Severity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
Lifecycle Timeline
2DescriptionNVD
User interface (ui) misrepresentation of critical information in Microsoft Bing allows an unauthorized attacker to perform spoofing over a network.
AnalysisAI
UI misrepresentation of critical information in Microsoft Bing Search for Android (versions below 33.3) enables unauthenticated network-based attackers to spoof content displayed to end users. The vulnerability (CWE-451) causes the application to render or present critical information-such as URLs, security indicators, or source attribution-in a misleading way, enabling deception attacks. No public exploit has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog; however, the zero-privilege-required, low-complexity network vector makes it accessible to opportunistic attackers targeting users of the unpatched Android application.
Technical ContextAI
CWE-451 (User Interface Misrepresentation of Critical Information) describes a class of vulnerabilities where an application's UI layer fails to accurately represent security-relevant data to the user, enabling trust manipulation. In this case, the affected component is Microsoft Bing Search for Android (versions 1.0.0 through below 33.3). The attack vector is network-based (AV:N), meaning the misrepresentation can be triggered via crafted network content or responses intercepted/delivered over the network, rather than requiring local device access. The Android application context suggests the flaw may relate to how search results, links, preview content, or security/authentication prompts are rendered within the app's WebView or native UI, allowing an attacker-controlled representation to substitute for a legitimate one. The 'Authentication Bypass' tag in the intelligence data suggests the spoofed UI element may be relevant to authentication flows, such as login prompts, OAuth dialogs, or credential entry screens.
RemediationAI
The vendor-released patch is Microsoft Bing Search for Android version 33.3 or later, as confirmed by EUVD-2026-35694. Users and administrators should update the Bing Search Android application to version 33.3 or above via the Google Play Store. Enterprise administrators managing Android device fleets via MDM solutions (Intune, Jamf, etc.) should push the updated application version and verify compliance. The full vendor advisory is available at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-45650. If immediate patching is not feasible, a compensating control would be to restrict or disable the Bing Search Android application on managed devices until patching can be completed - note this may disrupt end-user search workflows. No specific network-layer workaround is applicable given the network-delivered spoofing nature of the vulnerability.
The Microsoft Bing application before 4.2.1 for Android allows remote attackers to install arbitrary APK files via vecto
Missing Authentication for Critical Function in Microsoft Bing allows an unauthorized attacker to execute code over a ne
A spoofing vulnerability exists when Microsoft Bing Search for Android improperly handles specific HTML content, aka 'Mi
Microsoft Bing Search Spoofing Vulnerability. Rated medium severity (CVSS 4.7), this vulnerability is remotely exploitab
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-35694
GHSA-xf2j-6378-chgc