Microsoft has patched a maximum-severity remote code execution vulnerability in Bing that requires no authentication, no user interaction, and no privileges to exploit — a rare trifecta that earns CVE-2026-33819 its CVSS 10.0 score.
What Happened
CVE-2026-33819 is a deserialization vulnerability in a Bing backend service exposed over the network. The flaw received a CVSS base score of 10.0 (AV:N/AC:L/PR:N/UI:N/S:C) — the highest possible rating — reflecting that an unauthenticated attacker on any network can reach the vulnerable endpoint, exploit it without complexity, and achieve full compromise with scope change. Microsoft addressed the vulnerability as part of the April 2026 Patch Tuesday release.
Deserialization vulnerabilities of this class occur when an application deserialises attacker-controlled data without first validating its structure or type. When chained to a network-exposed endpoint with no authentication gate, the result is a pre-auth RCE primitive that requires no user interaction.
Why It Matters
Bing is Microsoft’s public-facing search infrastructure, but the same backend service components are also integrated into Microsoft 365 Copilot, Azure Cognitive Services, and enterprise intranet search deployments. Organisations that run on-premises or hybrid deployments of Microsoft search infrastructure should treat this as an emergency-tier patch.
Even for organisations relying entirely on Microsoft’s cloud-hosted Bing, the vulnerability underscores the enduring risk of deserialization as an attack class — historically responsible for critical infrastructure compromises including the 2021 Apache Log4j chain and numerous Exchange Server exploits.
Technical Detail
| Field | Value |
|---|---|
| CVE | CVE-2026-33819 |
| CVSS | 10.0 Critical |
| Attack Vector | Network (unauthenticated) |
| Complexity | Low |
| Privileges Required | None |
| User Interaction | None |
| Scope | Changed |
| Exploit Code | Not publicly available at time of publication |
The affected Bing component processes serialised data from untrusted network sources without type-safe validation, allowing an attacker to supply a crafted payload that executes arbitrary code in the context of the service process.
Recommended Actions
- Apply the April 2026 Patch Tuesday update immediately — no workaround is available; patching is the only remediation.
- Prioritise internet-facing and intranet Bing deployments — if your organisation runs on-premises Microsoft search infrastructure, treat this as P1.
- Review network segmentation — confirm that Bing backend service ports are not exposed beyond intended boundaries; apply firewall rules to restrict access while patching is in progress.
- Monitor for anomalous deserialization-related process spawning — look for unusual child processes spawned from Bing service executables in endpoint detection telemetry.
- Check Azure Cognitive Services and M365 Copilot integrations — Microsoft has patched cloud-side components, but verify your environment reflects the updated service version.
Broader Context
CVSS 10.0 vulnerabilities are uncommon. When they affect infrastructure as widely deployed as Bing — and carry a network attack vector with no prerequisites — they warrant the same response urgency as a KEV-listed exploit. Microsoft’s April 2026 Patch Tuesday addressed 167 CVEs in total; this should be first in any patching queue.
Share this article