M

Microsoft Security Vulnerabilities (CVE)

Explore vulnerabilities and security advisories affecting Microsoft products.

150 known CVE vulnerabilities tracked

Critical
13
High
104
Medium
31
Low
2
None
0

Vulnerabilities By Year

1
1997
1
2005
1
2008
5
2009
2
2010
4
2020
6
2021
37
2022
16
2023
1
2024
16
2025
60
2026

Products Affected

365 Apps 58 Windows 10 1607 17 .Net 5 Windows 11 24H2 4 Edge Chromium 4 Windows 10 4 Vp9 Video Extensions 3 Windows 10 21H2 3 Visual C\+\+ 3 365 Copilot 3 Malware Protection Engine 2 Partner Center 2 Windows 2000 2 Internet Explorer 2 365 Copilot Chat 2 Azure Managed Instance For Apache Cassandra 2 Teams 2 Office 2 Windows 11 23H2 2 Windows 10 1809 2 Windows Admin Center 1 Defender Antimalware Platform 1 Azure Cosmos Db 1 Remote Desktop Connection 1 Directx 1 Excel 1 Paint 3D 1 Heif Image Extension 1 Azure Machine Learning 1 Azure Cloud Shell 1

All Microsoft CVEs

Recent Highest Score Oldest
CVE-2026-45584
8.1 high

Heap-based buffer overflow in Microsoft Defender allows an unauthorized attacker to execute code over a network.

Malware Protection Engine May 20, 2026
CVE-2026-45498
4.0 medium

Microsoft Defender Denial of Service Vulnerability

Defender Antimalware Platform May 20, 2026
CVE-2026-42834
7.8 high

Improper link resolution before file access ('link following') in Azure Portal Windows Admin Center allows an authorized attacker to elevate privileges locally.

Windows Admin Center May 20, 2026
CVE-2026-41091
7.8 high

Improper link resolution before file access ('link following') in Microsoft Defender allows an authorized attacker to elevate privileges locally.

Malware Protection Engine May 20, 2026
CVE-2026-45585
6.8 medium

Microsoft is aware of a security feature bypass vulnerability in Windows publicly referred to as "YellowKey". The proof of concept for this vulnerability has been made public violating coordinated vulnerability best practices. We are issuing this CVE to provide mitigation guidance that can

Windows 11 24H2 May 20, 2026
CVE-2026-45495
8.8 high

Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability

Edge Chromium May 18, 2026
CVE-2026-45494
5.4 medium

Microsoft Edge (Chromium-based) Spoofing Vulnerability

Edge Chromium May 18, 2026
CVE-2026-45492
5.4 medium

Improper input validation in Microsoft Edge (Chromium-based) allows an unauthorized attacker to bypass a security feature over a network.

Edge Chromium May 18, 2026
CVE-2026-42897
8.1 high

Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Exchange Server allows an unauthorized attacker to perform spoofing over a network.

Exchange Server May 14, 2026
CVE-2026-41615
9.6 critical

Exposure of sensitive information to an unauthorized actor in Microsoft Authenticator allows an unauthorized attacker to disclose information over a network.

Authenticator May 14, 2026
CVE-2026-42833
9.1 critical

Improper control of generation of code ('code injection') in Microsoft Dynamics 365 (on-premises) allows an authorized attacker to execute code over a network.

Dynamics 365 May 12, 2026
CVE-2026-41088
7.8 high

Access of resource using incompatible type ('type confusion') in Windows Ancillary Function Driver for WinSock allows an authorized attacker to elevate privileges locally.

Windows 10 21H2 May 12, 2026
CVE-2026-40421
4.3 medium

Files or directories accessible to external parties in Microsoft Office Word allows an unauthorized attacker to disclose information locally.

365 Apps May 12, 2026
CVE-2026-40420
8.8 high

Use after free in Microsoft Office allows an authorized attacker to elevate privileges locally.

365 Apps May 12, 2026
CVE-2026-40418
7.8 high

Use after free in Microsoft Office allows an authorized attacker to elevate privileges locally.

365 Apps May 12, 2026
CVE-2026-40417
7.8 high

Weak authentication in Dynamics Business Central allows an authorized attacker to elevate privileges locally.

Dynamics 365 Business Central May 12, 2026
CVE-2026-40414
7.4 high

Windows TCP/IP Denial of Service Vulnerability

Windows 10 1607 May 12, 2026
CVE-2026-40413
7.4 high

Windows TCP/IP Denial of Service Vulnerability

Windows 10 1607 May 12, 2026
CVE-2026-40401
7.1 high

Windows TCP/IP Denial of Service Vulnerability

Windows 10 1607 May 12, 2026
CVE-2026-40399
7.8 high

Concurrent execution using shared resource with improper synchronization ('race condition') in Windows TCP/IP allows an authorized attacker to elevate privileges locally.

Windows 10 1607 May 12, 2026
CVE-2026-40397
7.8 high

Heap-based buffer overflow in Windows Common Log File System Driver allows an authorized attacker to elevate privileges locally.

Windows 10 1607 May 12, 2026
CVE-2026-40369
7.8 high

Heap-based buffer overflow in Windows Kernel allows an authorized attacker to elevate privileges locally.

Windows 11 24H2 May 12, 2026
CVE-2026-40367
8.4 high

Access of resource using incompatible type ('type confusion') in Microsoft Office Word allows an unauthorized attacker to execute code locally.

365 Apps May 12, 2026
CVE-2026-40366
8.4 high

Access of resource using incompatible type ('type confusion') in Microsoft Office Word allows an unauthorized attacker to execute code locally.

365 Apps May 12, 2026