioritise enforcement via Intune or Group Policy, and review browser auto-update policies to confirm they are active.

Original advisory: Chromium: CVE-2026-11630 Use after free in File Input

A use-after-free vulnerability (CVE-2026-11628) has been identified in the Ozone display platform component of Chromium. Microsoft Edge, being Chromium-based, inherits this flaw and has been patched via Google’s upstream Chromium release. Use-after-free bugs can allow attackers to execute arbitrary code by manipulating freed memory, making them potentially severe.

Security Architect’s Take: Ensure Microsoft Edge is updated to the latest Chromium-based release across all managed endpoints and virtual desktop environments, including Azure Virtual Desktop deployments. Validate that your browser update policies enforce automatic patching and consider using Microsoft Endpoint Manager or Intune to confirm compliance.

Original advisory: Chromium: CVE-2026-11628 Use after free in Ozone