Skip to main content

Microsoft Bing CVE-2026-45650

| EUVDEUVD-2026-35694 MEDIUM
User Interface (UI) Misrepresentation of Critical Information (CWE-451)
2026-06-09 secure@microsoft.com GHSA-xf2j-6378-chgc
4.3
CVSS 3.1 · NVD
Temporal: 3.8
Share

Severity by source

NVD PRIMARY
4.3 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
CIRCL (temporal)
3.8 LOW
cvss

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jun 09, 2026 - 19:37 vuln.today
CVE Published
Jun 09, 2026 - 17:17 nvd
MEDIUM 4.3

DescriptionNVD

User interface (ui) misrepresentation of critical information in Microsoft Bing allows an unauthorized attacker to perform spoofing over a network.

AnalysisAI

UI misrepresentation of critical information in Microsoft Bing Search for Android (versions below 33.3) enables unauthenticated network-based attackers to spoof content displayed to end users. The vulnerability (CWE-451) causes the application to render or present critical information-such as URLs, security indicators, or source attribution-in a misleading way, enabling deception attacks. No public exploit has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog; however, the zero-privilege-required, low-complexity network vector makes it accessible to opportunistic attackers targeting users of the unpatched Android application.

Technical ContextAI

CWE-451 (User Interface Misrepresentation of Critical Information) describes a class of vulnerabilities where an application's UI layer fails to accurately represent security-relevant data to the user, enabling trust manipulation. In this case, the affected component is Microsoft Bing Search for Android (versions 1.0.0 through below 33.3). The attack vector is network-based (AV:N), meaning the misrepresentation can be triggered via crafted network content or responses intercepted/delivered over the network, rather than requiring local device access. The Android application context suggests the flaw may relate to how search results, links, preview content, or security/authentication prompts are rendered within the app's WebView or native UI, allowing an attacker-controlled representation to substitute for a legitimate one. The 'Authentication Bypass' tag in the intelligence data suggests the spoofed UI element may be relevant to authentication flows, such as login prompts, OAuth dialogs, or credential entry screens.

RemediationAI

The vendor-released patch is Microsoft Bing Search for Android version 33.3 or later, as confirmed by EUVD-2026-35694. Users and administrators should update the Bing Search Android application to version 33.3 or above via the Google Play Store. Enterprise administrators managing Android device fleets via MDM solutions (Intune, Jamf, etc.) should push the updated application version and verify compliance. The full vendor advisory is available at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-45650. If immediate patching is not feasible, a compensating control would be to restrict or disable the Bing Search Android application on managed devices until patching can be completed - note this may disrupt end-user search workflows. No specific network-layer workaround is applicable given the network-delivered spoofing nature of the vulnerability.

Share

CVE-2026-45650 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy