ニュース

「Microsoft Edge」v150.0.4078.65が公開、143件もの脆弱性を修正

深刻度「緊急」は9件

「Microsoft Edge」v150.0.4078.65が展開中

 米Microsoftは7月9日(現地時間、以下同)、デスクトップ向け「Microsoft Edge」v150.0.4078.65を安定(Stable)チャネルでリリースした。11~12日にかけて、計143件の脆弱性修正が発表されている。

 このうち141件は、「Chromium」に由来するもの。深刻度は4段階中もっとも高い「Critical」(緊急)が9件、2番目に高い「High」(重要)が45件、「Medium」(警告)が66件、「Low」(注意)が21件。解放済みメモリの参照(Use after free)や境界外読み取り(Out of bounds read)など、メモリ安全性に関わる不具合が多くを占める。

  • CVE-2026-13777:Insufficient validation of untrusted input in iOSWeb(Critical)
  • CVE-2026-13778:Use after free in WebUSB(Critical)
  • CVE-2026-13785:Use after free in Bluetooth(Critical)
  • CVE-2026-13788:Use after free in Fullscreen(Critical)
  • CVE-2026-14398:Use after free in ANGLE(Critical)
  • CVE-2026-14417:Use after free in Dawn(Critical)
  • CVE-2026-14419:Use after free in Skia(Critical)
  • CVE-2026-14420:Out of bounds read and write in Dawn(Critical)
  • CVE-2026-14427:Heap buffer overflow in Skia(Critical)
  • CVE-2026-13791:Insufficient validation of untrusted input in Downloads(High)
  • CVE-2026-13792:Use after free in Touchbar(High)
  • CVE-2026-13795:Insufficient policy enforcement in Chrome for iOS(High)
  • CVE-2026-13805:Use after free in GFX(High)
  • CVE-2026-13807:Use after free in Import(High)
  • CVE-2026-13808:Insufficient data validation in Chrome for iOS(High)
  • CVE-2026-13809:Side-channel information leakage in Safe Browsing(High)
  • CVE-2026-13812:Insufficient validation of untrusted input in Chrome for iOS(High)
  • CVE-2026-13813:Insufficient validation of untrusted input in Chrome for iOS(High)
  • CVE-2026-13816:Insufficient validation of untrusted input in File Input(High)
  • CVE-2026-13819:Out of bounds read in ANGLE(High)
  • CVE-2026-13822:Inappropriate implementation in Extensions(High)
  • CVE-2026-13825:Uninitialized Use in Dawn(High)
  • CVE-2026-13826:Inappropriate implementation in Autofill(High)
  • CVE-2026-13827:Use after free in Updater(High)
  • CVE-2026-13833:Uninitialized Use in ANGLE(High)
  • CVE-2026-13842:Incorrect security UI in Chrome for iOS(High)
  • CVE-2026-13843:Insufficient validation of untrusted input in Chrome for iOS(High)
  • CVE-2026-13846:Use after free in USB(High)
  • CVE-2026-13847:Insufficient validation of untrusted input in Chrome for iOS(High)
  • CVE-2026-13850:Insufficient validation of untrusted input in Chrome for iOS(High)
  • CVE-2026-13851:Insufficient validation of untrusted input in WebAppInstalls(High)
  • CVE-2026-13852:Insufficient validation of untrusted input in WebAppInstalls(High)
  • CVE-2026-14382:Insufficient validation of untrusted input in ANGLE(High)
  • CVE-2026-14385:Heap buffer overflow in ANGLE(High)
  • CVE-2026-14386:Out of bounds read in ANGLE(High)
  • CVE-2026-14390:Use after free in ANGLE(High)
  • CVE-2026-14392:Out of bounds write in Tint(High)
  • CVE-2026-14396:Out of bounds read in ANGLE(High)
  • CVE-2026-14400:Out of bounds write in ANGLE(High)
  • CVE-2026-14401:Insufficient validation of untrusted input in ANGLE(High)
  • CVE-2026-14402:Uninitialized Use in ANGLE(High)
  • CVE-2026-14411:Insufficient validation of untrusted input in ANGLE(High)
  • CVE-2026-14412:Insufficient validation of untrusted input in ANGLE(High)
  • CVE-2026-14413:Uninitialized Use in ANGLE(High)
  • CVE-2026-14418:Uninitialized Use in ANGLE(High)
  • CVE-2026-14422:Out of bounds read and write in Tint(High)
  • CVE-2026-14423:Type Confusion in Tint(High)
  • CVE-2026-14424:Use after free in Dawn(High)
  • CVE-2026-14425:Use after free in ANGLE(High)
  • CVE-2026-14426:Use after free in V8(High)
  • CVE-2026-14428:Insufficient validation of untrusted input in Dawn(High)
  • CVE-2026-14429:Insufficient validation of untrusted input in Skia(High)
  • CVE-2026-14430:Integer overflow in V8(High)
  • CVE-2026-14431:Type Confusion in V8(High)
  • CVE-2026-13856:Insufficient validation of untrusted input in Speech(Medium)
  • CVE-2026-13862:Insufficient policy enforcement in Web Authentication (Passkeys & Security Keys)(Medium)
  • CVE-2026-13863:Insufficient validation of untrusted input in CustomTabs(Medium)
  • CVE-2026-13866:Insufficient validation of untrusted input in Input(Medium)
  • CVE-2026-13868:Inappropriate implementation in Network(Medium)
  • CVE-2026-13870:Use after free in WebView(Medium)
  • CVE-2026-13872:Insufficient validation of untrusted input in WebAppInstalls(Medium)
  • CVE-2026-13878:Use after free in Bluetooth(Medium)
  • CVE-2026-13880:Use after free in USB(Medium)
  • CVE-2026-13885:Use after free in Skia(Medium)
  • CVE-2026-13887:Insufficient policy enforcement in NFC(Medium)
  • CVE-2026-13889:Insufficient validation of untrusted input in WebAuthentication(Medium)
  • CVE-2026-13892:Inappropriate implementation in Chrome for iOS(Medium)
  • CVE-2026-13902:Inappropriate implementation in Chrome for iOS(Medium)
  • CVE-2026-13904:Incorrect security UI in Safe Browsing(Medium)
  • CVE-2026-13905:Incorrect security UI in Chrome for iOS(Medium)
  • CVE-2026-13907:Inappropriate implementation in iOSWeb(Medium)
  • CVE-2026-13908:Insufficient validation of untrusted input in Omnibox(Medium)
  • CVE-2026-13910:Insufficient policy enforcement in WebXR(Medium)
  • CVE-2026-13912:Incorrect security UI in Safe Browsing(Medium)
  • CVE-2026-13913:Insufficient policy enforcement in Autofill(Medium)
  • CVE-2026-13914:Inappropriate implementation in Passwords(Medium)
  • CVE-2026-13915:Use after free in Chrome for iOS(Medium)
  • CVE-2026-13916:Inappropriate implementation in Chrome for iOS(Medium)
  • CVE-2026-13917:Insufficient validation of untrusted input in Chrome for iOS(Medium)
  • CVE-2026-13918:Use after free in Chrome for iOS(Medium)
  • CVE-2026-13923:Uninitialized Use in GPU(Medium)
  • CVE-2026-13924:Insufficient validation of untrusted input in WebView(Medium)
  • CVE-2026-13926:Insufficient validation of untrusted input in Network(Medium)
  • CVE-2026-13927:Insufficient validation of untrusted input in UI(Medium)
  • CVE-2026-13929:Insufficient validation of untrusted input in DevTools(Medium)
  • CVE-2026-13932:Inappropriate implementation in Sharing(Medium)
  • CVE-2026-13936:Inappropriate implementation in Passwords(Medium)
  • CVE-2026-13939:Insufficient validation of untrusted input in WebShare(Medium)
  • CVE-2026-13943:Uninitialized Use in CSS(Medium)
  • CVE-2026-13944:Inappropriate implementation in DataTransfer(Medium)
  • CVE-2026-13946:Inappropriate implementation in ScriptInjections(Medium)
  • CVE-2026-13949:Insufficient policy enforcement in Payments(Medium)
  • CVE-2026-13955:Insufficient validation of untrusted input in CustomTabs(Medium)
  • CVE-2026-13964:Insufficient policy enforcement in WebView(Medium)
  • CVE-2026-13969:Uninitialized Use in UI(Medium)
  • CVE-2026-13974:Integer overflow in Safe Browsing(Medium)
  • CVE-2026-13975:Out of bounds read in ANGLE(Medium)
  • CVE-2026-13980:Incorrect security UI in Chrome for iOS(Medium)
  • CVE-2026-13981:Inappropriate implementation in Chrome for iOS(Medium)
  • CVE-2026-13983:Incorrect security UI in Chrome for iOS(Medium)
  • CVE-2026-13987:Incorrect security UI in Mobile(Medium)
  • CVE-2026-13991:Insufficient validation of untrusted input in Chrome for iOS(Medium)
  • CVE-2026-13992:Inappropriate implementation in UI(Medium)
  • CVE-2026-13994:Inappropriate implementation in Credential Management(Medium)
  • CVE-2026-13995:Insufficient validation of untrusted input in Autofill(Medium)
  • CVE-2026-13997:Incorrect security UI in Extensions(Medium)
  • CVE-2026-13998:Incorrect security UI in File Input(Medium)
  • CVE-2026-14005:Use after free in Omnibox(Medium)
  • CVE-2026-14388:Out of bounds read in ANGLE(Medium)
  • CVE-2026-14391:Integer overflow in ANGLE(Medium)
  • CVE-2026-14393:Use after free in V8(Medium)
  • CVE-2026-14397:Out of bounds write in ANGLE(Medium)
  • CVE-2026-14399:Uninitialized Use in Dawn(Medium)
  • CVE-2026-14404:Inappropriate implementation in PDFium(Medium)
  • CVE-2026-14406:Out of bounds read in V8(Medium)
  • CVE-2026-14407:Inappropriate implementation in V8(Medium)
  • CVE-2026-14408:Uninitialized Use in Dawn(Medium)
  • CVE-2026-14414:Insufficient validation of untrusted input in Skia(Medium)
  • CVE-2026-14421:Uninitialized Use in Dawn(Medium)
  • CVE-2026-14432:Use after free in V8(Medium)
  • CVE-2026-14028:Incorrect security UI in Chrome for iOS(Low)
  • CVE-2026-14066:Insufficient validation of untrusted input in Chrome for iOS(Low)
  • CVE-2026-14067:Use after free in Chrome for iOS(Low)
  • CVE-2026-14075:Policy bypass in Chrome for iOS(Low)
  • CVE-2026-14096:Object lifecycle issue in Input(Low)
  • CVE-2026-14099:Use after free in Chrome for iOS(Low)
  • CVE-2026-14101:Insufficient policy enforcement in Sandbox(Low)
  • CVE-2026-14114:Inappropriate implementation in WebAppInstalls(Low)
  • CVE-2026-14123:Incorrect security UI in Chrome for iOS(Low)
  • CVE-2026-14126:Incorrect security UI in UI(Low)
  • CVE-2026-14128:Insufficient data validation in Chrome for iOS(Low)
  • CVE-2026-14136:Incorrect security UI in Chrome for iOS(Low)
  • CVE-2026-14137:Insufficient validation of untrusted input in Chrome for iOS(Low)
  • CVE-2026-14394:Use after free in V8(Low)
  • CVE-2026-14395:Out of bounds write in V8(Low)
  • CVE-2026-14403:Use after free in V8(Low)
  • CVE-2026-14405:Uninitialized Use in V8(Low)
  • CVE-2026-14409:Inappropriate implementation in V8(Low)
  • CVE-2026-14410:Inappropriate implementation in Skia(Low)
  • CVE-2026-14415:Inappropriate implementation in V8(Low)
  • CVE-2026-14416:Out of bounds read in Dawn(Low)

 残りの2件は、「Chromium」のリリースノートには記載がなく、Microsoftが独自に採番した「Edge」固有の脆弱性と思われる。いずれも深刻度は「重要」(Important)。

  • CVE-2026-58281:リモートでコードが実行される脆弱性(Remote Code Execution)
  • CVE-2026-58596:特権が昇格される脆弱性(Elevation of Privilege)

 なお、悪用が確認された(ゼロデイ)脆弱性は含まれていない。

 デスクトップ版「Microsoft Edge」はWindows/macOS/Linuxに対応しており、現在公式サイトから無償でダウンロードできる。すでに「Microsoft Edge」を利用中の場合、待っていれば自動で更新されるが、手動での更新も可能。画面右上のメニュー([…]アイコン)から[ヘルプとフィードバック]-[Microsoft Edge について]画面(edge://settings/help)へアクセスするとよい。

ツールバーに更新が案内されることもある