{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-0385", "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", "state": "PUBLISHED", "assignerShortName": "microsoft", "dateReserved": "2025-11-13T16:25:14.759Z", "datePublished": "2026-03-13T21:55:20.781Z", "dateUpdated": "2026-04-23T15:29:33.113Z"}, "containers": {"cna": {"title": "Microsoft Edge (Chromium-based) for Android Spoofing Vulnerability", "datePublic": "2026-03-13T14:00:00.000Z", "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:microsoft:edge:*:*:*:*:*:android:*:*", "versionStartIncluding": "1.0.0", "versionEndExcluding": "146.0.3856.59"}]}]}], "affected": [{"vendor": "Microsoft", "product": "Microsoft Edge for Android", "versions": [{"version": "1.0.0", "lessThan": "146.0.3856.59", "versionType": "custom", "status": "affected"}]}], "descriptions": [{"value": "Microsoft Edge (Chromium-based) for Android Spoofing Vulnerability", "lang": "en-US"}], "problemTypes": [{"descriptions": [{"description": "CWE-451: User Interface (UI) Misrepresentation of Critical Information", "lang": "en-US", "type": "CWE", "cweId": "CWE-451"}]}], "providerMetadata": {"orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", "shortName": "microsoft", "dateUpdated": "2026-04-14T16:36:45.322Z"}, "references": [{"name": "Microsoft Edge (Chromium-based) for Android Spoofing Vulnerability", "tags": ["vendor-advisory", "patch"], "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-0385"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en-US", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "baseSeverity": "MEDIUM", "baseScore": 5, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L/E:U/RL:O/RC:C"}}]}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-290", "lang": "en", "description": "CWE-290 Authentication Bypass by Spoofing"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-14T03:47:02.583228Z", "id": "CVE-2026-0385", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-23T15:29:33.113Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-0385", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-14T03:47:02.583228Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-290", "description": "CWE-290 Authentication Bypass by Spoofing"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-14T03:47:47.445Z"}}], "cna": {"title": "Microsoft Edge (Chromium-based) for Android Spoofing Vulnerability", "metrics": [{"format": "CVSS", "cvssV3_1": {"version": "3.1", "baseScore": 5, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L/E:U/RL:O/RC:C"}, "scenarios": [{"lang": "en-US", "value": "GENERAL"}]}], "affected": [{"vendor": "Microsoft", "product": "Microsoft Edge for Android", "versions": [{"status": "affected", "version": "1.0.0", "lessThan": "146.0.3856.59", "versionType": "custom"}]}], "datePublic": "2026-03-13T14:00:00.000Z", "references": [{"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-0385", "name": "Microsoft Edge (Chromium-based) for Android Spoofing Vulnerability", "tags": ["vendor-advisory", "patch"]}], "descriptions": [{"lang": "en-US", "value": "Microsoft Edge (Chromium-based) for Android Spoofing Vulnerability"}], "problemTypes": [{"descriptions": [{"lang": "en-US", "type": "CWE", "cweId": "CWE-451", "description": "CWE-451: User Interface (UI) Misrepresentation of Critical Information"}]}], "cpeApplicability": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:microsoft:edge:*:*:*:*:*:android:*:*", "vulnerable": true, "versionEndExcluding": "146.0.3856.59", "versionStartIncluding": "1.0.0"}], "operator": "OR"}]}], "providerMetadata": {"orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", "shortName": "microsoft", "dateUpdated": "2026-04-14T16:36:45.322Z"}}}, "cveMetadata": {"cveId": "CVE-2026-0385", "state": "PUBLISHED", "dateUpdated": "2026-04-23T15:29:33.113Z", "dateReserved": "2025-11-13T16:25:14.759Z", "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", "datePublished": "2026-03-13T21:55:20.781Z", "assignerShortName": "microsoft"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:microsoft:edge_chromium:*:*:*:*:*:android:*:*", "matchCriteriaId": "87AE5657-6D4C-4162-8744-C83D6CAA6E30", "versionEndExcluding": "146.0.3856.59", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Microsoft Edge (Chromium-based) for Android Spoofing Vulnerability"}, {"lang": "es", "value": "Vulnerabilidad de suplantaci\u00f3n de Microsoft Edge (basado en Chromium) para Android"}], "id": "CVE-2026-0385", "lastModified": "2026-04-07T21:17:00.757", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.0, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 3.4, "source": "secure@microsoft.com", "type": "Secondary"}]}, "published": "2026-03-16T14:18:06.797", "references": [{"source": "secure@microsoft.com", "tags": ["Vendor Advisory"], "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-0385"}], "sourceIdentifier": "secure@microsoft.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-451"}], "source": "secure@microsoft.com", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-290"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[1.0.0,146.0.3856.59)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "manual", "scores": [{"score": 100.0, "source": "manual"}]}, "original": {"product": "Microsoft Edge for Android", "source": "cna", "vendor": "Microsoft"}, "product": "edge_for_android", "vendor": "microsoft"}], "analysis": {"en": {"generated_at": "2026-04-07T23:12:01.700127+00:00", "value": {"mitigation_remediation": ["Update Microsoft Edge on Android to the latest version as soon as it becomes available."], "summary": {"action": "Apply Update", "impact": "Spoofing / Authentication Bypass"}, "threat_synthesis": {"affected_systems": "The affected product is Microsoft Edge for Android, distributed by Microsoft. No specific version is identified in the advisory; therefore, all current releases of the Android application should be considered potentially vulnerable until an official patch is released.", "description_and_impact": "Microsoft Edge (Chromium-based) for Android is affected by a spoofing vulnerability that allows a malicious site to masquerade as a trusted resource. The assignment of CWE\u2011290 (Improper Authentication) and CWE\u2011451 (Blind Race Condition) suggests the flaw involves an authentication weakness potentially combined with a concurrency issue, which could be used to spoof the identity of a legitimate site or resource. Based on this, an attacker might be able to trick a user into interacting with a site that appears to be authentic, undermining the integrity of the browsing session. The vulnerability does not expose arbitrary code execution, denial of service, or other more severe impacts beyond spoofing.", "risk_and_exploitability": "The CVSS score of 5 indicates a moderate risk level, while the EPSS score of less than 1\u202f% reflects a low likelihood of exploitation in the wild. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. It is inferred that exploitation would likely require user interaction\u2014such as visiting or clicking a crafted link\u2014that triggers the spoofing behavior during page rendering. Given the limited public details, concrete assumptions about the attack path remain speculative, but the moderate score and low EPSS suggest a low probability of widespread exploitation."}}}}, "created": "2026-03-16T09:22:26.479830+00:00", "updated": "2026-04-08T20:02:34.955145+00:00", "vendors": ["microsoft", "microsoft$PRODUCT$edge_for_android"]}