CVE-2024-29986: CWE-359: Exposure of Private Personal Information to an Unauthorized Actor in Microsoft Edge (Chromium-based)

Severity: Medium
Tags: Vulnerability, CVE-2024-29986, CWE-359
Published: Thu Apr 18 2024 (04/18/2024, 18:59:26 UTC)
Source: CVE
Vendor/Project: Microsoft
Product: Microsoft Edge (Chromium-based)

Description

Microsoft Edge for Android (Chromium-based) Information Disclosure Vulnerability

AI-Powered Analysis

AI analysis last updated: 06/26/2025, 05:14:32 UTC

Technical Analysis

CVE-2024-29986 is a medium-severity information disclosure vulnerability affecting Microsoft Edge (Chromium-based) on the Android platform. It is classified under CWE-359, exposure of private personal information to an unauthorized actor: the browser mishandles sensitive data in a way that could let an attacker read private user information without authorization. The CVSS 3.1 base score is 5.4, indicating a moderate risk level. The vector string (AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C) shows that the vulnerability is exploitable remotely over the network (AV:N) with low attack complexity (AC:L) and without privileges (PR:N), but requires user interaction (UI:R). The impact on confidentiality and integrity is rated Low (C:L/I:L) and there is no impact on availability (A:N). The scope is unchanged (S:U), so the effect is confined to the vulnerable component, Microsoft Edge on Android. Exploitation could lead to partial leakage and potential manipulation of private data, but no known exploits are currently reported in the wild. The vulnerability was published on April 18, 2024, and no patches or fixes have been linked yet. Given the weakness class, the issue most likely concerns how the browser manages or exposes sensitive data such as browsing history, cookies, or autofill information, which could be reached by malicious web content or by attackers using social engineering to induce the required user interaction.

Potential Impact

For European organizations, this vulnerability poses a risk primarily to employees and users who utilize Microsoft Edge on Android devices for accessing corporate or personal data. The exposure of private personal information could lead to unauthorized disclosure of sensitive corporate data, user credentials, or personally identifiable information (PII), potentially violating GDPR and other privacy regulations. Although the vulnerability requires user interaction, phishing or malicious websites could exploit it to harvest data stealthily. This could undermine trust in corporate mobile device usage and increase the risk of targeted attacks or identity theft. Organizations with mobile-first strategies or those relying heavily on Edge for Android in their workforce are particularly at risk. The limited impact on integrity suggests attackers might also manipulate some data, further complicating incident response. However, the lack of availability impact means service disruption is unlikely. The absence of known exploits in the wild reduces immediate risk but does not eliminate the threat, especially as attackers may develop exploits over time.

Mitigation Recommendations

1. Implement strict mobile device management (MDM) policies to control and monitor the use of Microsoft Edge on Android devices within the organization.
2. Educate users about the risks of interacting with untrusted websites or links, emphasizing caution to reduce the likelihood of triggering the vulnerability via social engineering.
3. Restrict or sandbox browser access to sensitive corporate resources on mobile devices until a patch is available.
4. Monitor network traffic and endpoint logs for unusual data exfiltration patterns that could indicate exploitation attempts.
5. Encourage users to keep their Microsoft Edge app updated and subscribe to vendor security advisories for timely patch deployment once available.
6. Consider deploying alternative browsers with a lower risk profile on Android devices handling sensitive data until this vulnerability is resolved.
7. Use web content filtering and URL reputation services to block access to known malicious sites that could exploit this vulnerability.
8. Review and tighten permissions granted to the browser app on Android to limit access to sensitive data and device features.

Technical Details

Data Version: 5.1
Assigner Short Name: microsoft
Date Reserved: 2024-03-22T23:12:11.046Z
CISA Enriched: true
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 682d9837c4522896dcbeb4ec

Added to database: 5/21/2025, 9:09:11 AM

Last enriched: 6/26/2025, 5:14:32 AM

Last updated: 8/12/2025, 7:03:32 AM
