CVE-2024-26246: Microsoft Edge (Chromium-based) Security Feature Bypass Vulnerability

Overview

Severity: Low (CVSS 3.9)
CVSS Vector: CVSS:3.1/AV:P/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Category: Security Feature Bypass
Exploit Status: Not Exploited
Exploitation Likelihood: Less Likely
Patch Tuesday: 2024-Mar
Released: 2024-03-14
Last Updated: 2024-03-15
EPSS Score: 0.29% (percentile: 52.7%)

FAQ

What kind of security feature could be bypassed by successfully exploiting this vulnerability?

An attacker who successfully exploited this could bypass the Edge AutoFill Protection feature.

According to the CVSS metric, the attack vector is physical (AV:P), user interaction is required (UI:R), and privileges required is high (PR:H). What does that mean for this vulnerability?

An authorized attacker with physical access to a victim's unsecured Android phone must use the autofill feature on Edge Android to access the victim's saved credentials.

Microsoft Edge releases containing the fix:

  • Stable channel: Microsoft Edge version 122.0.2365.92, released 3/14/2024, based on Chromium version 122.0.6261.128/.129
  • Extended Stable channel: Microsoft Edge version 122.0.2365.92, released 3/14/2024, based on Chromium version 122.0.6261.128/.129

Affected Products (1)

Browser

  • Microsoft Edge for Android

Acknowledgments

Vlad

Revision History

  • 2024-03-14: Information published.
  • 2024-03-15: Updated CVE Tag. This is an informational change only.