Cyber Posture

CVE-2026-33819

Critical · RCE · Updated

Published: 23 April 2026
Modified: 05 May 2026
KEV Added: not listed
Patch: see vendor update guide (linked below)
CVSS Score: 10.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
EPSS Score: 0.0039 (60.3rd percentile)
Risk Priority: 20 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-33819 is a critical-severity Deserialization of Untrusted Data (CWE-502) vulnerability in Microsoft Bing. Its CVSS base score is 10.0 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). By exploit likelihood (EPSS) it ranks in the top 39.7% of CVEs, and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SI-10 (Information Input Validation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

prevent: SI-2 (Flaw Remediation)
Directly remediates the deserialization flaw in Microsoft Bing by requiring timely application of vendor patches from the MSRC update guide.

prevent: SI-10 (Information Input Validation)
Validates untrusted network inputs to prevent malicious data from reaching the vulnerable deserialization process in Bing.

prevent
Employs memory protections such as ASLR and DEP to limit the impact of remote code execution even if deserialization of untrusted data succeeds.

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

Why these techniques?

CVE-2026-33819 is a remote code execution vulnerability in the public-facing Microsoft Bing application via deserialization of untrusted data, directly enabling exploitation of public-facing applications (T1190).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

Deserialization of untrusted data in Microsoft Bing allows an unauthorized attacker to execute code over a network.

Deeper analysis

CVE-2026-33819 is a critical deserialization of untrusted data vulnerability (CWE-502) affecting Microsoft Bing. It enables an unauthorized attacker to execute arbitrary code over a network, as reflected in its maximum CVSS v3.1 base score of 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H). The flaw stems from improper handling of untrusted data during deserialization within the Bing component.

Any unauthenticated attacker with network access can exploit this vulnerability remotely, without user interaction or prior privileges. Successful exploitation grants full remote code execution, with high impact on confidentiality, integrity, and availability; the changed scope (S:C) indicates that effects could propagate beyond the Bing service itself.

Microsoft's Security Response Center has published an update guide at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-33819, which provides details on available patches and mitigation strategies for affected systems.

Details

CWE(s): CWE-502 (Deserialization of Untrusted Data)

Affected Products: Microsoft Bing (all versions)

CVEs Like This One

CVE-2025-21355 · Same product: Microsoft Bing
CVE-2026-26120 · Same product: Microsoft Bing
CVE-2026-32186 · Same product: Microsoft Bing
CVE-2025-53772 · Same vendor: Microsoft
CVE-2025-55232 · Same vendor: Microsoft
CVE-2025-59237 · Same vendor: Microsoft
CVE-2026-26114 · Same vendor: Microsoft
CVE-2025-59287 · Same vendor: Microsoft
CVE-2026-20963 · Same vendor: Microsoft
CVE-2026-21531 · Same vendor: Microsoft

References

- Microsoft Security Response Center update guide: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-33819