CVE-2026-33819
Published: 23 April 2026
Description
Deserialization of untrusted data in Microsoft Bing allows an unauthorized attacker to execute code over a network.
Mitigating Controls (NIST 800-53 r5)
- Directly remediates the deserialization flaw in Microsoft Bing by requiring timely application of vendor patches from the MSRC update guide.
- Validates untrusted network inputs to prevent malicious data from reaching the vulnerable deserialization process in Bing.
- Employs memory protections such as ASLR and DEP to limit the impact of remote code execution even if deserialization of untrusted data succeeds.
Security Summary
CVE-2026-33819 is a critical deserialization of untrusted data vulnerability (CWE-502) affecting Microsoft Bing. It enables an unauthorized attacker to execute arbitrary code over a network, reflected in its maximum CVSS v3.1 base score of 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H). The flaw stems from improper handling of untrusted data during deserialization within the Bing component.
Any unauthenticated attacker with network access can exploit this vulnerability remotely without user interaction or privileges. Successful exploitation grants full remote code execution capabilities, allowing high-impact compromise of confidentiality, integrity, and availability, with a changed scope that could propagate effects beyond the Bing service.
Microsoft's Security Response Center has published an update guide at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-33819, which provides details on available patches and mitigation strategies for affected systems.
Details
- CWE(s): CWE-502 (Deserialization of Untrusted Data)
- Affected Products: Microsoft Bing
MITRE ATT&CK Enterprise Techniques
Why these techniques?
CVE-2026-33819 is a remote code execution vulnerability in the public-facing Microsoft Bing application via deserialization of untrusted data, directly enabling exploitation of public-facing applications (T1190).