CVE-2026-11642: Use-After-Free in Edge Web Apps

🟠 High | Source: Microsoft Security Response Center

A use-after-free vulnerability (CVE-2026-11642) has been identified in the Web Apps component of Chromium, the open-source engine underpinning Microsoft Edge. Use-after-free flaws occur when a programme continues to reference memory after it has been freed, which can allow an attacker to execute arbitrary code. Microsoft Edge inherits this fix via its Chromium ingestion pipeline, and users should update to the patched version promptly. ...

16 June 2025 · ZX Cloud Security

CVE-2026-11641: Chromium Bluetooth Use-After-Free in Edge

🟠 High | Source: Microsoft Security Response Center

A use-after-free vulnerability in the Bluetooth component of the Chromium engine (CVE-2026-11641) has been patched by Google and is being ingested into Microsoft Edge. Use-after-free flaws occur when a programme continues to use memory after freeing it, potentially allowing an attacker to execute arbitrary code. Although assigned under the Azure/Microsoft advisory, the root cause lies in Chromium and affects any Chromium-based browser, including Edge. ...

16 June 2025 · ZX Cloud Security

CVE-2026-11640: Integer Overflow in libyuv | Microsoft Edge

🟠 High | Source: Microsoft Security Response Center

An integer overflow vulnerability (CVE-2026-11640) has been identified in libyuv, a library used within the Chromium engine that underpins Microsoft Edge. Integer overflow flaws can potentially be exploited to cause unexpected behaviour, memory corruption, or arbitrary code execution. Microsoft Edge receives this fix via its Chromium ingestion pipeline, so updating Edge addresses the issue.

Security Architect’s Take: Ensure Microsoft Edge is updated to the latest Chromium-based release across all managed endpoints and virtual desktop infrastructure, including Azure Virtual Desktop environments. Validate that your endpoint management tooling (e.g. Intune or SCCM) has deployed the patch and consider enforcing browser version compliance policies. ...

16 June 2025 · ZX Cloud Security

CVE-2026-11639: Chromium Use-After-Free in MS Edge

🟠 High | Source: Microsoft Security Response Center

A use-after-free vulnerability in the Chromium Compositing component has been assigned CVE-2026-11639 by Google Chrome. Microsoft Edge, being Chromium-based, inherits this flaw and has been patched via its regular Chromium ingestion process. Use-after-free bugs can allow attackers to execute arbitrary code by manipulating freed memory, making them particularly dangerous in browser contexts.

Security Architect’s Take: Ensure Microsoft Edge is updated to the latest version across all managed endpoints and virtual desktop environments — particularly relevant for Azure Virtual Desktop deployments. Validate that endpoint management policies (e.g. via Microsoft Intune) are enforcing automatic browser updates, and consider temporarily restricting Edge usage on high-risk systems until patching is confirmed. ...

16 June 2025 · ZX Cloud Security

CVE-2026-11638: Use-After-Free in Edge Chromium Printing

🟠 High | Source: Microsoft Security Response Center

A use-after-free vulnerability (CVE-2026-11638) has been identified in the Printing component of Chromium, the open-source browser engine underpinning Microsoft Edge. Use-after-free flaws occur when a programme continues to reference memory after it has been freed, potentially allowing an attacker to execute arbitrary code. This vulnerability affects Microsoft Edge (Chromium-based) and has been addressed upstream by Google Chrome.

Security Architect’s Take: Ensure Microsoft Edge is updated to the latest patched version across all managed endpoints and virtual desktop environments — pay particular attention to Azure Virtual Desktop and any browser-based access solutions. Consider enforcing browser version compliance via Intune or equivalent MDM policy to reduce exposure windows. ...

16 June 2025 · ZX Cloud Security

CVE-2026-11637: Use After Free in Microsoft Edge Chromium

🟠 High | Source: Microsoft Security Response Center

A use-after-free vulnerability (CVE-2026-11637) has been identified in the Chromium Views component, affecting Microsoft Edge as it is built on the Chromium engine. Use-after-free flaws can allow attackers to execute arbitrary code by manipulating freed memory, potentially compromising the affected browser. Microsoft is tracking the fix via Google’s upstream Chromium release.

Security Architect’s Take: Ensure Microsoft Edge is updated to the latest stable release across your organisation’s managed endpoints, as the fix originates from the Chromium project. If you use browser-based access to Azure portals or cloud management consoles, prioritise patching Edge on privileged workstations first. ...

16 June 2025 · ZX Cloud Security

CVE-2026-11636: Use After Free in Edge Autofill

🟠 High | Source: Microsoft Security Response Center

A use-after-free vulnerability in Chromium’s Autofill component has been assigned CVE-2026-11636 by Google. Microsoft Edge, being Chromium-based, is affected and has ingested the upstream fix from Chrome. Use-after-free flaws can allow attackers to execute arbitrary code by manipulating freed memory, making them potentially serious if exploited via a malicious webpage.

Security Architect’s Take: Ensure Microsoft Edge is updated to the latest stable release across your organisation’s endpoints and virtual desktop infrastructure, including Azure Virtual Desktop environments. Verify endpoint management policies (e.g. via Intune or group policy) are enforcing automatic browser updates without delay. ...

16 June 2025 · ZX Cloud Security

CVE-2026-11635: Chromium Bluetooth Use-After-Free in Edge

🟠 High | Source: Microsoft Security Response Center

A use-after-free vulnerability in the Chromium Bluetooth component has been assigned CVE-2026-11635 by the Chrome team. Microsoft Edge, being Chromium-based, is affected and has ingested the upstream fix from Google. Use-after-free flaws can allow attackers to execute arbitrary code by manipulating freed memory, making this a serious concern for end-user and enterprise browser security.

Security Architect’s Take: Ensure Microsoft Edge is updated to the latest stable release that includes the patched Chromium build, and verify that your organisation’s browser update policies enforce automatic updates. If Edge is deployed on Azure Virtual Desktop or corporate endpoints, prioritise rollout through Intune or your endpoint management tooling immediately. ...

16 June 2025 · ZX Cloud Security

CVE-2026-11634: Use-After-Free in Chromium Gamepad

🟠 High | Source: Microsoft Security Response Center

A use-after-free vulnerability (CVE-2026-11634) has been identified in the Gamepad component of the Chromium browser engine. Because Microsoft Edge is built on Chromium, it inherits this flaw and requires patching. Use-after-free bugs can allow attackers to execute arbitrary code or destabilise the browser by manipulating freed memory.

Security Architect’s Take: Ensure Microsoft Edge is updated to the latest stable release across all managed endpoints and virtual desktop environments — pay particular attention to Azure Virtual Desktop and Dev Box deployments where browser updates may lag behind. Validate that your endpoint management policies (e.g. Intune) are enforcing automatic Edge updates. ...

16 June 2025 · ZX Cloud Security

CVE-2026-11633: Chromium Bluetooth Use-After-Free in Edge

🟠 High | Source: Microsoft Security Response Center

A use-after-free vulnerability in the Bluetooth component of the Chromium browser engine has been assigned CVE-2026-11633. Microsoft Edge, which is built on Chromium, is affected and has ingested Google’s upstream fix. Use-after-free flaws can allow attackers to execute arbitrary code by manipulating freed memory, potentially compromising the user’s machine.

Security Architect’s Take: Ensure Microsoft Edge is updated to the latest stable release across your enterprise estate, prioritising devices with Bluetooth enabled. Consider enforcing browser version compliance via Intune or your endpoint management tooling, and review whether Edge auto-update policies are active for managed endpoints. ...

16 June 2025 · ZX Cloud Security
