Microsoft Security Vulnerabilities (CVE)

Explore vulnerabilities and security advisories affecting Microsoft products.

121 known CVE vulnerabilities tracked

Critical: 12
High: 79
Medium: 28
Low: 2
None: 0

All Microsoft CVEs

CVE-2026-32077
7.8 high

Untrusted pointer dereference in Windows Universal Plug and Play (UPnP) Device Host allows an authorized attacker to elevate privileges locally.

Windows 10 1607 Apr 14, 2026
CVE-2026-26128
7.8 high

Improper authentication in Windows SMB Server allows an authorized attacker to elevate privileges locally.

Windows 10 1607 Mar 10, 2026
CVE-2026-25187
7.8 high

Improper link resolution before file access ('link following') in Winlogon allows an authorized attacker to elevate privileges locally.

Windows 10 1607 Mar 10, 2026
CVE-2026-20931
8.0 high

External control of file name or path in Windows Telephony Service allows an authorized attacker to elevate privileges over an adjacent network.

Windows 10 1607 Jan 13, 2026
CVE-2026-20921
7.5 high

Concurrent execution using shared resource with improper synchronization ('race condition') in Windows SMB Server allows an authorized attacker to elevate privileges over a network.

Windows 10 1607 Jan 13, 2026
CVE-2026-20864
7.8 high

Heap-based buffer overflow in Connected Devices Platform Service (Cdpsvc) allows an authorized attacker to elevate privileges locally.

Windows 10 1809 Jan 13, 2026
CVE-2026-20817
7.8 high

Improper handling of insufficient permissions or privileges in Windows Error Reporting allows an authorized attacker to elevate privileges locally.

Windows 10 21H2 Jan 13, 2026
CVE-2025-64675
8.3 high

Improper neutralization of input during web page generation ('cross-site scripting') in Azure Cosmos DB allows an unauthorized attacker to perform spoofing over a network.

Azure Cosmos Db Dec 19, 2025
CVE-2025-65046
3.1 low

Microsoft Edge (Chromium-based) Spoofing Vulnerability

Edge Chromium Dec 18, 2025
CVE-2025-65037
10.0 critical

Improper control of generation of code ('code injection') in Azure Container Apps allows an unauthorized attacker to execute code over a network.

Azure Container Apps Dec 18, 2025
CVE-2025-64677
8.2 high

Improper neutralization of input during web page generation ('cross-site scripting') in Office Out-of-Box Experience allows an unauthorized attacker to perform spoofing over a network.

Office Out-Of-Box Experience Dec 18, 2025
CVE-2025-65041
10.0 critical

Improper authorization in Microsoft Partner Center allows an unauthorized attacker to elevate privileges over a network.

Partner Center Dec 18, 2025
CVE-2025-64676
7.2 high

'.../...//' in Microsoft Purview allows an authorized attacker to execute code over a network.

Purview Dec 18, 2025
CVE-2025-64663
9.9 critical

Custom Question Answering Elevation of Privilege Vulnerability

Azure Language Dec 18, 2025
CVE-2025-49696
8.4 high

Out-of-bounds read in Microsoft Office allows an unauthorized attacker to execute code locally.

365 Apps Jul 8, 2025
CVE-2025-49695
8.4 high

Use after free in Microsoft Office allows an unauthorized attacker to execute code locally.

365 Apps Jul 8, 2025
CVE-2025-47953
8.4 high

Use after free in Microsoft Office allows an unauthorized attacker to execute code locally.

365 Apps Jun 10, 2025
CVE-2025-47167
8.4 high

Access of resource using incompatible type ('type confusion') in Microsoft Office allows an unauthorized attacker to execute code locally.

365 Apps Jun 10, 2025
CVE-2025-47164
8.4 high

Use after free in Microsoft Office allows an unauthorized attacker to execute code locally.

365 Apps Jun 10, 2025
CVE-2025-47162
8.4 high

Heap-based buffer overflow in Microsoft Office allows an unauthorized attacker to execute code locally.

365 Apps Jun 10, 2025
CVE-2025-30388
7.8 high

Heap-based buffer overflow in Windows Win32K - GRFX allows an unauthorized attacker to execute code locally.

365 Copilot May 13, 2025
CVE-2025-30386
8.4 high

Use after free in Microsoft Office allows an unauthorized attacker to execute code locally.

365 Apps May 13, 2025
CVE-2025-26687
7.5 high

Use after free in Windows Win32K - GRFX allows an unauthorized attacker to elevate privileges over a network.

365 Copilot Apr 8, 2025
CVE-2024-38250
7.8 high

Windows Graphics Component Elevation of Privilege Vulnerability

365 Copilot Sep 10, 2024