Microsoft disclosed CVE-2026-42838, an elevation of privilege flaw in Chromium-based Microsoft Edge caused by improper neutralization of special elements in output used by a downstream component (CWE-74). The company rated the issue Moderate with a CVSS 3.1 score of 5.4, stating that exploitation requires user interaction, can be launched over the network with low attack complexity, and would give an attacker the same rights as the user running the browser. Microsoft said the vulnerability was not publicly disclosed, not exploited in the wild, and less likely to be exploited at the time of publication.
A fix was released in Microsoft Edge version 148.0.3967.55, based on Chromium 148.0.7778.97. The disclosure follows a long pattern of Microsoft Edge privilege-escalation advisories, including earlier CVEs such as CVE-2022-26895, CVE-2022-23262, CVE-2022-26908, CVE-2022-26894, CVE-2022-26900, CVE-2022-44708, CVE-2022-21954, CVE-2022-21970, CVE-2021-34475, CVE-2022-33680, and CVE-2022-26909, underscoring the recurring need to keep Edge updated to the latest security release.

Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
7 events from the most recent confirmed update back to the earliest known activity.
Microsoft disclosed CVE-2026-42838, a moderate-severity Chromium-based Edge elevation of privilege flaw caused by improper neutralization of special elements in output used by a downstream component. Microsoft said the issue was neither publicly disclosed nor exploited in the wild at publication and released a fix in Edge version 148.0.3967.55 based on Chromium 148.0.7778.97.
Microsoft published a Security Update Guide entry for CVE-2022-33680, an elevation of privilege vulnerability in Chromium-based Microsoft Edge.
Microsoft published a Security Update Guide entry for CVE-2022-44708, identifying an elevation of privilege vulnerability in Chromium-based Microsoft Edge.
Microsoft published a Security Update Guide entry for CVE-2022-23262, another elevation of privilege vulnerability in Chromium-based Microsoft Edge.
Microsoft published Security Update Guide entries for CVE-2022-21954 and CVE-2022-21970 affecting Chromium-based Microsoft Edge. The CVE-2022-21954 entry appears in both the MSRC portal and product advisories and is treated as a single disclosure event.
Microsoft published Security Update Guide entries for several Chromium-based Microsoft Edge elevation of privilege flaws: CVE-2022-26894, CVE-2022-26895, CVE-2022-26900, CVE-2022-26908, and CVE-2022-26909.
Microsoft published a Security Update Guide entry for CVE-2021-34475, an elevation of privilege vulnerability affecting Chromium-based Microsoft Edge.
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
14 references tracked. Mallory keeps watching after this page renders.
msrc.microsoft.com
Open sourcemsrc.microsoft.com
Open sourcemsrc.microsoft.com
Open sourceportal.msrc.microsoft.com
Open sourcemsrc.microsoft.com
Open sourcemsrc.microsoft.com
Open sourcemsrc.microsoft.com
Open sourcemsrc.microsoft.com
Open sourceMap indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.