โ† Back to Cyber Intelligence News
Live Threat Intelligence API โ€” Query this CVE and all KEV alerts in real-time
cyber.mcp.brunosan.de

CVE-2026-4680 in Microsoft Edge (Chromium-based): High-Severity Vulnerability in Routine Patch

📅 March 28, 2026 🔴 Exploit Risk: 0.352 📊 Intelligence Score: 75/100 📰 8 sources synthesized
TL;DR — Read this first
Intelligence Metadata
First Reported By: msrc.microsoft.com
Outbreak Velocity: 0 minutes to 1 unique domain
Consensus: 1 source across 1 unique domain (vendor advisory)
CVSS Score: 8.8
EPSS Score: 0.00128 (0.128th percentile)
CISA KEV Status: Not Listed
Exploit Risk Score: 0.3525
Race Label: FRESH EXPLOIT

Technical Analysis

CVE-2026-4680 is a use-after-free vulnerability in the Federated Credential Management (FedCM) API component of Chromium, which affects Microsoft Edge. It is part of a cluster of memory corruption flaws disclosed by Microsoft, including a heap buffer overflow in WebGL (CVE-2026-4675) and an out-of-bounds read in CSS (CVE-2026-4674). The typical attack chain for such vulnerabilities involves an attacker luring a target to a specially crafted website.

Successful exploitation of these flaws could allow an attacker to corrupt memory, potentially leading to arbitrary code execution within the context of the browser's sandboxed renderer process. To achieve full system compromise, an attacker would likely need to chain this exploit with a separate sandbox escape vulnerability. The disclosure originates directly from the vendor, based on findings from the Chromium project, and lacks independent technical analysis or proof-of-concept code at this time.

Affected Systems

Vendor: Microsoft
Affected Versions:
  • Microsoft Edge (Chromium-based)
Exposure: Requires user interaction, such as navigating to a malicious webpage.
Blast Radius: High. Affects all users of unpatched versions of Microsoft Edge on desktop platforms.

Intelligence Context

The threat picture for CVE-2026-4680 is defined by a significant disparity between its technical severity and its immediate risk. The high CVSS score of 8.8 reflects the potential for remote code execution. However, all leading indicators of active exploitation are negative. The EPSS score is exceptionally low (0.128%), it is not listed on CISA's KEV, and the disclosure is a single-source vendor advisory. This profile is characteristic of a routine, proactive patch release ahead of any observed exploitation. For defenders, this means the vulnerability should be treated as a standard patching requirement rather than an active threat requiring emergency response. Prioritization should be based on established patch management SLAs.

Remediation & Defense

Patch within standard vulnerability management cycles. Monitor for any future reports of exploitation, which would escalate priority.
Patch Status: Available
Patch Version: Users should update to the latest version of Microsoft Edge. The browser typically updates automatically.
Workarounds:
  • Ensure automatic updates for Microsoft Edge are enabled and functioning.
Detection Hints:
  • Monitor for anomalous child process creation from msedge.exe.
  • Utilize EDR solutions to detect and alert on common memory corruption exploitation techniques.
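One way to act on the first detection hint, as an added example that is not part of this advisory: it scans constructed Sysmon-style process-creation records for children of msedge.exe whose image falls outside an allowlist. The field names, the sample records and the allowlist are assumptions to be tuned per environment.

```python
# Constructed sample process-creation events (Sysmon Event ID 1 style fields),
# not real telemetry. The first two are normal Edge activity; the last two are
# the kind of anomaly the detection hint above points at.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "Image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "CommandLine": "msedge.exe --type=renderer --lang=en-US"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "CommandLine": "msedge.exe"},
    {"ParentImage": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c whoami"},
    {"ParentImage": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -NoProfile"},
]

# Assumed allowlist of images msedge.exe legitimately spawns: renderer, GPU and
# utility processes are all msedge.exe itself. Extend it for your environment.
EXPECTED_EDGE_CHILDREN = {"msedge.exe"}


def basename(path):
    """Case-insensitive file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def find_anomalous_edge_children(events):
    """Return the events in which msedge.exe spawned an image outside the allowlist."""
    hits = []
    for ev in events:
        if basename(ev.get("ParentImage", "")) != "msedge.exe":
            continue
        if basename(ev.get("Image", "")) not in EXPECTED_EDGE_CHILDREN:
            hits.append(ev)
    return hits


if __name__ == "__main__":
    for ev in find_anomalous_edge_children(SAMPLE_EVENTS):
        print("ALERT: msedge.exe spawned", basename(ev["Image"]), "|", ev["CommandLine"])
```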
