News

76 vulnerabilities in Microsoft Edge; the fixed version, v148.0.3967.70, reaches the Stable channel

Three issues are specific to Edge; the rest come from Chromium

Microsoft Edge v148.0.3967.70

On May 15 (local time), Microsoft released Microsoft Edge v148.0.3967.70 for desktop to the Stable channel. It fixes the following 76 vulnerabilities.

  • CVE-2026-8509: Heap buffer overflow in WebML (Critical)
  • CVE-2026-8510: Integer overflow in Skia (Critical)
  • CVE-2026-8511: Use after free in UI (Critical)
  • CVE-2026-8512: Use after free in FileSystem (Critical)
  • CVE-2026-8513: Use after free in Input (Critical)
  • CVE-2026-8514: Use after free in Aura (Critical)
  • CVE-2026-8515: Use after free in HID (Critical)
  • CVE-2026-8516: Insufficient validation of untrusted input in DataTransfer (Critical)
  • CVE-2026-8517: Object lifecycle issue in WebShare (Critical)
  • CVE-2026-8518: Use after free in Blink (Critical)
  • CVE-2026-8519: Integer overflow in ANGLE (Critical)
  • CVE-2026-8523: Use after free in Mojo (High)
  • CVE-2026-8524: Out of bounds write in WebAudio (High)
  • CVE-2026-8525: Heap buffer overflow in ANGLE (High)
  • CVE-2026-8526: Out of bounds write in WebRTC (High)
  • CVE-2026-8527: Insufficient validation of untrusted input in Downloads (High)
  • CVE-2026-8528: Insufficient validation of untrusted input in SiteIsolation (High)
  • CVE-2026-8529: Heap buffer overflow in Codecs (High)
  • CVE-2026-8530: Use after free in Network (High)
  • CVE-2026-8531: Heap buffer overflow in WebML (High)
  • CVE-2026-8532: Integer overflow in XML (High)
  • CVE-2026-8533: Use after free in Accessibility (High)
  • CVE-2026-8534: Integer overflow in GPU (High)
  • CVE-2026-8535: Out of bounds read in Media (High)
  • CVE-2026-8536: Insufficient validation of untrusted input in ReadingMode (High)
  • CVE-2026-8537: Insufficient policy enforcement in ViewTransitions (High)
  • CVE-2026-8538: Insufficient validation of untrusted input in GPU (High)
  • CVE-2026-8539: Script injection in SanitizerAPI (High)
  • CVE-2026-8540: Type Confusion in V8 (High)
  • CVE-2026-8541: Out of bounds read in UI (High)
  • CVE-2026-8542: Use after free in Core (High)
  • CVE-2026-8543: Out of bounds read in FileSystem (High)
  • CVE-2026-8544: Use after free in Media (High)
  • CVE-2026-8545: Object corruption in Compositing (High)
  • CVE-2026-8546: Out of bounds read in GPU (High)
  • CVE-2026-8547: Insufficient policy enforcement in Passwords (High)
  • CVE-2026-8548: Out of bounds write in Media (High)
  • CVE-2026-8549: Use after free in Media (High)
  • CVE-2026-8550: Use after free in Google Lens (High)
  • CVE-2026-8551: Use after free in Downloads (High)
  • CVE-2026-8552: Heap buffer overflow in GPU (High)
  • CVE-2026-8553: Use after free in GPU (High)
  • CVE-2026-8554: Type Confusion in ANGLE (High)
  • CVE-2026-8555: Use after free in GTK (High)
  • CVE-2026-8556: Inappropriate implementation in ANGLE (High)
  • CVE-2026-8557: Use after free in Accessibility (High)
  • CVE-2026-8558: Out of bounds write in Fonts (High)
  • CVE-2026-8559: Integer overflow in Internationalization (High)
  • CVE-2026-8560: Heap buffer overflow in SwiftShader (Medium)
  • CVE-2026-8561: Incorrect security UI in Fullscreen (Medium)
  • CVE-2026-8562: Side-channel information leakage in Navigation (Medium)
  • CVE-2026-8563: Insufficient policy enforcement in IFrame Sandbox (Medium)
  • CVE-2026-8565: Inappropriate implementation in Downloads (Medium)
  • CVE-2026-8566: Insufficient policy enforcement in Payments (Medium)
  • CVE-2026-8567: Integer overflow in ANGLE (Medium)
  • CVE-2026-8568: Insufficient policy enforcement in AI (Medium)
  • CVE-2026-8569: Out of bounds write in Codecs (Medium)
  • CVE-2026-8570: Type Confusion in V8 (Medium)
  • CVE-2026-8571: Insufficient policy enforcement in GPU (Medium)
  • CVE-2026-8572: Insufficient policy enforcement in Network (Medium)
  • CVE-2026-8573: Integer overflow in Codecs (Medium)
  • CVE-2026-8575: Use after free in UI (Medium)
  • CVE-2026-8576: Inappropriate implementation in CORS (Medium)
  • CVE-2026-8577: Integer overflow in Fonts (Medium)
  • CVE-2026-8578: Out of bounds read in GPU (Medium)
  • CVE-2026-8579: Insufficient validation of untrusted input in Skia (Medium)
  • CVE-2026-8580: Use after free in Mojo (Medium)
  • CVE-2026-8581: Use after free in GPU (Medium)
  • CVE-2026-8582: Object lifecycle issue in Dawn (Medium)
  • CVE-2026-8584: Inappropriate implementation in Views (Medium)
  • CVE-2026-8585: Inappropriate implementation in Media (Medium)
  • CVE-2026-8586: Inappropriate implementation in Chromoting (Medium)
  • CVE-2026-8587: Use after free in Extensions (Medium)
  • CVE-2026-45495: Remote Code Execution (Important) ※
  • CVE-2026-45494: Spoofing (Moderate) ※
  • CVE-2026-45492: Security Feature Bypass (Moderate) ※

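Of these, the last three (marked ※) are vulnerabilities specific to Edge. The rest are flaws inherited from the underlying Chromium code base and largely match the fixes in Google Chrome v148.0.7778.167/168 (CVE-2026-8520, CVE-2026-8521 and CVE-2026-8522, which were fixed in Chrome, do not affect Edge).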

No exploitation has been reported so far, but updating as soon as possible is recommended.

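The desktop version of Microsoft Edge supports Windows, Mac and Linux and can currently be downloaded free of charge from the official site. If you already use Microsoft Edge, it will update automatically if you wait, but a manual update is also possible: from the menu at the top right of the window (the [...] icon), open [Help and feedback] - [About Microsoft Edge] (edge://settings/help).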
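For checking many machines rather than one About page, the sketch below compares reported Edge versions against the fixed build v148.0.3967.70. It is an added example, not code from Microsoft or from this article; the host names, the `host,version` inventory format, the older sample version strings and the use of `microsoft-edge --version` on Linux are assumptions.

```python
import re
import shutil
import subprocess

# Fixed build named in the article; anything older is missing the 76 fixes.
FIXED_BUILD = (148, 0, 3967, 70)
_VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\.(\d+)\b")

def parse_version(text):
    """Return the first four-part version in `text` as a tuple of ints, or None."""
    m = _VERSION_RE.search(text)
    return tuple(int(part) for part in m.groups()) if m else None

def is_patched(version_text, fixed=FIXED_BUILD):
    """True if at least the fixed build; unparseable input counts as unpatched."""
    version = parse_version(version_text)
    return version is not None and version >= fixed

def audit(inventory_lines):
    """Given 'host,version' lines, return [(host, version)] still needing the update."""
    stale = []
    for line in inventory_lines:
        host, _, version = line.strip().partition(",")
        if host and not is_patched(version):
            stale.append((host, version or "unknown"))
    return stale

def local_version():
    """Assumption: a Linux install exposes `microsoft-edge --version` on PATH."""
    exe = shutil.which("microsoft-edge")
    if exe is None:
        return None
    out = subprocess.run([exe, "--version"], capture_output=True, text=True, timeout=10)
    return out.stdout.strip() or None

# Constructed sample inventory (hypothetical hosts and versions, not real data).
SAMPLE = [
    "ws-001,148.0.3967.70",
    "ws-002,148.0.3967.9",   # older than .70 numerically, though "9" > "70" as text
    "ws-003,Microsoft Edge 147.0.1000.1",
    "ws-004,",               # no version reported: treated as unpatched
]

if __name__ == "__main__":
    for host, version in audit(SAMPLE):
        print(f"{host}: {version} is older than {'.'.join(map(str, FIXED_BUILD))}")
    print("local:", local_version())
```

Comparing the parsed integer tuples rather than the raw strings is what keeps a build such as .9 from being mistaken for newer than .70.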

An update notice may also appear in the toolbar