A use-after-free vulnerability (CVE-2026-11642) has been identified in the Web Apps component of Chromium, the open-source engine underpinning Microsoft Edge. Use-after-free flaws occur when a programme continues to reference memory after it has been freed, which can allow an attacker to execute arbitrary code. Microsoft Edge inherits this fix via its Chromium ingestion pipeline, and users should update to the patched version promptly.

Security Architect’s Take: Ensure Microsoft Edge is updated to the latest version across all managed endpoints and virtual desktop environments, particularly where Edge is deployed within Azure Virtual Desktop or Windows 365 workloads. Consider enforcing browser update policies via Microsoft Intune or Group Policy to reduce the window of exposure for Chromium-based vulnerabilities.

Original advisory: Chromium: CVE-2026-11642 Use after free in Web Apps

A use-after-free vulnerability in the Bluetooth component of the Chromium engine (CVE-2026-11641) has been patched by Google and is being ingested into Microsoft Edge. Use-after-free flaws occur when a programme continues to use memory after freeing it, potentially allowing an attacker to execute arbitrary code. Although assigned under the Azure/Microsoft advisory, the root cause lies in Chromium and affects any Chromium-based browser, including Edge.

Security Architect’s Take: Ensure Microsoft Edge deployments across your organisation are updated to the latest version as soon as the patched build is available; where Edge is used on Azure Virtual Desktop or enterprise endpoints, prioritise patch validation and consider enforcing browser version controls via Intune or Group Policy to limit exposure.

Original advisory: Chromium: CVE-2026-11641 Use after free in Bluetooth

A integer overflow vulnerability (CVE-2026-11640) has been identified in libyuv, a library used within the Chromium engine that underpins Microsoft Edge. Integer overflow flaws can potentially be exploited to cause unexpected behaviour, memory corruption, or arbitrary code execution. Microsoft Edge receives this fix via its Chromium ingestion pipeline, so updating Edge addresses the issue.

Security Architect’s Take: Ensure Microsoft Edge is updated to the latest Chromium-based release across all managed endpoints and virtual desktop infrastructure, including Azure Virtual Desktop environments. Validate that your endpoint management tooling (e.g. Intune or SCCM) has deployed the patch and consider enforcing browser version compliance policies.

Original advisory: Chromium: CVE-2026-11640 Integer overflow in libyuv

A use-after-free vulnerability in the Chromium Compositing component has been assigned CVE-2026-11639 by Google Chrome. Microsoft Edge, being Chromium-based, inherits this flaw and has been patched via its regular Chromium ingestion process. Use-after-free bugs can allow attackers to execute arbitrary code by manipulating freed memory, making them particularly dangerous in browser contexts.

Security Architect’s Take: Ensure Microsoft Edge is updated to the latest version across all managed endpoints and virtual desktop environments — particularly relevant for Azure Virtual Desktop deployments. Validate that endpoint management policies (e.g. via Microsoft Intune) are enforcing automatic browser updates, and consider temporarily restricting Edge usage on high-risk systems until patching is confirmed.

Original advisory: Chromium: CVE-2026-11639 Use after free in Compositing

A use-after-free vulnerability (CVE-2026-11638) has been identified in the Printing component of Chromium, the open-source browser engine underpinning Microsoft Edge. Use-after-free flaws occur when a programme continues to reference memory after it has been freed, potentially allowing an attacker to execute arbitrary code. This vulnerability affects Microsoft Edge (Chromium-based) and has been addressed upstream by Google Chrome.

Security Architect’s Take: Ensure Microsoft Edge is updated to the latest patched version across all managed endpoints and virtual desktop environments — pay particular attention to Azure Virtual Desktop and any browser-based access solutions. Consider enforcing browser version compliance via Intune or equivalent MDM policy to reduce exposure windows.

Original advisory: Chromium: CVE-2026-11638 Use after free in Printing

A use-after-free vulnerability (CVE-2026-11637) has been identified in the Chromium Views component, affecting Microsoft Edge as it is built on the Chromium engine. Use-after-free flaws can allow attackers to execute arbitrary code by manipulating freed memory, potentially compromising the affected browser. Microsoft is tracking the fix via Google’s upstream Chromium release.

Security Architect’s Take: Ensure Microsoft Edge is updated to the latest stable release across your organisation’s managed endpoints, as the fix originates from the Chromium project. If you use browser-based access to Azure portals or cloud management consoles, prioritise patching Edge on privileged workstations first.

Original advisory: Chromium: CVE-2026-11637 Use after free in Views

A use-after-free vulnerability in Chromium’s Autofill component has been assigned CVE-2026-11636 by Google. Microsoft Edge, being Chromium-based, is affected and has ingested the upstream fix from Chrome. Use-after-free flaws can allow attackers to execute arbitrary code by manipulating freed memory, making them potentially serious if exploited via a malicious webpage.

Security Architect’s Take: Ensure Microsoft Edge is updated to the latest stable release across your organisation’s endpoints and virtual desktop infrastructure, including Azure Virtual Desktop environments. Verify endpoint management policies (e.g. via Intune or group policy) are enforcing automatic browser updates without delay.

Original advisory: Chromium: CVE-2026-11636 Use after free in Autofill

A use-after-free vulnerability in the Chromium Bluetooth component has been assigned CVE-2026-11635 by the Chrome team. Microsoft Edge, being Chromium-based, is affected and has ingested the upstream fix from Google. Use-after-free flaws can allow attackers to execute arbitrary code by manipulating freed memory, making this a serious concern for end-user and enterprise browser security.

Security Architect’s Take: Ensure Microsoft Edge is updated to the latest stable release that includes the patched Chromium build, and verify that your organisation’s browser update policies enforce automatic updates. If Edge is deployed on Azure Virtual Desktop or corporate endpoints, prioritise rollout through Intune or your endpoint management tooling immediately.

Original advisory: Chromium: CVE-2026-11635 Use after free in Bluetooth

A use-after-free vulnerability (CVE-2026-11634) has been identified in the Gamepad component of the Chromium browser engine. Because Microsoft Edge is built on Chromium, it inherits this flaw and requires patching. Use-after-free bugs can allow attackers to execute arbitrary code or destabilise the browser by manipulating freed memory.

Security Architect’s Take: Ensure Microsoft Edge is updated to the latest stable release across all managed endpoints and virtual desktop environments — pay particular attention to Azure Virtual Desktop and Dev Box deployments where browser updates may lag behind. Validate that your endpoint management policies (e.g. Intune) are enforcing automatic Edge updates.

Original advisory: Chromium: CVE-2026-11634 Use after free in Gamepad

A use-after-free vulnerability in the Bluetooth component of the Chromium browser engine has been assigned CVE-2026-11633. Microsoft Edge, which is built on Chromium, is affected and has ingested Google’s upstream fix. Use-after-free flaws can allow attackers to execute arbitrary code by manipulating freed memory, potentially compromising the user’s machine.

Security Architect’s Take: Ensure Microsoft Edge is updated to the latest stable release across your enterprise estate, prioritising devices with Bluetooth enabled. Consider enforcing browser version compliance via Intune or your endpoint management tooling, and review whether Edge auto-update policies are active for managed endpoints.

Original advisory: Chromium: CVE-2026-11633 Use after free in Bluetooth

A use-after-free vulnerability (CVE-2026-11632) has been identified in the TabStrip component of the Chromium browser engine. Microsoft Edge, being Chromium-based, inherits this flaw and requires patching via a Chromium upstream fix. Use-after-free bugs can allow attackers to execute arbitrary code by manipulating freed memory, potentially compromising the user’s system.

Security Architect’s Take: Ensure Microsoft Edge is updated to the latest version across all managed endpoints and virtual desktop environments, including Azure Virtual Desktop deployments. Enforce browser update policies via Intune or Group Policy, and consider restricting Edge usage in privileged-access workstations until the patch is confirmed deployed.

Original advisory: Chromium: CVE-2026-11632 Use after free in TabStrip

A use-after-free vulnerability (CVE-2026-11631) has been identified in the Aura windowing framework within the Chromium engine. Microsoft Edge, being Chromium-based, is affected and has ingested the upstream fix from Google Chrome. Use-after-free flaws can allow attackers to execute arbitrary code by manipulating freed memory, making them potentially serious if exploited via a malicious webpage.

Security Architect’s Take: Ensure Microsoft Edge is updated to the latest stable release across all managed endpoints and virtual desktop environments, including Azure Virtual Desktop deployments. Verify that browser update policies are enforced via Intune or Group Policy, and consider temporarily restricting access to untrusted web content on sensitive workstations until patching is confirmed.

Original advisory: Chromium: CVE-2026-11631 Use after free in Aura

A use-after-free vulnerability (CVE-2026-11630) has been identified in the File Input component of Chromium, the open-source browser engine underpinning Microsoft Edge. Use-after-free flaws occur when a programme continues to reference memory after it has been freed, potentially allowing an attacker to execute arbitrary code. Microsoft Edge users and enterprise deployments are affected until the Chromium-based patch is applied.

Security Architect’s Take: Ensure Microsoft Edge is updated to the latest Chromium-based release across all managed endpoints and virtual desktop environments, including any Azure Virtual Desktop or Windows 365 deployments. Prioritise enforcement via Intune or Group Policy, and review browser auto-update policies to confirm they are active.

Original advisory: Chromium: CVE-2026-11630 Use after free in File Input

A use-after-free vulnerability (CVE-2026-11629) has been identified in the Ozone windowing framework within the Chromium engine. Microsoft Edge, being Chromium-based, is affected and has ingested the fix from Google Chrome. Use-after-free flaws can allow attackers to execute arbitrary code by manipulating freed memory, potentially compromising the browser and the underlying system.

Security Architect’s Take: Ensure Microsoft Edge is updated to the latest Chromium-based release across all managed endpoints and virtual desktop environments, including Azure Virtual Desktop. Prioritise patching for any users accessing sensitive cloud consoles or internal tooling via Edge.

Original advisory: Chromium: CVE-2026-11629 Use after free in Ozone

A use-after-free vulnerability (CVE-2026-11628) has been identified in the Ozone display platform component of Chromium. Microsoft Edge, being Chromium-based, inherits this flaw and has been patched via Google’s upstream Chromium release. Use-after-free bugs can allow attackers to execute arbitrary code by manipulating freed memory, making them potentially severe.

Security Architect’s Take: Ensure Microsoft Edge is updated to the latest Chromium-based release across all managed endpoints and virtual desktop environments, including Azure Virtual Desktop deployments. Validate that your browser update policies enforce automatic patching and consider using Microsoft Endpoint Manager or Intune to confirm compliance.

Original advisory: Chromium: CVE-2026-11628 Use after free in Ozone

A out-of-bounds write vulnerability has been identified in the Codecs component of Chromium, tracked as CVE-2026-12019. Microsoft Edge inherits this flaw due to its Chromium-based architecture. Out-of-bounds write vulnerabilities can allow attackers to corrupt memory and potentially execute arbitrary code, making this a serious concern for organisations using Edge in corporate environments.

Security Architect’s Take: Ensure Microsoft Edge is updated to the latest stable release as soon as a patched version is available, and prioritise this across managed endpoints via Intune or your preferred patch management tooling. If Edge is deployed in Azure Virtual Desktop or used to access cloud management portals, treat this as elevated risk and expedite deployment.

Original advisory: Chromium: CVE-2026-12019 Out of bounds write  Codecs

CVE-2026-12016 is a vulnerability in Chromium’s DevTools component involving insufficient validation of untrusted input. Microsoft Edge (Chromium-based) is affected as it inherits this flaw from the upstream Chromium project. Google has issued a fix via Chrome Desktop Updates, and Microsoft is consuming that patch into Edge.

Security Architect’s Take: Ensure Microsoft Edge is updated to the latest version across all managed endpoints and virtual desktop environments, particularly where users access cloud consoles or DevTools in browser-based workflows. Enforce browser update policies via Intune or Group Policy to minimise exposure windows.

Original advisory: Chromium: CVE-2026-12016 Insufficient validation of untrusted input  DevTools

A use-after-free vulnerability (CVE-2026-12015) has been identified in the Autofill component of Chromium, the open-source browser engine underpinning Microsoft Edge. Use-after-free flaws occur when a programme continues to reference memory after it has been freed, potentially allowing an attacker to execute arbitrary code. Microsoft Edge inherits this vulnerability from Chromium and is addressed via Google’s upstream patch.

Security Architect’s Take: Ensure Microsoft Edge is updated to the latest stable release across all managed endpoints and virtual desktop environments, including Azure Virtual Desktop and Windows 365 deployments. Validate that your browser update policies via Intune or Group Policy are enforcing timely Chromium-based Edge updates, particularly for privileged users accessing cloud management consoles.

Original advisory: Chromium: CVE-2026-12015 Use after free  Autofill

CVE-2026-12012 is a use-after-free vulnerability in the Network component of Chromium, the open-source browser engine underpinning Microsoft Edge. Use-after-free flaws occur when a programme continues to use memory after it has been freed, potentially allowing an attacker to execute arbitrary code. Microsoft Edge inherits this vulnerability from Chromium and is addressed via Google’s upstream patch.

Security Architect’s Take: Ensure Microsoft Edge is updated to the latest version across all managed endpoints and virtual desktop environments — prioritise any Azure Virtual Desktop or Windows 365 deployments where browser-based access to cloud resources is common. Verify your endpoint management tooling (e.g. Intune) is enforcing the patched Edge build.

Original advisory: Chromium: CVE-2026-12012 Use after free  Network

A use-after-free vulnerability (CVE-2026-12008) has been identified in the Chromium DigitalCredentials component, affecting Microsoft Edge due to its Chromium-based architecture. Use-after-free flaws occur when a programme continues to reference memory after it has been freed, potentially allowing an attacker to execute arbitrary code. This is particularly relevant in browser-based environments where users access cloud management portals and sensitive web applications.

Security Architect’s Take: Ensure Microsoft Edge is updated to the latest stable release as soon as Microsoft publishes a patched build ingesting the fixed Chromium version; consider enforcing browser version compliance via Intune or Group Policy to reduce exposure across managed endpoints accessing Azure portals and cloud consoles.

Original advisory: Chromium: CVE-2026-12008 Use after free  DigitalCredentials