CVE-2026-0391 is a vulnerability classified under CWE-451, indicating a user interface misrepresentation of critical information within the Microsoft Edge browser for Android (Chromium-based). This flaw allows an unauthorized attacker to conduct spoofing attacks by manipulating the browser's UI to display false or misleading information. Such spoofing can trick users into believing they are interacting with legitimate web content or trusted sources when they are not, potentially leading to credential theft, phishing, or other social engineering attacks. The vulnerability is exploitable remotely over a network without requiring user interaction or privileges, although the attack complexity is high, meaning the attacker must overcome significant challenges to successfully exploit the flaw. The CVSS v3.1 base score is 6.5, reflecting a medium severity level, with a vector indicating network attack vector, high attack complexity, no privileges required, no user interaction, unchanged scope, high confidentiality impact, low integrity impact, and no availability impact. No patches or known exploits are currently reported, but the vulnerability was reserved in November 2025 and published in February 2026. The affected version is Microsoft Edge 1.0.0.0 on Android, which suggests early or initial releases of the browser on this platform are vulnerable. The vulnerability’s primary risk is the potential for attackers to mislead users via UI spoofing, undermining trust and potentially leading to further exploitation such as credential compromise or malware installation.

The primary impact of CVE-2026-0391 is on confidentiality, as attackers can deceive users into divulging sensitive information by presenting falsified UI elements that appear legitimate. This can facilitate phishing attacks, credential theft, or unauthorized data disclosure. The integrity impact is low since the vulnerability does not directly allow modification of data or code, and availability is unaffected. However, successful exploitation can lead to significant downstream consequences, including account compromise or unauthorized access to sensitive systems. Organizations with mobile workforces or those relying on Microsoft Edge for Android for secure browsing are at risk of targeted attacks leveraging this vulnerability. The medium severity score reflects the balance between the high confidentiality risk and the high complexity required to exploit the vulnerability. Since no user interaction is required, automated or remote attacks could be possible if the attacker can control network conditions or deliver malicious content. The lack of known exploits in the wild currently reduces immediate risk but does not eliminate the potential for future attacks once exploit techniques mature.

Organizations should monitor Microsoft’s security advisories for patches addressing CVE-2026-0391 and apply updates promptly once available. Until patches are released, mitigating controls include enforcing network-level protections such as DNS filtering, web content filtering, and intrusion detection systems to block or detect spoofing attempts. Educate users about the risks of UI spoofing and encourage vigilance when interacting with web content, especially on mobile devices. Employ multi-factor authentication to reduce the impact of credential theft resulting from spoofing attacks. Consider restricting or monitoring the use of Microsoft Edge on Android in high-risk environments until the vulnerability is remediated. Additionally, security teams should analyze network traffic for anomalies indicative of spoofing or man-in-the-middle attacks and implement endpoint protection solutions capable of detecting suspicious browser behavior. Regular security awareness training focusing on phishing and spoofing can further reduce user susceptibility.