Skip to main content

Microsoft Bing CVE-2026-58595

| EUVDEUVD-2026-43766 HIGH
Improper Restriction of Rendered UI Layers or Frames (CWE-1021)
2026-07-14 microsoft GHSA-g43g-5f3q-rwxv
8.1
CVSS 3.1 · NVD
Temporal: 7.1
Share

Severity by source

Vendor (microsoft) PRIMARY
HIGH
qualitative
NVD
8.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H
CIRCL (temporal)
7.1 HIGH
cvss
vuln.today AI
6.5 MEDIUM

Network-delivered UI-redress spoofing needing victim interaction (UI:R, PR:N, AC:L); integrity of displayed content is compromised (I:H) but no confidentiality loss and no genuine availability impact for spoofing, so A:N.

3.1 AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (microsoft).

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
High

Lifecycle Timeline

2
Analysis Generated
Jul 14, 2026 - 17:52 vuln.today
CVE Published
Jul 14, 2026 - 17:05 nvd
HIGH 8.1

DescriptionNVD

Improper restriction of rendered ui layers or frames in Microsoft Bing App for IOS allows an unauthorized attacker to perform spoofing over a network.

AnalysisAI

Spoofing in the Microsoft Bing Search app for iOS lets a remote attacker present deceptive or overlaid UI content that misleads the victim, because the app improperly restricts how rendered UI layers or frames are displayed (CWE-1021, a UI-redressing/clickjacking class of flaw). An unauthenticated attacker who lures a user into interacting with attacker-controlled content can manipulate what the user sees and trusts, potentially inducing them to act on falsified information. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Host malicious framed content
Delivery
Lure user to open link in Bing iOS app
Exploit
Overlay deceptive UI layer
Execution
User interacts with spoofed interface
Impact
Victim acts on falsified content

Vulnerability AssessmentAI

Exploitation Exploitation requires the victim to actively interact with attacker-controlled content rendered inside the Microsoft Bing Search app for iOS (CVSS UI:R) - for example opening a malicious link or engaging with a crafted framed/overlaid UI layer served over the network. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:R/S:U) describes a low-complexity, unauthenticated, network-delivered attack that critically depends on user interaction (UI:R), which materially lowers real-world exploitability versus a no-interaction bug of the same base score. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker crafts a malicious page or link that, when opened or framed within the Bing iOS app's rendering context, overlays a deceptive UI layer on top of legitimate app content. Because the attack vector is network-based with low complexity but requires user interaction (UI:R), the victim must be lured into tapping or engaging with the crafted content, at which point the spoofed interface misleads them into trusting falsified information or actions. …
Remediation Patch available per vendor advisory: update the Microsoft Bing Search app for iOS to the fixed release via the Apple App Store as identified in the Microsoft MSRC advisory at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-58595 (confirm the exact fixed build number there, as it was not included in the provided data). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours, inventory all iOS devices with Bing Search app deployment and notify users not to interact with suspicious in-app content. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-58595 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy