CVE-2026-40416: Microsoft Edge (Chromium-based) for Android Spoofing Vulnerability

Overview

Severity: Medium (CVSS 4.3)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C
Category: Edge - Chromium
Exploit Status: Not Exploited
Exploitation Likelihood: Unlikely
Patch Tuesday: 2026-May
Released: 2026-05-11
EPSS Score: 0.04% (percentile: 12.9%)

Description

User interface (UI) misrepresentation of critical information in Microsoft Edge (Chromium-based) allows an unauthorized attacker to perform spoofing over a network.

FAQ

What is the impact of this vulnerability?

When shortening RTL characters in domains, Edge will display the wrong part of the domain in the omnibox.

What is the version information for this release?

Microsoft Edge Version: 148.0.3967.55
Date Released: 05/11/2026
Based on Chromium Version: 148.0.7778.97
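
For triage of links in mail or proxy logs, the check below flags URLs whose hostname contains right-to-left (RTL) labels, the kind of domain the impact answer above is about. It is an added example, not code from Microsoft or from this advisory; the function names and the sample URLs are constructed for illustration, and it does not model how Edge shortens the omnibox text.

```python
import unicodedata
from urllib.parse import urlsplit

RTL_CLASSES = {"R", "AL"}  # Unicode bidi classes of right-to-left letters


def decode_label(label):
    """Return the Unicode form of a DNS label, decoding xn-- A-labels."""
    if label.lower().startswith("xn--"):
        try:
            return label[4:].encode("ascii").decode("punycode")
        except UnicodeError:
            return label  # malformed A-label: report it unchanged
    return label


def rtl_host_report(url):
    """Describe the text direction of each label in a URL's hostname."""
    host = urlsplit(url).hostname or ""
    labels = [decode_label(part) for part in host.split(".") if part]
    rtl, ltr = [], []
    for label in labels:
        classes = {unicodedata.bidirectional(ch) for ch in label}
        if classes & RTL_CLASSES:
            rtl.append(label)
        elif "L" in classes:
            ltr.append(label)
    return {
        "host": ".".join(labels),
        "rtl_labels": rtl,
        # Both directions in one host: display order differs from DNS order.
        "mixed_direction": bool(rtl and ltr),
        "flag": bool(rtl),
    }


def flag_urls(urls):
    """Return the URLs whose hostname contains at least one RTL label."""
    return [u for u in urls if rtl_host_report(u)["flag"]]


# Constructed sample input (reserved example names, not real indicators).
HEBREW = "\u05d0\u05d1\u05d2"
SAMPLE_URLS = [
    "https://www.example.com/login",
    "https://" + HEBREW + ".example/login",
    "https://xn--" + HEBREW.encode("punycode").decode("ascii") + ".example/",
]
FLAGGED = flag_urls(SAMPLE_URLS)
```

A flagged host is only a candidate for manual review: legitimate RTL-script domains are flagged as well.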

Affected Products (1)

Browser

  • Microsoft Edge (Chromium-based)

Acknowledgments

Jody Ritonga (https://www.linkedin.com/in/jodyritonga/) with test, Barath Stalin K (https://www.linkedin.com/in/barathstalin/)

Revision History

  • 2026-05-11: Information published.