Microsoft Edge 149.0.4022.80 Patches 28 Security Flaws, Including Edge-Specific Spoofing Bug
Microsoft has released Edge stable version 149.0.4022.80, addressing 28 documented security vulnerabilities — including one flaw tied exclusively to the browser’s own proprietary code.
The update patches 27 upstream Chromium engine flaws alongside CVE-2026-32208, a spoofing vulnerability that Microsoft’s internal security team identified independently of the open-source Chromium base.
Edge-Specific Flaw Sets This Release Apart
Microsoft Edge runs on Chromium, the open-source engine that also powers Google Chrome, meaning many security patches flow from Chrome’s upstream fixes into Edge releases.
That said, CVE-2026-32208 does not follow that pattern. Microsoft attributed that flaw directly to Edge’s proprietary features, separate from the shared engine code.
Last week, Google patched seven high-severity flaws in Chrome. Microsoft’s release absorbs those fixes and adds its own.
28 CVEs Addressed
The Chromium-sourced vulnerabilities — ranging from use-after-free bugs to out-of-bounds read errors and memory safety flaws — span CVE-2026-12437 through CVE-2026-12468, with gaps in the sequence accounting for removed duplicate entries in the original patch notes.
Use-after-free vulnerabilities allow attackers to execute arbitrary code by accessing memory after a program has freed it. Out-of-bounds read errors expose adjacent memory contents that an attacker can exploit to leak sensitive data or crash the process.
The full list of patched CVEs includes:
Edge-specific:
– CVE-2026-32208
Upstream Chromium Patches:
– CVE-2026-12437, CVE-2026-12439, CVE-2026-12440, CVE-2026-12441, CVE-2026-12443, CVE-2026-12445, CVE-2026-12446, CVE-2026-12447, CVE-2026-12449, CVE-2026-12451, CVE-2026-12452, CVE-2026-12453, CVE-2026-12454, CVE-2026-12455, CVE-2026-12456, CVE-2026-12457, CVE-2026-12458, CVE-2026-12459, CVE-2026-12460, CVE-2026-12461, CVE-2026-12462, CVE-2026-12463, CVE-2026-12464, CVE-2026-12465, CVE-2026-12466, CVE-2026-12467, CVE-2026-12468
How to Apply the Update
Users can trigger the update manually by opening Edge, clicking the three-dot menu in the upper right corner, selecting “Help and feedback,” then “About Microsoft Edge.”
The browser will check for version 149.0.4022.80, download it automatically, and prompt a restart. Users must complete the restart for the patches to take effect.
Microsoft has not publicly disclosed whether any of the 28 vulnerabilities saw active exploitation before this release.
Browser vendors typically disclose active exploitation status in their security advisories, and Microsoft maintains a rolling CVE registry at the Microsoft Security Response Center.
