Microsoft CVEs & Vulnerabilities

1.621 CVEs affecting Microsoft products, tracked from the National Vulnerability Database, with CVSS/EPSS scores and exploitation status.

1.621 CVEs→ All vendors

Most Affected Products

windows 1.168windows server 2012 286windows 11 26h1 242windows server 2025 242windows 11 25h2 235windows 11 24h2 235windows server 2022 225windows 11 23h2 218
CVE-2026-42905HIGH

Use after free in Windows DWM Core Library allows an authorized attacker to elevate privileges locally.

9 Jun 2026
7.8
CVSS
CVE-2026-42904CRITICAL

Heap-based buffer overflow in Windows TCP/IP allows an unauthorized attacker to elevate privileges over an adjacent network.

9 Jun 2026
9.6
CVSS
CVE-2026-42903MEDIUM

Null pointer dereference in Windows Kerberos allows an authorized attacker to deny service over a network.

9 Jun 2026
6.5
CVSS
CVE-2026-42902HIGH

Improper authorization in Microsoft PowerToys allows an authorized attacker to elevate privileges locally.

9 Jun 2026
7.8
CVSS
CVE-2026-42837HIGH

Buffer over-read in Windows Projected File System Filter Driver allows an authorized attacker to elevate privileges locally.

9 Jun 2026
7.8
CVSS
CVE-2026-42836HIGH

Concurrent execution using shared resource with improper synchronization ('race condition') in Function Discovery Service (fdwsd.dll) allows an authorized attacker to elevate privileges locally.

9 Jun 2026
7.0
CVSS
CVE-2026-42835HIGH

Improper neutralization of special elements in output used by a downstream component ('injection') in Microsoft Teams for Android allows an authorized attacker to disclose information over a network.

9 Jun 2026
8.1
CVSS
CVE-2026-42829HIGH

Improper access control in Windows Administrator Protection allows an authorized attacker to bypass a security feature locally.

9 Jun 2026
7.8
CVSS
CVE-2026-42828HIGH

Buffer over-read in Windows Projected File System Filter Driver allows an authorized attacker to elevate privileges locally.

9 Jun 2026
7.8
CVSS
CVE-2026-41108HIGH

Heap-based buffer overflow in Microsoft Windows DNS allows an authorized attacker to elevate privileges locally.

9 Jun 2026
7.0
CVSS
CVE-2026-41092HIGH

Improper access control in Microsoft Kinect allows an authorized attacker to elevate privileges locally.

9 Jun 2026
7.8
CVSS
CVE-2026-40409HIGH

Windows Universal Disk Format File System Driver (UDFS) Elevation of Privilege Vulnerability

9 Jun 2026
7.8
CVSS
CVE-2026-40404HIGH

Windows Universal Disk Format File System Driver (UDFS) Elevation of Privilege Vulnerability

9 Jun 2026
7.8
CVSS
CVE-2026-40376HIGH

Improper input validation in Visual Studio Code allows an unauthorized attacker to elevate privileges over a network.

9 Jun 2026
8.1
CVSS
CVE-2026-34335HIGH

Use after free in Windows Ancillary Function Driver for WinSock allows an authorized attacker to elevate privileges locally.

9 Jun 2026
7.0
CVSS
CVE-2026-33828HIGH

Trust boundary violation in Windows Attestation allows an authorized attacker to elevate privileges locally.

9 Jun 2026
7.8
CVSS
CVE-2026-33113MEDIUM

Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Office SharePoint allows an authorized attacker to perform spoofing over a network.

9 Jun 2026
6.1
CVSS
CVE-2026-11701MEDIUM

Inappropriate implementation in Guest View in Google Chrome prior to 149.0.7827.103 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium)

9 Jun 2026
5.4
CVSS
CVE-2026-11700HIGH

Use after free in Tracing in Google Chrome prior to 149.0.7827.103 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Medium)

9 Jun 2026
8.3
CVSS
CVE-2026-11697CRITICAL

Insufficient validation of untrusted input in UI in Google Chrome prior to 149.0.7827.103 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)

9 Jun 2026
9.6
CVSS
CVE-2026-11696MEDIUM

Uninitialized Use in Video in Google Chrome on Windows prior to 149.0.7827.103 allowed a remote attacker who had compromised the renderer process to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: High)

9 Jun 2026
5.3
CVSS
CVE-2026-11695MEDIUM

Inappropriate implementation in Passwords in Google Chrome prior to 149.0.7827.103 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: High)

9 Jun 2026
4.3
CVSS
CVE-2026-11694HIGH

Use after free in ServiceWorker in Google Chrome prior to 149.0.7827.103 allowed a remote attacker who had compromised the renderer process to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)

9 Jun 2026
7.5
CVSS
CVE-2026-11693HIGH

Inappropriate implementation in Plugins in Google Chrome prior to 149.0.7827.103 allowed a remote attacker who had compromised the renderer process to bypass site isolation via a crafted HTML page. (Chromium security severity: High)

9 Jun 2026
8.1
CVSS
CVE-2026-11692HIGH

Use after free in Read Anything in Google Chrome prior to 149.0.7827.103 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)

9 Jun 2026
8.3
CVSS
CVE-2026-11691LOW

Insufficient validation of untrusted input in New Tab Page in Google Chrome prior to 149.0.7827.103 allowed a remote attacker who had compromised the renderer process to leak cross-origin data via a crafted HTML page. (Chromium security severity: High)

9 Jun 2026
3.1
CVSS
CVE-2026-11689HIGH

Insufficient policy enforcement in Passwords in Google Chrome prior to 149.0.7827.103 allowed a remote attacker who had compromised the renderer process to bypass site isolation via a crafted HTML page. (Chromium security severity: High)

9 Jun 2026
8.1
CVSS
CVE-2026-11688HIGH

Inappropriate implementation in SVG in Google Chrome prior to 149.0.7827.103 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)

9 Jun 2026
8.8
CVSS
CVE-2026-11684LOW

Insufficient policy enforcement in Network in Google Chrome prior to 149.0.7827.103 allowed a remote attacker who had compromised the utility process to leak cross-origin data via a crafted HTML page. (Chromium security severity: High)

9 Jun 2026
3.1
CVSS
CVE-2026-11683HIGH

Use after free in WebCodecs in Google Chrome prior to 149.0.7827.103 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)

9 Jun 2026
8.8
CVSS
CVE-2026-11680HIGH

Use after free in Media in Google Chrome on Windows prior to 149.0.7827.103 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)

9 Jun 2026
8.8
CVSS
CVE-2026-11679HIGH

Use after free in Codecs in Google Chrome on Windows prior to 149.0.7827.103 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)

9 Jun 2026
8.3
CVSS
CVE-2026-11678MEDIUM

Integer overflow in libyuv in Google Chrome prior to 149.0.7827.103 allowed a remote attacker who had compromised the renderer process to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: High)

9 Jun 2026
5.3
CVSS
CVE-2026-11675LOW

Out of bounds read in Skia in Google Chrome prior to 149.0.7827.103 allowed a remote attacker who had compromised the renderer process to leak cross-origin data via a crafted HTML page. (Chromium security severity: High)

9 Jun 2026
3.1
CVSS
CVE-2026-11674HIGH

Use after free in Guest View in Google Chrome prior to 149.0.7827.103 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)

9 Jun 2026
8.8
CVSS
CVE-2026-11673HIGH

Use after free in InterestGroups in Google Chrome prior to 149.0.7827.103 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)

9 Jun 2026
8.8
CVSS
CVE-2026-11671CRITICAL

Use after free in Navigation in Google Chrome prior to 149.0.7827.103 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)

9 Jun 2026
9.6
CVSS
CVE-2026-11670HIGH

Use after free in PDF in Google Chrome prior to 149.0.7827.103 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted PDF file. (Chromium security severity: High)

9 Jun 2026
8.8
CVSS
CVE-2026-11667HIGH

Out of bounds read in WebRTC in Google Chrome prior to 149.0.7827.103 allowed a remote attacker who had compromised the GPU process to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

9 Jun 2026
7.5
CVSS
CVE-2026-11666MEDIUM

Insufficient validation of untrusted input in Input in Google Chrome prior to 149.0.7827.103 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: High)

9 Jun 2026
5.4
CVSS
CVE-2026-11665MEDIUM

Out of bounds read in Dawn in Google Chrome on Windows prior to 149.0.7827.103 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: High)

9 Jun 2026
4.3
CVSS
CVE-2026-11664HIGH

Use after free in Payments in Google Chrome prior to 149.0.7827.103 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

9 Jun 2026
8.8
CVSS
CVE-2026-11663HIGH

Use after free in Skia in Google Chrome prior to 149.0.7827.103 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)

9 Jun 2026
8.3
CVSS
CVE-2026-11662HIGH

Type Confusion in Bindings in Google Chrome prior to 149.0.7827.103 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)

9 Jun 2026
8.8
CVSS
CVE-2026-11661HIGH

Use after free in Views in Google Chrome on Windows prior to 149.0.7827.103 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)

9 Jun 2026
8.3
CVSS
CVE-2026-11660HIGH

Insufficient validation of untrusted input in New Tab Page in Google Chrome prior to 149.0.7827.103 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)

9 Jun 2026
8.3
CVSS
CVE-2026-11658MEDIUM

Insufficient validation of untrusted input in Extensions in Google Chrome prior to 149.0.7827.103 allowed a remote attacker who had compromised the renderer process to bypass site isolation via a crafted HTML page. (Chromium security severity: High)

9 Jun 2026
6.5
CVSS
CVE-2026-11656HIGH

Use after free in ServiceWorker in Google Chrome prior to 149.0.7827.103 allowed an attacker who convinced a user to install a malicious extension to potentially perform a sandbox escape via a crafted Chrome Extension. (Chromium security severity: High)

9 Jun 2026
8.3
CVSS
← PrevPage 9 / 34Next →