Critical Vulnerability Chain Discovered in Microsoft Edge: A Deep Dive into Pwn2Own Findings
During the high-stakes environment of the Pwn2Own competition, security researcher Orange Tsai from the DEVCORE Research Team successfully demonstrated a sophisticated attack vector against Microsoft Edge. This discovery led to the disclosure of three distinct vulnerabilities—CVE-2026-45492, CVE-2026-45494, and CVE-2026-45495—that, when viewed collectively, highlight significant architectural weaknesses in how the browser handles identity, navigation, and local file operations.
Microsoft officially disclosed these flaws on June 4, 2026, and has since released critical security patches to mitigate the risks. Below is a technical breakdown of each vulnerability and its potential impact on the security posture of end-users.
Technical Breakdown of Vulnerabilities
1. CVE-2026-45492: Origin Validation Failure in Cross-Device Sign-In
The first vulnerability, identified as ZDI-26-329, carries a CVSS score of 4.3. This flaw exists within the logic governing Edge’s cross-device managed sign-in mechanism. Technically, the issue arises from an insufficient validation of the request origin during the authentication handshake between devices.
By bypassing these origin checks, a remote attacker can trick the browser into accessing restricted functionality that should be isolated to authenticated sessions. While this specific flaw does not inherently grant access to sensitive data, its true danger lies in its role as an “entry point” vulnerability. An attacker can use this bypass to facilitate subsequent attacks, effectively lowering the barrier for more complex exploit chains. The CVSS vector (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N) underscores that while it requires user interaction (visiting a malicious site), the attack complexity is low.
2. CVE-2026-45494: Universal Cross-Site Scripting (UXSS) via Navigation Logic
The second flaw, tracked as ZDI-26-330, is a Universal Cross-Site Scripting (UXSS) vulnerability with a CVSS score of 5.0. Unlike standard XSS, which targets a specific site, this vulnerability resides in the fundamental navigation-handling logic of the Edge engine.
Due to improper sanitization of user-supplied data during URL transitions, an attacker can inject arbitrary JavaScript that executes within the security context of any domain the user is currently visiting. This effectively breaks the Same-Origin Policy (SOP), the cornerstone of web security. In an enterprise setting, this is particularly perilous; an attacker could potentially hijack sessions or steal credentials from highly sensitive internal web applications by exploiting the trusted context of the user’s browser navigation.
3. CVE-2026-45495: Directory Traversal Leading to Remote Code Execution (RCE)
The most critical of the triad is CVE-2026-45495 (ZDI-26-331), which carries a high CVSS rating of 7.5. This is a directory traversal vulnerability located within the component responsible for processing Edge’s feedback log files.
The root cause is a failure to properly validate and sanitize file paths provided by the user before the browser performs file system operations. By using “dot-dot-slash” (../) sequences, an attacker can escape the intended log directory and interact with unauthorized areas of the local file system. When chained with the previous two vulnerabilities, this flaw provides a direct path to Remote Code Execution (RCE), allowing an attacker to run malicious code with the privileges of the logged-in user. This represents a total compromise of the confidentiality, integrity, and availability (CIA) of the affected system.
Remediation and Defense
These vulnerabilities were reported to the Microsoft Security Response Center (MSRC) on May 20, 2026. Following a coordinated disclosure through the Zero Day Initiative, Microsoft has deployed patches to address all three vulnerabilities.
Action Required: To defend against these exploits, administrators and individual users must ensure that Microsoft Edge is updated to the latest available version immediately. Because these attacks can be initiated through simple web navigation, maintaining a patched environment is the most effective defense against this specific exploit chain.