Microsoft CVEs & Vulnerabilities

1.621 CVEs affecting Microsoft products, tracked from the National Vulnerability Database, with CVSS/EPSS scores and exploitation status.

1.621 CVEs→ All vendors

Most Affected Products

windows 1.168windows server 2012 286windows 11 26h1 242windows server 2025 242windows 11 25h2 235windows 11 24h2 235windows server 2022 225windows 11 23h2 218
CVE-2026-34342HIGH

Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Print Spooler Components allows an authorized attacker to elevate privileges locally.

12 May 2026
7.0
CVSS
CVE-2026-34341HIGH

Double free in Windows Link-Layer Discovery Protocol (LLDP) allows an authorized attacker to elevate privileges locally.

12 May 2026
7.0
CVSS
CVE-2026-34340HIGH

Use after free in Windows Projected File System allows an authorized attacker to elevate privileges locally.

12 May 2026
7.0
CVSS
CVE-2026-34339MEDIUM

Null pointer dereference in Windows LDAP - Lightweight Directory Access Protocol allows an authorized attacker to deny service locally.

12 May 2026
5.5
CVSS
CVE-2026-34338HIGH

Use after free in Windows Telephony Service allows an authorized attacker to elevate privileges locally.

12 May 2026
7.8
CVSS
CVE-2026-34337HIGH

Use after free in Windows Cloud Files Mini Filter Driver allows an authorized attacker to elevate privileges locally.

12 May 2026
7.0
CVSS
CVE-2026-34336HIGH

Buffer over-read in Windows DWM Core Library allows an authorized attacker to disclose information locally.

12 May 2026
7.8
CVSS
CVE-2026-34334HIGH

Concurrent execution using shared resource with improper synchronization ('race condition') in Windows TCP/IP allows an authorized attacker to elevate privileges locally.

12 May 2026
7.0
CVSS
CVE-2026-34333HIGH

Use after free in Windows Win32K - GRFX allows an authorized attacker to elevate privileges locally.

12 May 2026
7.8
CVSS
CVE-2026-34332HIGH

Use after free in Windows Kernel-Mode Drivers allows an authorized attacker to execute code over a network.

12 May 2026
8.0
CVSS
CVE-2026-34331HIGH

Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Win32K - GRFX allows an authorized attacker to elevate privileges locally.

12 May 2026
7.0
CVSS
CVE-2026-34330HIGH

Integer overflow or wraparound in Windows Win32K - GRFX allows an authorized attacker to elevate privileges locally.

12 May 2026
7.8
CVSS
CVE-2026-34329HIGH

Heap-based buffer overflow in Windows Message Queuing allows an unauthorized attacker to execute code over an adjacent network.

12 May 2026
8.8
CVSS
CVE-2026-33841HIGH

Heap-based buffer overflow in Windows Kernel allows an authorized attacker to elevate privileges locally.

12 May 2026
7.8
CVSS
CVE-2026-33840HIGH

Use after free in Windows Win32K - ICOMP allows an authorized attacker to elevate privileges locally.

12 May 2026
7.8
CVSS
CVE-2026-33839HIGH

Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Win32K - GRFX allows an authorized attacker to elevate privileges locally.

12 May 2026
7.0
CVSS
CVE-2026-33838HIGH

Double free in Windows Message Queuing allows an authorized attacker to elevate privileges locally.

12 May 2026
7.8
CVSS
CVE-2026-33837HIGH

Heap-based buffer overflow in Windows TCP/IP allows an authorized attacker to elevate privileges locally.

12 May 2026
7.8
CVSS
CVE-2026-33835HIGH

Use after free in Windows Cloud Files Mini Filter Driver allows an authorized attacker to elevate privileges locally.

12 May 2026
7.8
CVSS
CVE-2026-33834HIGH

Improper access control in Windows Event Logging Service allows an authorized attacker to elevate privileges locally.

12 May 2026
7.8
CVSS
CVE-2026-33821CRITICAL

Improper privilege management in Microsoft Dynamics 365 Customer Insights allows an authorized attacker to elevate privileges over a network.

12 May 2026
9.9
CVSS
CVE-2026-33117CRITICAL

Improper authentication in Azure SDK allows an unauthorized attacker to bypass a security feature over a network.

12 May 2026
9.1
CVSS
CVE-2026-33112HIGH

Deserialization of untrusted data in Microsoft Office SharePoint allows an authorized attacker to execute code over a network.

12 May 2026
8.8
CVSS
CVE-2026-33110HIGH

Deserialization of untrusted data in Microsoft Office SharePoint allows an authorized attacker to execute code over a network.

12 May 2026
8.8
CVSS
CVE-2026-32209MEDIUM

Improper access control in Windows Filtering Platform (WFP) allows an authorized attacker to bypass a security feature locally.

12 May 2026
4.4
CVSS
CVE-2026-32185MEDIUM

Files or directories accessible to external parties in Microsoft Teams allows an unauthorized attacker to perform spoofing locally.

12 May 2026
5.5
CVSS
CVE-2026-32170MEDIUM

Double free in Windows Rich Text Edit Control allows an authorized attacker to elevate privileges locally.

12 May 2026
6.7
CVSS
CVE-2026-32161HIGH

Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Native WiFi Miniport Driver allows an unauthorized attacker to execute code over an adjacent network.

12 May 2026
7.5
CVSS
CVE-2026-21530MEDIUM

Double free in Windows Rich Text Edit allows an authorized attacker to elevate privileges locally.

12 May 2026
6.7
CVSS
CVE-2026-7432HIGH

A race condition in Ivanti Secure Access Client before 22.8R6 allows a locally authenticated user to escalate privileges to SYSTEM

12 May 2026
7.0
CVSS
CVE-2026-7431MEDIUM

An incorrect permission assignment for critical resource of Ivanti Secure Access Client   before 22.8R6 allows a local authenticated user to read or modify sensitive log data via write access to a shared memory section.

12 May 2026
4.4
CVSS
CVE-2026-42826HIGH

Exposure of sensitive information to an unauthorized actor in Azure DevOps allows an unauthorized attacker to disclose information over a network.

8 May 2026
7.5
CVSS
CVE-2026-41105HIGH

Server-side request forgery (ssrf) in Azure Notification Service allows an authorized attacker to elevate privileges over a network.

8 May 2026
8.1
CVSS
CVE-2026-35435CRITICAL

Improper access control in Azure AI Foundry M365 published agents allows an unauthorized attacker to elevate privileges over a network.

8 May 2026
10.0
CVSS
CVE-2026-35428CRITICAL

Improper neutralization of special elements used in a command ('command injection') in Azure Cloud Shell allows an unauthorized attacker to perform spoofing over a network.

8 May 2026
9.6
CVSS
CVE-2026-34327HIGH

Externally controlled reference to a resource in another sphere in Microsoft Partner Center allows an unauthorized attacker to perform spoofing over a network.

8 May 2026
8.2
CVSS
CVE-2026-33844CRITICAL

Improper input validation in Azure Managed Instance for Apache Cassandra allows an authorized attacker to execute code over a network.

8 May 2026
9.0
CVSS
CVE-2026-33823MEDIUM

Improper authorization in Microsoft Teams allows an authorized attacker to disclose information over a network.

8 May 2026
6.5
CVSS
CVE-2026-33111HIGH

Improper neutralization of special elements used in a command ('command injection') in Copilot Chat (Microsoft Edge) allows an unauthorized attacker to disclose information over a network.

8 May 2026
7.5
CVSS
CVE-2026-33109CRITICAL

Improper access control in Azure Managed Instance for Apache Cassandra allows an authorized attacker to execute code over a network.

8 May 2026
9.9
CVSS
CVE-2026-32207MEDIUM

Improper neutralization of input during web page generation ('cross-site scripting') in Azure Machine Learning allows an unauthorized attacker to perform spoofing over a network.

8 May 2026
6.1
CVSS
CVE-2026-26164HIGH

Improper neutralization of special elements in output used by a downstream component ('injection') in M365 Copilot allows an unauthorized attacker to disclose information over a network.

8 May 2026
7.5
CVSS
CVE-2026-26129HIGH

Improper neutralization of special elements in M365 Copilot allows an unauthorized attacker to disclose information over a network.

8 May 2026
7.5
CVSS
CVE-2026-8022LOW

Inappropriate implementation in MHTML in Google Chrome prior to 148.0.7778.96 allowed a remote attacker who convinced a user to engage in specific UI gestures to leak cross-origin data via a crafted MHTML page. (Chromium security severity: Low)

6 May 2026
3.1
CVSS
CVE-2026-8021MEDIUM

Script injection in UI in Google Chrome prior to 148.0.7778.96 allowed a remote attacker who convinced a user to engage in specific UI gestures to inject arbitrary scripts or HTML (UXSS) via a crafted HTML page. (Chromium security severity: Low)

6 May 2026
4.2
CVSS
CVE-2026-8019MEDIUM

Insufficient policy enforcement in WebApp in Google Chrome prior to 148.0.7778.96 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low)

6 May 2026
5.4
CVSS
CVE-2026-8018HIGH

Insufficient policy enforcement in DevTools in Google Chrome prior to 148.0.7778.96 allowed a remote attacker to potentially perform a sandbox escape via malicious network traffic. (Chromium security severity: Low)

6 May 2026
8.1
CVSS
CVE-2026-8017LOW

Side-channel information leakage in Media in Google Chrome prior to 148.0.7778.96 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Low)

6 May 2026
3.1
CVSS
← PrevPage 22 / 34Next →