Critical Deserialization RCE in Microsoft Bing (CVE-2026-33819)

The National Vulnerability Database has disclosed CVE-2026-33819, a critical deserialization of untrusted data vulnerability in Microsoft Bing. Rated with a CVSS score of 10.0, this flaw allows an unauthenticated, remote attacker to execute arbitrary code over the network. The CVSS vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H confirms the worst-case scenario: no user interaction, low attack complexity, and complete compromise of confidentiality, integrity, and availability.

This is a classic deserialization vulnerability (CWE-502), a persistent headache for developers. It means the application is blindly trusting incoming data, reconstructing objects without proper validation. Attackers craft malicious serialized objects that, when deserialized, trigger dangerous code execution on the target system. Given Bing’s widespread use, the potential attack surface is enormous.

Defenders need to treat this as an immediate, unauthenticated RCE threat. Microsoft has not yet specified affected products beyond “Bing,” but the implication is clear: any service or application leveraging Bing’s underlying components could be at risk. Organizations should monitor for Microsoft’s official patch and advisory, and prepare for rapid deployment. This is not a vulnerability to defer.