Back to board Open MSRC
MSRC compact vulnerability detail

CVE-2026-32191 · Microsoft Bing Images Remote Code Execution Vulnerability

Improper neutralization of special elements used in an os command ('os command injection') in Microsoft Bing Images allows an unauthorized attacker to execute code over a network.

Severity
Critical
Impact
Remote Code Execution
CVSS
9.8 base · 8.5 temporal
Release
2026-03-19
Signals
Microsoft Bing Images Remote Code Execution Exploited: No Publicly disclosed: No Exploitability: N/A
CWE
CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Patch Diff
Loading module diff metadata...
Resolved binary override
Use this when the MSRC module name cannot be mapped automatically or the resolved binary looks wrong.
Old version New version
Description
Improper neutralization of special elements used in an os command ('os command injection') in Microsoft Bing Images allows an unauthorized attacker to execute code over a network.
FAQ / Articles
FAQ
Why are there no links to an update or instructions with steps that must be taken to protect from this vulnerability? This vulnerability has already been fully mitigated by Microsoft. There is no action for users of this service to take. The purpose of this CVE is to provide further transparency. Please see Toward greater transparency: Unveiling Cloud Service CVEs for more information.
Microsoft Bing Images Remote Code Execution Vulnerability
Improper neutralization of special elements used in an os command ('os command injection') in Microsoft Bing Images allows an unauthorized attacker to execute code over a network.