CVE-2022-26900

8.3 HIGH

📋 TL;DR

This vulnerability in Microsoft Edge (Chromium-based) allows attackers to gain elevated privileges on affected systems. It affects users running vulnerable versions of Microsoft Edge on Windows systems. Successful exploitation could allow an attacker to execute arbitrary code with higher privileges than intended.

💻 Affected Systems

Products:
  • Microsoft Edge (Chromium-based)
Versions: Versions prior to 101.0.1210.32
Operating Systems: Windows 10, Windows 11, Windows Server 2019, Windows Server 2022
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects Microsoft Edge based on Chromium, not legacy EdgeHTML-based versions.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise with administrative privileges, allowing installation of malware, data theft, and persistent access.

🟠 Likely Case

Local privilege escalation enabling attackers to bypass security controls, install unwanted software, or access restricted system resources.

🟢 If Mitigated

Limited impact due to security controls like application sandboxing, but still potential for local system manipulation.

🌐 Internet-Facing: LOW - This is primarily a local privilege escalation vulnerability requiring local access or user interaction.
🏢 Internal Only: MEDIUM - Internal attackers or malware could leverage this for privilege escalation on compromised systems.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires local access or user interaction to trigger the vulnerability.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Microsoft Edge version 101.0.1210.32 or later

Vendor Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26900

Restart Required: Yes

Instructions:

1. Open Microsoft Edge.
2. Click Settings (three dots) → Help and feedback → About Microsoft Edge.
3. Browser will automatically check for and install updates.
4. Restart Edge when prompted.

🔧 Temporary Workarounds

Disable Edge via Group Policy

Temporarily disable Microsoft Edge usage while awaiting patch deployment

gpedit.msc → Computer Configuration → Administrative Templates → Windows Components → Microsoft Edge → Set 'Allow Microsoft Edge to start and load the Start and New Tab page at Windows startup and each time Microsoft Edge is closed' to Disabled

🧯 If You Can't Patch

  • Restrict user privileges to standard user accounts to limit impact of privilege escalation
  • Implement application control policies to prevent unauthorized software execution

🔍 How to Verify

Check if Vulnerable:

Check the Edge version at edge://settings/help. If the version is below 101.0.1210.32, the system is vulnerable.

Check Version:

Start Edge and navigate to edge://settings/help or check 'About Microsoft Edge' in settings

Verify Fix Applied:

Confirm Edge version is 101.0.1210.32 or higher via edge://settings/help

📡 Detection & Monitoring

Log Indicators:

  • Windows Event Logs showing unexpected Edge process elevation
  • Security logs with unusual privilege changes

Network Indicators:

  • Unusual outbound connections from Edge processes with elevated privileges

SIEM Query:

EventID=4688 AND ProcessName LIKE '%msedge.exe%' AND NewProcessName NOT LIKE '%msedge.exe%' AND IntegrityLevel='High'
