{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-0385", "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", "state": "PUBLISHED", "assignerShortName": "microsoft", "dateReserved": "2025-11-13T16:25:14.759Z", "datePublished": "2026-03-13T21:55:20.781Z", "dateUpdated": "2026-03-27T22:33:21.083Z"}, "containers": {"cna": {"title": "Microsoft Edge (Chromium-based) for Android Spoofing Vulnerability", "datePublic": "2026-03-13T14:00:00.000Z", "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:microsoft:edge:*:*:*:*:*:android:*:*", "versionStartIncluding": "1.0.0", "versionEndExcluding": "146.0.3856.59"}]}]}], "affected": [{"vendor": "Microsoft", "product": "Microsoft Edge for Android", "versions": [{"version": "1.0.0", "lessThan": "146.0.3856.59", "versionType": "custom", "status": "affected"}]}], "descriptions": [{"value": "Microsoft Edge (Chromium-based) for Android Spoofing Vulnerability", "lang": "en-US"}], "problemTypes": [{"descriptions": [{"description": "Spoofing", "lang": "en-US", "type": "Impact"}]}], "providerMetadata": {"orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", "shortName": "microsoft", "dateUpdated": "2026-03-27T22:33:21.083Z"}, "references": [{"name": "Microsoft Edge (Chromium-based) for Android Spoofing Vulnerability", "tags": ["vendor-advisory", "patch"], "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-0385"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en-US", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "baseSeverity": "MEDIUM", "baseScore": 5, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L/E:U/RL:O/RC:C"}}]}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-290", "lang": "en", "description": "CWE-290 Authentication Bypass by Spoofing"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-14T03:47:02.583228Z", "id": "CVE-2026-0385", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-14T03:48:06.085Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-0385", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-14T03:47:02.583228Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-290", "description": "CWE-290 Authentication Bypass by Spoofing"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-14T03:47:47.445Z"}}], "cna": {"title": "Microsoft Edge (Chromium-based) for Android Spoofing Vulnerability", "metrics": [{"format": "CVSS", "cvssV3_1": {"version": "3.1", "baseScore": 5, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L/E:U/RL:O/RC:C"}, "scenarios": [{"lang": "en-US", "value": "GENERAL"}]}], "affected": [{"vendor": "Microsoft", "product": "Microsoft Edge for Android", "versions": [{"status": "affected", "version": "1.0.0", "lessThan": "146.0.3856.59", "versionType": "custom"}]}], "datePublic": "2026-03-13T14:00:00.000Z", "references": [{"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-0385", "name": "Microsoft Edge (Chromium-based) for Android Spoofing Vulnerability", "tags": ["vendor-advisory", "patch"]}], "descriptions": [{"lang": "en-US", "value": "Microsoft Edge (Chromium-based) for Android Spoofing Vulnerability"}], "problemTypes": [{"descriptions": [{"lang": "en-US", "type": "Impact", "description": "Spoofing"}]}], "cpeApplicability": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:microsoft:edge:*:*:*:*:*:android:*:*", "vulnerable": true, "versionEndExcluding": "146.0.3856.59", "versionStartIncluding": "1.0.0"}], "operator": "OR"}]}], "providerMetadata": {"orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", "shortName": "microsoft", "dateUpdated": "2026-03-27T22:33:21.083Z"}}}, "cveMetadata": {"cveId": "CVE-2026-0385", "state": "PUBLISHED", "dateUpdated": "2026-03-27T22:33:21.083Z", "dateReserved": "2025-11-13T16:25:14.759Z", "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", "datePublished": "2026-03-13T21:55:20.781Z", "assignerShortName": "microsoft"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:microsoft:edge_chromium:*:*:*:*:*:android:*:*", "matchCriteriaId": "87AE5657-6D4C-4162-8744-C83D6CAA6E30", "versionEndExcluding": "146.0.3856.59", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Microsoft Edge (Chromium-based) for Android Spoofing Vulnerability"}, {"lang": "es", "value": "Vulnerabilidad de suplantaci\u00f3n de Microsoft Edge (basado en Chromium) para Android"}], "id": "CVE-2026-0385", "lastModified": "2026-04-01T20:09:19.913", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.0, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 3.4, "source": "secure@microsoft.com", "type": "Primary"}]}, "published": "2026-03-16T14:18:06.797", "references": [{"source": "secure@microsoft.com", "tags": ["Vendor Advisory"], "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-0385"}], "sourceIdentifier": "secure@microsoft.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-290"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[1.0.0,146.0.3856.59)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "manual", "scores": [{"score": 100.0, "source": "manual"}]}, "original": {"product": "Microsoft Edge for Android", "source": "cna", "vendor": "Microsoft"}, "product": "edge_for_android", "vendor": "microsoft"}], "analysis": {"en": {"generated_at": "2026-04-02T03:05:28.109745+00:00", "value": {"mitigation_remediation": ["Check the version of Microsoft Edge currently installed on your Android device", "Follow Microsoft\u2019s security advisory for updates and apply any available patches as soon as they are released", "Consider installing reputable security applications that can detect and block spoofing attempts", "Keep your device\u2019s operating system and all apps updated to mitigate related weaknesses"], "summary": {"action": "Update", "impact": "Spoofing potentially enabling impersonation or phishing"}, "threat_synthesis": {"affected_systems": "The vulnerability impacts Microsoft Edge for Android, including both the standard and Chromium-based editions. No specific affected versions are listed in the available data.", "description_and_impact": "Microsoft Edge (Chromium-based) for Android is affected by a spoofing vulnerability that may allow an attacker to present a false identity or representation, enabling phishing or similar attacks. The description does not detail the exact mechanism or exploit capability, so the precise impact on confidentiality, integrity or availability remains unclear.", "risk_and_exploitability": "The CVSS score of 5 indicates moderate severity. EPSS is reported to be less than 1%, suggesting a low likelihood of exploitation, and the vulnerability is not currently listed in the CISA KEV catalog. Based on the information provided, it is inferred that the attack vector would require the attacker to influence the user\u2019s perception of the browser or its displayed content, potentially via a malicious app or compromised website. No specific exploitation prerequisites are described in the available data."}}}}, "created": "2026-03-16T09:22:26.479830+00:00", "updated": "2026-04-02T08:00:18.476846+00:00", "vendors": ["microsoft", "microsoft$PRODUCT$edge_for_android"]}