On June 4, 2026, the TrendAI Zero Day Initiative published advisory ZDI-26-331, revealing a directory traversal vulnerability in Microsoft Edge that leads to Remote Code Execution (RCE). The discovery itself is not the headline: patch 148.0.3967.70 has been available since May 15, 2026. The real issue is the nearly three-week gap between the patch release and coordinated disclosure—a window where millions of enterprise users browsed without awareness of the actual risk.
Cataloged as CVE-2026-45495 with CWE-35 (Path Traversal), the flaw was discovered by Orange Tsai of the DEVCORE team during Pwn2Own. Microsoft rates the vulnerability with a CVSS 3.1 score of 8.8 (HIGH) and an "Exploitation More Likely" assessment. For a browser deployed via IT policies in corporate environments, this combination transforms theoretical exposure into a measured operational risk.
- CVE-2026-45495 is a directory traversal vulnerability in the Microsoft Edge feedback log management component, with CWE-35 confirmed by the official CVE record.
- The patch was released in Edge 148.0.3967.70 on May 15, 2026; coordinated disclosure occurred on June 4, 2026, resulting in a three-week information exposure gap.
- Microsoft assigns a CVSS 3.1 score of 8.8 (HIGH) with an "Exploitation More Likely" label; TrendAI ZDI calculates a 7.5 with vector
AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H, diverging on the Attack Complexity parameter. - Exploitation requires user interaction (visiting a malicious page or opening a malicious file) and chaining with other primitives to achieve full RCE within the current user context.
The Mechanism: From Unvalidated Path to Browser Compromise
The flaw exists specifically in how Edge handles feedback log files. The path provided by the user—or forced by an attacker via a web page or document—is not validated before being used in file system operations. This allows for reading or writing outside the intended directory, exposing the file system to arbitrary manipulation within the browser process context.
"The specific flaw exists within the handling of feedback log files. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations." — TrendAI Zero Day Initiative, advisory ZDI-26-331
Directory traversal alone does not guarantee direct RCE. As ZDI documents, "an attacker can leverage this in conjunction with other vulnerabilities to execute code in the context of the current user." The threat model relies on exploit chaining: the traversal provides a file-system primitive that, when combined with other techniques within the browser sandbox or the operating system, leads to code execution. The requirement for user interaction—a click, a download, or a compromised page—makes the vector compatible with targeted phishing or watering hole attacks.
The CVSS Divergence: Why 7.5 and 8.8 for the Same Flaw
A critical technical detail for enterprise risk assessment: primary sources report conflicting CVSS scores. TrendAI ZDI assigns a 7.5 with the vector AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H, citing High Attack Complexity (AC:H). Conversely, the official CVE Record and Microsoft MSRC advisory list an 8.8 with Low Attack Complexity (AC:L).
This discrepancy is significant. In CVSS 3.1, moving from AC:H to AC:L shifts the severity from borderline to consolidated "High," impacting patching priorities in frameworks like SSVC or VEX. While the dossier does not specify the reason for the divergence—likely differing interpretations of exploit stability or race conditions—IT administrators should adopt Microsoft’s more conservative score for update planning.
Pwn2Own, Credit, and the Disclosure Pathway
Credit for the discovery goes to Orange Tsai (@orange_8361) of the DEVCORE Research Team (@d3vc0r3), a Taiwanese researcher with a proven Pwn2Own track record. Microsoft MSRC acknowledgments confirm the collaboration: "Orange Tsai... working with TrendAI Zero Day Initiative." The report reached the vendor on May 20, 2026, yet the patch was released on May 15, 2026—a timeline suggesting Microsoft integrated the fix into its regular release cycle before the disclosure window opened.
The coordinated public advisory was set for June 4, 2026, as indicated in the ZDI structured fields. This standardized three-week delay post-patch is intended to allow for deployment, but it creates an information asymmetry: administrators not actively monitoring MSRC or lacking automated deployment were operating without knowing the "why" behind the May 15 update or its actual criticality.
Why the Patch-Disclosure Timeline is an Enterprise Problem
As the default browser for Windows 11 and a standard tool in Microsoft 365 environments, Edge's security is paramount. Microsoft’s "Exploitation More Likely" rating—explicitly cited in the MSRC—is not a generic warning; it indicates that the vendor considers the development of functional exploits technically plausible and likely underway, even without confirmed public code. For distributed workforces with staggered update cycles, this factor significantly elevates residual risk.
The May 15 to June 4 period represents a cognitive exposure window: the vulnerability was fixable but uncommunicated. Organizations with centralized update management (Stable, Extended Stable channels) likely received the fix automatically. However, those relying on manual controls, pre-deployment testing, or approval policies may still be running vulnerable versions. The bottleneck here is organizational, not technical; security depends on the speed of internal processes rather than patch availability.
Recommended Actions
- Verify deployed Edge versions: Confirm that all channels (Stable, Beta, Extended Stable) are at 148.0.3967.70 or later, released May 15, 2026, according to Microsoft MSRC.
- Review MSRC classifications: The "Exploitation More Likely" assessment for CVE-2026-45495 must be a priority factor in risk-based patching criteria.
- Audit browser update approval cycles: The patch-disclosure gap for this vulnerability highlights the cost of processes where testing blocks updates based on non-detailed changelogs.
- Monitor for phishing and drive-by indicators: The required user interaction makes this vector dependent on social engineering or the compromise of sites visited by the workforce.
Analysis: Patch Silence as a New Risk Surface
CVE-2026-45495 offers few new technical lessons—it is a standard directory traversal—but it reveals much about the geopolitics of disclosure. Microsoft patched correctly and on time; coordinated disclosure followed the script. Yet, the system produced a gray area of available but unperceived protection. For enterprises, the takeaway is not the fear of zero-days, but the need to measure their mean time to patch awareness: the time elapsed between a critical fix release and the internal realization of its criticality. In an ecosystem where Edge updates weekly, the ability to preemptively decode which changelogs hide Pwn2Own vulnerabilities—before the CVE name goes public—is the line between proactive and reactive defense.
Orange Tsai and DEVCORE demonstrated the flaw; Microsoft closed it. It remains to be seen how many enterprise systems had the vaccine installed without ever knowing they were exposed to the virus.
Information has been verified against cited sources and is current as of publication.
Sources
- http://www.zerodayinitiative.com/advisories/ZDI-26-331/
- https://www.cve.org/CVERecord?id=CVE-2026-45495
- https://www.zerodayinitiative.com/advisories/
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-45495
- http://nvd.nist.gov/cvss.cfm?calculator&version=3.0&vector=AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
- https://www.microsoft.com/