Severity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H
Network-delivered UI-redress spoofing needing victim interaction (UI:R, PR:N, AC:L); integrity of displayed content is compromised (I:H) but no confidentiality loss and no genuine availability impact for spoofing, so A:N.
Primary rating from Vendor (microsoft).
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H
Lifecycle Timeline
2DescriptionNVD
Improper restriction of rendered ui layers or frames in Microsoft Bing App for IOS allows an unauthorized attacker to perform spoofing over a network.
AnalysisAI
Spoofing in the Microsoft Bing Search app for iOS lets a remote attacker present deceptive or overlaid UI content that misleads the victim, because the app improperly restricts how rendered UI layers or frames are displayed (CWE-1021, a UI-redressing/clickjacking class of flaw). An unauthenticated attacker who lures a user into interacting with attacker-controlled content can manipulate what the user sees and trusts, potentially inducing them to act on falsified information. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the victim to actively interact with attacker-controlled content rendered inside the Microsoft Bing Search app for iOS (CVSS UI:R) - for example opening a malicious link or engaging with a crafted framed/overlaid UI layer served over the network. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:R/S:U) describes a low-complexity, unauthenticated, network-delivered attack that critically depends on user interaction (UI:R), which materially lowers real-world exploitability versus a no-interaction bug of the same base score. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker crafts a malicious page or link that, when opened or framed within the Bing iOS app's rendering context, overlays a deceptive UI layer on top of legitimate app content. Because the attack vector is network-based with low complexity but requires user interaction (UI:R), the victim must be lured into tapping or engaging with the crafted content, at which point the spoofed interface misleads them into trusting falsified information or actions. … |
| Remediation | Patch available per vendor advisory: update the Microsoft Bing Search app for iOS to the fixed release via the Apple App Store as identified in the Microsoft MSRC advisory at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-58595 (confirm the exact fixed build number there, as it was not included in the provided data). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours, inventory all iOS devices with Bing Search app deployment and notify users not to interact with suspicious in-app content. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-43766
GHSA-g43g-5f3q-rwxv