Description
Deserialization of untrusted data in Microsoft Bing allows an unauthorized attacker to execute code over a network.
Published: 2026-04-23
Score: 10 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

Microsoft Bing has a vulnerability that allows an attacker to deserialize untrusted data and execute arbitrary code. The flaw is a classic deserialization weakness (CWE‑502) that can give an unauthorized user the ability to run malicious code via the network, potentially giving them full control over the affected system.

Affected Systems

Any deployment of Microsoft Bing. No specific version numbers are listed in the advisory, so all current and future releases are likely affected until an update is applied.

Risk and Exploitability

The CVSS score of 10 highlights the maximum severity of the issue. The EPSS score is below 1 %, indicating a very low probability of exploitation in the wild at the time of this analysis, and the vulnerability is not yet in the CISA KEV catalog. The attack can be performed remotely over a network by sending specially crafted data to the Bing service, assuming the attacker can reach the target. Because the flaw is a deserialization bug, any data payload that can be crafted by the attacker and delivered to the service may trigger the vulnerability.

Generated by OpenCVE AI on April 28, 2026 at 07:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Microsoft Bing security update released by Microsoft
  • Ensure that only trusted sources send data to Bing by enforcing strict input validation and access controls
  • Isolate Bing services on a separate network segment and enforce least‑privilege access for all connected components

Generated by OpenCVE AI on April 28, 2026 at 07:23 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 05 May 2026 14:30:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:microsoft:bing:-:*:*:*:*:*:*:*

Fri, 24 Apr 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 23 Apr 2026 22:00:00 +0000

Type Values Removed Values Added
Description Deserialization of untrusted data in Microsoft Bing allows an unauthorized attacker to execute code over a network.
Title Microsoft Bing Remote Code Execution Vulnerability
First Time appeared Microsoft
Microsoft bing
Weaknesses CWE-502
CPEs cpe:2.3:a:microsoft:bing:*:*:*:*:*:*:*:*
Vendors & Products Microsoft
Microsoft bing
References
Metrics cvssV3_1

{'score': 10, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C'}

Subscriptions

Microsoft Bing
cve-icon MITRE

Status: PUBLISHED

Assigner: microsoft

Published:

Updated: 2026-05-12T17:37:48.367Z

Reserved: 2026-03-24T00:52:01.351Z

Link: CVE-2026-33819

cve-icon Vulnrichment

Updated: 2026-04-24T14:55:14.293Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-23T22:16:37.817

Modified: 2026-05-05T14:15:20.343

Link: CVE-2026-33819

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-28T07:30:26Z

Weaknesses