Login Sign Up

CVE-2023-36741

8.3 HIGH

📋 TL;DR

This vulnerability in Microsoft Edge (Chromium-based) allows attackers to gain elevated privileges on affected systems. It affects users running vulnerable versions of Microsoft Edge on Windows systems. Successful exploitation could lead to arbitrary code execution with higher privileges than intended.

💻 Affected Systems

Products:
  • Microsoft Edge (Chromium-based)
Versions: Versions prior to 116.0.1938.69
Operating Systems: Windows 10, Windows 11, Windows Server 2019, Windows Server 2022
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects Chromium-based Microsoft Edge, not legacy EdgeHTML-based versions. Requires user interaction or local access.

📦 What is this software?

Edge Chromium by Microsoft

View all CVEs affecting Edge Chromium →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system compromise with SYSTEM-level privileges, allowing installation of persistent malware, data theft, and lateral movement across the network.

🟠

Likely Case

Local privilege escalation allowing attackers to bypass security controls, install unwanted software, or access restricted system resources.

🟢

If Mitigated

Limited impact due to proper patch management and security controls, potentially resulting in failed exploitation attempts.

🌐 Internet-Facing: LOW - This is primarily a local privilege escalation vulnerability requiring local access or user interaction.
🏢 Internal Only: MEDIUM - Malicious insiders or compromised accounts could exploit this to escalate privileges within the environment.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires local access or user interaction. No public exploit code has been disclosed as of current knowledge.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Microsoft Edge version 116.0.1938.69 and later

Vendor Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36741

Restart Required: Yes

Instructions:

1. Open Microsoft Edge. 2. Click Settings (three dots) → Help and feedback → About Microsoft Edge. 3. Browser will automatically check for updates and install if available. 4. Restart Edge when prompted.

🔧 Temporary Workarounds

Disable Microsoft Edge

windows

Temporarily disable Microsoft Edge as default browser while awaiting patch deployment

Use alternative browser

all

Switch to alternative browser until Edge is patched

🧯 If You Can't Patch

  • Restrict local user privileges to minimize impact of privilege escalation
  • Implement application whitelisting to prevent unauthorized code execution

🔍 How to Verify

Check if Vulnerable:

Check Microsoft Edge version: edge://settings/help or edge://version

Check Version:

msedge --version (Windows) or check edge://version in browser

Verify Fix Applied:

Verify version is 116.0.1938.69 or higher in edge://settings/help

📡 Detection & Monitoring

Log Indicators:

  • Unusual Edge process spawning with elevated privileges
  • Edge crash reports with suspicious memory patterns

Network Indicators:

  • Unusual outbound connections from Edge processes with elevated privileges

SIEM Query:

Process Creation where (Image contains 'msedge.exe' and IntegrityLevel contains 'High' or 'System')

📊 Metadata

CVE ID: CVE-2023-36741
CVSS v3 Score: 8.3 (HIGH)
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
CWE: CWE-416
Published: August 26, 2023
Last Updated: January 1, 2025

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2023-36741, you might also want to check these:

CVE-2025-24085 10.0

This CVE describes a use-after-free vulnerability (CWE-416) in Apple operating systems that allows m...

Same vulnerability type (CWE-416)
CVE-2024-43102 10.0

This CVE describes a use-after-free vulnerability in FreeBSD's umtx (user mutex) subsystem where con...

Same vulnerability type (CWE-416)
CVE-2021-33796 10.0

CVE-2021-33796 is a use-after-free vulnerability in MuJS's regexp source property access that can le...

Same vulnerability type (CWE-416)