Cyber Resilience

CVE-2026-33819

CriticalRCE

Published: 23 April 2026

Published
23 April 2026
Modified
05 May 2026
KEV Added
Patch
CVSS Score v3.1 10.0 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
EPSS Score 0.0084 53.3th percentile
Risk Priority 70 floored blend · peak EPSS

Summary

CVE-2026-33819 is a critical-severity Deserialization of Untrusted Data (CWE-502) vulnerability in Microsoft Bing. Its CVSS base score is 10.0 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 46.7% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-33819 is a critical deserialization of untrusted data vulnerability (CWE-502) affecting Microsoft Bing. It enables an unauthorized attacker to execute arbitrary code over a network, as indicated by its perfect CVSS v3.1 score of 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H). The flaw stems from improper handling of untrusted data during deserialization processes within the Bing component.

Any unauthenticated attacker with network access can exploit this vulnerability remotely without user interaction or privileges. Successful exploitation grants full remote code execution capabilities, allowing high-impact compromise of confidentiality, integrity, and availability, with a changed scope that could propagate effects beyond the Bing service.

Microsoft's Security Response Center has published an update guide at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-33819, which provides details on available patches and mitigation strategies for affected systems.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

Deserialization of untrusted data in Microsoft Bing allows an unauthorized attacker to execute code over a network.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

CVE-2026-33819 is a remote code execution vulnerability in the public-facing Microsoft Bing application via deserialization of untrusted data, directly enabling exploitation of public-facing applications (T1190).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-21355Same product: Microsoft Bing
CVE-2026-26120Same product: Microsoft Bing
CVE-2026-32186Same product: Microsoft Bing
CVE-2025-59237Same vendor: Microsoft
CVE-2025-55232Same vendor: Microsoft
CVE-2025-53772Same vendor: Microsoft
CVE-2026-21531Same vendor: Microsoft
CVE-2025-49712Same vendor: Microsoft
CVE-2026-26114Same vendor: Microsoft
CVE-2026-33112Same vendor: Microsoft

Affected Assets

microsoft
bing
all versions

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly remediates the deserialization flaw in Microsoft Bing by requiring timely application of vendor patches from the MSRC update guide.

prevent

Validates untrusted network inputs to prevent malicious data from reaching the vulnerable deserialization process in Bing.

prevent

Employs memory protections like ASLR and DEP to mitigate remote code execution even if deserialization of untrusted data succeeds.

References