Action not permitted
Modal body text goes here.
Modal Title
Modal Body
CVE-2026-32184 (GCVE-0-2026-32184)
Vulnerability from cvelistv5 – Published: 2026-04-14 16:57 – Updated: 2026-05-12 17:38
VLAI
EPSS
Title
Microsoft High Performance Compute (HPC) Pack Elevation of Privilege Vulnerability
Summary
Deserialization of untrusted data in Microsoft High Performance Compute Pack (HPC) allows an authorized attacker to elevate privileges locally.
Severity
CWE
- CWE-502 - Deserialization of Untrusted Data
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://msrc.microsoft.com/update-guide/vulnerabi… | vendor-advisorypatch |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Microsoft | Microsoft HPC Pack 2019 |
Affected:
1.0.0 , < 6.3.8355
(custom)
|
Date Public
2026-04-14 14:00
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-32184",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-10T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-15T03:56:38.802Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Microsoft HPC Pack 2019",
"vendor": "Microsoft",
"versions": [
{
"lessThan": "6.3.8355",
"status": "affected",
"version": "1.0.0",
"versionType": "custom"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:microsoft:microsoft_hpc_pack_2019:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3.8355",
"versionStartIncluding": "1.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"datePublic": "2026-04-14T14:00:00.000Z",
"descriptions": [
{
"lang": "en-US",
"value": "Deserialization of untrusted data in Microsoft High Performance Compute Pack (HPC) allows an authorized attacker to elevate privileges locally."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en-US",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-502",
"description": "CWE-502: Deserialization of Untrusted Data",
"lang": "en-US",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-12T17:38:29.760Z",
"orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
"shortName": "microsoft"
},
"references": [
{
"name": "Microsoft High Performance Compute (HPC) Pack Elevation of Privilege Vulnerability",
"tags": [
"vendor-advisory",
"patch"
],
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-32184"
}
],
"title": "Microsoft High Performance Compute (HPC) Pack Elevation of Privilege Vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
"assignerShortName": "microsoft",
"cveId": "CVE-2026-32184",
"datePublished": "2026-04-14T16:57:33.267Z",
"dateReserved": "2026-03-11T00:26:53.426Z",
"dateUpdated": "2026-05-12T17:38:29.760Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2026-32184",
"date": "2026-05-26",
"epss": "0.00581",
"percentile": "0.69091"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2026-32184\",\"sourceIdentifier\":\"secure@microsoft.com\",\"published\":\"2026-04-14T18:17:21.777\",\"lastModified\":\"2026-05-06T18:12:55.463\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Deserialization of untrusted data in Microsoft High Performance Compute Pack (HPC) allows an authorized attacker to elevate privileges locally.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"secure@microsoft.com\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":7.8,\"baseSeverity\":\"HIGH\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.8,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"secure@microsoft.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-502\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:microsoft:hpc_pack:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"6.3.8355\",\"matchCriteriaId\":\"A5A3FA6E-AF3D-44A0-ADDB-EBA1A2924F26\"}]}]}],\"references\":[{\"url\":\"https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-32184\",\"source\":\"secure@microsoft.com\",\"tags\":[\"Vendor Advisory\"]}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-32184\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-04-14T19:30:49.435525Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-04-14T19:30:54.582Z\"}}], \"cna\": {\"title\": \"Microsoft High Performance Compute (HPC) Pack Elevation of Privilege Vulnerability\", \"metrics\": [{\"format\": \"CVSS\", \"cvssV3_1\": {\"version\": \"3.1\", \"baseScore\": 7.8, \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C\"}, \"scenarios\": [{\"lang\": \"en-US\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"vendor\": \"Microsoft\", \"product\": \"Microsoft HPC Pack 2019\", \"versions\": [{\"status\": \"affected\", \"version\": \"1.0.0\", \"lessThan\": \"6.3.8355\", \"versionType\": \"custom\"}]}], \"datePublic\": \"2026-04-14T14:00:00.000Z\", \"references\": [{\"url\": \"https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-32184\", \"name\": \"Microsoft High Performance Compute (HPC) Pack Elevation of Privilege Vulnerability\", \"tags\": [\"vendor-advisory\", \"patch\"]}], \"descriptions\": [{\"lang\": \"en-US\", \"value\": \"Deserialization of untrusted data in Microsoft High Performance Compute Pack (HPC) allows an authorized attacker to elevate privileges locally.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en-US\", \"type\": \"CWE\", \"cweId\": \"CWE-502\", \"description\": \"CWE-502: Deserialization of Untrusted Data\"}]}], \"cpeApplicability\": [{\"nodes\": [{\"negate\": false, \"cpeMatch\": [{\"criteria\": \"cpe:2.3:a:microsoft:microsoft_hpc_pack_2019:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"6.3.8355\", \"versionStartIncluding\": \"1.0.0\"}], \"operator\": \"OR\"}]}], \"providerMetadata\": {\"orgId\": \"f38d906d-7342-40ea-92c1-6c4a2c6478c8\", \"shortName\": \"microsoft\", \"dateUpdated\": \"2026-05-12T17:38:29.760Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2026-32184\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-05-12T17:38:29.760Z\", \"dateReserved\": \"2026-03-11T00:26:53.426Z\", \"assignerOrgId\": \"f38d906d-7342-40ea-92c1-6c4a2c6478c8\", \"datePublished\": \"2026-04-14T16:57:33.267Z\", \"assignerShortName\": \"microsoft\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
}
}
CERTFR-2026-AVI-0445
Vulnerability from certfr_avis - Published: 2026-04-15 - Updated: 2026-04-15
De multiples vulnérabilités ont été découvertes dans les produits Microsoft. Certaines d'entre elles permettent à un attaquant de provoquer une exécution de code arbitraire à distance, une élévation de privilèges et un déni de service à distance.
Microsoft indique que la vulnérabilité CVE-2026-32201 est activement exploitée.
Solutions
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
Impacted products
| Vendor | Product | Description | ||
|---|---|---|---|---|
| Microsoft | N/A | Microsoft SharePoint Server Subscription Edition versions antérieures à 16.0.19725.20210 | ||
| Microsoft | N/A | azl3 rubygem-addressable 2.8.5-2 versions antérieures à 2.9.0-1 | ||
| Microsoft | N/A | Microsoft Power Apps versions antérieures à 3.26032.10.0 | ||
| Microsoft | N/A | Microsoft SQL Server 2019 pour systèmes x64 (GDR) versions antérieures à 15.0.2165.1 | ||
| Microsoft | N/A | Microsoft Visual Studio 2017 version 15.9 (inclus 15.0 - 15.8) antérieures à 15.9.79 | ||
| Microsoft | N/A | Microsoft SQL Server 2022 pour systèmes x64 (GDR) versions antérieures à 16.0.1175.1 | ||
| Microsoft | N/A | Microsoft Visual Studio Code CoPilot Chat Extension versions antérieures à 0.37.3 | ||
| Microsoft | N/A | Microsoft Visual Studio 2022 version 17.14 antérieures à 17.14.30 | ||
| Microsoft | N/A | Microsoft SQL Server 2022 pour systèmes x64 (CU 24) versions antérieures à 16.0.4250.1 | ||
| Microsoft | N/A | Microsoft SQL Server 2017 pour systèmes x64 (CU 31) versions antérieures à 14.0.3525.1 | ||
| Microsoft | N/A | Microsoft Visual Studio 2022 version 17.12 antérieures à 17.12.19 | ||
| Microsoft | N/A | Microsoft SharePoint Server 2019 versions antérieures à 16.0.10417.20114 | ||
| Microsoft | N/A | azl3 libpng 1.6.56-1 versions antérieures à 1.6.57-1 | ||
| Microsoft | N/A | Microsoft Visual Studio 2019 version 16.4 (inclus 16.0 - 16.3) antérieures à 16.11.55 | ||
| Microsoft | N/A | Microsoft SQL Server 2016 pour systèmes x64 Service Pack 3 Azure Connect Feature Pack versions antérieures à 13.0.7080.1 | ||
| Microsoft | N/A | Microsoft Visual Studio 2019 version 16.11 (inclus 16.0 - 16.10) antérieures à 16.11.55 | ||
| Microsoft | N/A | Microsoft SQL Server 2025 pour systèmes x64 (GDR) versions antérieures à 17.0.1110.1 | ||
| Microsoft | N/A | Microsoft SQL Server 2019 pour systèmes x64 (CU 32) versions antérieures à 15.0.4465.1 | ||
| Microsoft | N/A | Microsoft SQL Server 2017 pour systèmes x64 (GDR) versions antérieures à 14.0.2105.1 | ||
| Microsoft | N/A | Microsoft SharePoint Enterprise Server 2016 versions antérieures à 16.0.5548.1003 | ||
| Microsoft | N/A | Microsoft Defender Antimalware Platform versions antérieures à 4.18.26030.3011 | ||
| Microsoft | N/A | Microsoft HPC Pack 2019 versions antérieures à 6.3.8355 | ||
| Microsoft | N/A | azl3 golang 1.25.8-1 versions antérieures à 1.25.9-1 | ||
| Microsoft | N/A | Microsoft SQL Server 2016 pour systèmes x64 Service Pack 3 (GDR) versions antérieures à 13.0.6485.1 | ||
| Microsoft | N/A | Microsoft Dynamics 365 (on-premises) version 9.0 antérieures à 9.1.0044.0015 | ||
| Microsoft | N/A | Microsoft SQL Server 2025 pour systèmes x64 (CU3) versions antérieures à 17.0.4030.1 | ||
| Microsoft | N/A | PowerShell 7.5 versions antérieures à 7.5.5 | ||
| Microsoft | N/A | PowerShell 7.4 versions antérieures à 7.4.14 | ||
| Microsoft | N/A | azl3 golang 1.26.1-1 versions antérieures à 1.26.2-1 | ||
| Microsoft | N/A | azl3 libexif 0.6.24-2 versions antérieures à 0.6.24-3 |
References
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "Microsoft SharePoint Server Subscription Edition versions ant\u00e9rieures \u00e0 16.0.19725.20210",
"product": {
"name": "N/A",
"vendor": {
"name": "Microsoft",
"scada": false
}
}
},
{
"description": "azl3 rubygem-addressable 2.8.5-2 versions ant\u00e9rieures \u00e0 2.9.0-1",
"product": {
"name": "N/A",
"vendor": {
"name": "Microsoft",
"scada": false
}
}
},
{
"description": "Microsoft Power Apps versions ant\u00e9rieures \u00e0 3.26032.10.0",
"product": {
"name": "N/A",
"vendor": {
"name": "Microsoft",
"scada": false
}
}
},
{
"description": "Microsoft SQL Server 2019 pour syst\u00e8mes x64 (GDR) versions ant\u00e9rieures \u00e0 15.0.2165.1",
"product": {
"name": "N/A",
"vendor": {
"name": "Microsoft",
"scada": false
}
}
},
{
"description": "Microsoft Visual Studio 2017 version 15.9 (inclus 15.0 - 15.8) ant\u00e9rieures \u00e0 15.9.79",
"product": {
"name": "N/A",
"vendor": {
"name": "Microsoft",
"scada": false
}
}
},
{
"description": "Microsoft SQL Server 2022 pour syst\u00e8mes x64 (GDR) versions ant\u00e9rieures \u00e0 16.0.1175.1",
"product": {
"name": "N/A",
"vendor": {
"name": "Microsoft",
"scada": false
}
}
},
{
"description": "Microsoft Visual Studio Code CoPilot Chat Extension versions ant\u00e9rieures \u00e0 0.37.3",
"product": {
"name": "N/A",
"vendor": {
"name": "Microsoft",
"scada": false
}
}
},
{
"description": "Microsoft Visual Studio 2022 version 17.14 ant\u00e9rieures \u00e0 17.14.30",
"product": {
"name": "N/A",
"vendor": {
"name": "Microsoft",
"scada": false
}
}
},
{
"description": "Microsoft SQL Server 2022 pour syst\u00e8mes x64 (CU 24) versions ant\u00e9rieures \u00e0 16.0.4250.1",
"product": {
"name": "N/A",
"vendor": {
"name": "Microsoft",
"scada": false
}
}
},
{
"description": "Microsoft SQL Server 2017 pour syst\u00e8mes x64 (CU 31) versions ant\u00e9rieures \u00e0 14.0.3525.1",
"product": {
"name": "N/A",
"vendor": {
"name": "Microsoft",
"scada": false
}
}
},
{
"description": "Microsoft Visual Studio 2022 version 17.12 ant\u00e9rieures \u00e0 17.12.19",
"product": {
"name": "N/A",
"vendor": {
"name": "Microsoft",
"scada": false
}
}
},
{
"description": "Microsoft SharePoint Server 2019 versions ant\u00e9rieures \u00e0 16.0.10417.20114",
"product": {
"name": "N/A",
"vendor": {
"name": "Microsoft",
"scada": false
}
}
},
{
"description": "azl3 libpng 1.6.56-1 versions ant\u00e9rieures \u00e0 1.6.57-1",
"product": {
"name": "N/A",
"vendor": {
"name": "Microsoft",
"scada": false
}
}
},
{
"description": "Microsoft Visual Studio 2019 version 16.4 (inclus 16.0 - 16.3) ant\u00e9rieures \u00e0 16.11.55",
"product": {
"name": "N/A",
"vendor": {
"name": "Microsoft",
"scada": false
}
}
},
{
"description": "Microsoft SQL Server 2016 pour syst\u00e8mes x64 Service Pack 3 Azure Connect Feature Pack versions ant\u00e9rieures \u00e0 13.0.7080.1",
"product": {
"name": "N/A",
"vendor": {
"name": "Microsoft",
"scada": false
}
}
},
{
"description": "Microsoft Visual Studio 2019 version 16.11 (inclus 16.0 - 16.10) ant\u00e9rieures \u00e0 16.11.55",
"product": {
"name": "N/A",
"vendor": {
"name": "Microsoft",
"scada": false
}
}
},
{
"description": "Microsoft SQL Server 2025 pour syst\u00e8mes x64 (GDR) versions ant\u00e9rieures \u00e0 17.0.1110.1",
"product": {
"name": "N/A",
"vendor": {
"name": "Microsoft",
"scada": false
}
}
},
{
"description": "Microsoft SQL Server 2019 pour syst\u00e8mes x64 (CU 32) versions ant\u00e9rieures \u00e0 15.0.4465.1",
"product": {
"name": "N/A",
"vendor": {
"name": "Microsoft",
"scada": false
}
}
},
{
"description": "Microsoft SQL Server 2017 pour syst\u00e8mes x64 (GDR) versions ant\u00e9rieures \u00e0 14.0.2105.1",
"product": {
"name": "N/A",
"vendor": {
"name": "Microsoft",
"scada": false
}
}
},
{
"description": "Microsoft SharePoint Enterprise Server 2016 versions ant\u00e9rieures \u00e0 16.0.5548.1003",
"product": {
"name": "N/A",
"vendor": {
"name": "Microsoft",
"scada": false
}
}
},
{
"description": "Microsoft Defender Antimalware Platform versions ant\u00e9rieures \u00e0 4.18.26030.3011",
"product": {
"name": "N/A",
"vendor": {
"name": "Microsoft",
"scada": false
}
}
},
{
"description": "Microsoft HPC Pack 2019 versions ant\u00e9rieures \u00e0 6.3.8355",
"product": {
"name": "N/A",
"vendor": {
"name": "Microsoft",
"scada": false
}
}
},
{
"description": "azl3 golang 1.25.8-1 versions ant\u00e9rieures \u00e0 1.25.9-1",
"product": {
"name": "N/A",
"vendor": {
"name": "Microsoft",
"scada": false
}
}
},
{
"description": "Microsoft SQL Server 2016 pour syst\u00e8mes x64 Service Pack 3 (GDR) versions ant\u00e9rieures \u00e0 13.0.6485.1",
"product": {
"name": "N/A",
"vendor": {
"name": "Microsoft",
"scada": false
}
}
},
{
"description": "Microsoft Dynamics 365 (on-premises) version 9.0 ant\u00e9rieures \u00e0 9.1.0044.0015",
"product": {
"name": "N/A",
"vendor": {
"name": "Microsoft",
"scada": false
}
}
},
{
"description": "Microsoft SQL Server 2025 pour syst\u00e8mes x64 (CU3) versions ant\u00e9rieures \u00e0 17.0.4030.1",
"product": {
"name": "N/A",
"vendor": {
"name": "Microsoft",
"scada": false
}
}
},
{
"description": "PowerShell 7.5 versions ant\u00e9rieures \u00e0 7.5.5",
"product": {
"name": "N/A",
"vendor": {
"name": "Microsoft",
"scada": false
}
}
},
{
"description": "PowerShell 7.4 versions ant\u00e9rieures \u00e0 7.4.14",
"product": {
"name": "N/A",
"vendor": {
"name": "Microsoft",
"scada": false
}
}
},
{
"description": "azl3 golang 1.26.1-1 versions ant\u00e9rieures \u00e0 1.26.2-1",
"product": {
"name": "N/A",
"vendor": {
"name": "Microsoft",
"scada": false
}
}
},
{
"description": "azl3 libexif 0.6.24-2 versions ant\u00e9rieures \u00e0 0.6.24-3",
"product": {
"name": "N/A",
"vendor": {
"name": "Microsoft",
"scada": false
}
}
}
],
"affected_systems_content": "",
"content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
"cves": [
{
"name": "CVE-2026-20945",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-20945"
},
{
"name": "CVE-2026-21637",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-21637"
},
{
"name": "CVE-2026-35611",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-35611"
},
{
"name": "CVE-2026-40385",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-40385"
},
{
"name": "CVE-2026-26143",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-26143"
},
{
"name": "CVE-2026-32631",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-32631"
},
{
"name": "CVE-2026-32167",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-32167"
},
{
"name": "CVE-2026-34757",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-34757"
},
{
"name": "CVE-2026-33120",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-33120"
},
{
"name": "CVE-2026-33825",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-33825"
},
{
"name": "CVE-2026-23653",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23653"
},
{
"name": "CVE-2026-26149",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-26149"
},
{
"name": "CVE-2026-32184",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-32184"
},
{
"name": "CVE-2026-32203",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-32203"
},
{
"name": "CVE-2026-32201",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-32201"
},
{
"name": "CVE-2026-32178",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-32178"
},
{
"name": "CVE-2026-33810",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-33810"
},
{
"name": "CVE-2026-40386",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-40386"
},
{
"name": "CVE-2026-33103",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-33103"
},
{
"name": "CVE-2026-32176",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-32176"
}
],
"initial_release_date": "2026-04-15T00:00:00",
"last_revision_date": "2026-04-15T00:00:00",
"links": [],
"reference": "CERTFR-2026-AVI-0445",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2026-04-15T00:00:00.000000"
}
],
"risks": [
{
"description": "D\u00e9ni de service \u00e0 distance"
},
{
"description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
},
{
"description": "Non sp\u00e9cifi\u00e9 par l\u0027\u00e9diteur"
},
{
"description": "Contournement de la politique de s\u00e9curit\u00e9"
},
{
"description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
},
{
"description": "\u00c9l\u00e9vation de privil\u00e8ges"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans les produits Microsoft. Certaines d\u0027entre elles permettent \u00e0 un attaquant de provoquer une ex\u00e9cution de code arbitraire \u00e0 distance, une \u00e9l\u00e9vation de privil\u00e8ges et un d\u00e9ni de service \u00e0 distance.\n\nMicrosoft indique que la vuln\u00e9rabilit\u00e9 CVE-2026-32201 est activement exploit\u00e9e.",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans les produits Microsoft",
"vendor_advisories": [
{
"published_at": "2026-04-11",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-35611",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-35611"
},
{
"published_at": "2026-04-14",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-26143",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-26143"
},
{
"published_at": "2026-04-12",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-34757",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-34757"
},
{
"published_at": "2026-04-14",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-33103",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-33103"
},
{
"published_at": "2026-04-14",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-32178",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-32178"
},
{
"published_at": "2026-04-14",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-32176",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-32176"
},
{
"published_at": "2026-04-14",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-32167",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-32167"
},
{
"published_at": "2026-04-14",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-32631",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-32631"
},
{
"published_at": "2026-04-14",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-32203",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-32203"
},
{
"published_at": "2026-04-14",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-32184",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-32184"
},
{
"published_at": "2026-04-14",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-32201",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-32201"
},
{
"published_at": "2026-04-14",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-20945",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-20945"
},
{
"published_at": "2026-04-14",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-21637",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-21637"
},
{
"published_at": "2026-04-14",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-23653",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-23653"
},
{
"published_at": "2026-04-14",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-33825",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-33825"
},
{
"published_at": "2026-04-11",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-33810",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-33810"
},
{
"published_at": "2026-04-14",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-40385",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-40385"
},
{
"published_at": "2026-04-14",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-40386",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-40386"
},
{
"published_at": "2026-04-14",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-33120",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-33120"
},
{
"published_at": "2026-04-14",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-26149",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-26149"
}
]
}
FKIE_CVE-2026-32184
Vulnerability from fkie_nvd - Published: 2026-04-14 18:17 - Updated: 2026-05-06 18:12
Severity
Summary
Deserialization of untrusted data in Microsoft High Performance Compute Pack (HPC) allows an authorized attacker to elevate privileges locally.
References
| URL | Tags | ||
|---|---|---|---|
| secure@microsoft.com | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-32184 | Vendor Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:microsoft:hpc_pack:*:*:*:*:*:*:*:*",
"matchCriteriaId": "A5A3FA6E-AF3D-44A0-ADDB-EBA1A2924F26",
"versionEndExcluding": "6.3.8355",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Deserialization of untrusted data in Microsoft High Performance Compute Pack (HPC) allows an authorized attacker to elevate privileges locally."
}
],
"id": "CVE-2026-32184",
"lastModified": "2026-05-06T18:12:55.463",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 1.8,
"impactScore": 5.9,
"source": "secure@microsoft.com",
"type": "Primary"
}
]
},
"published": "2026-04-14T18:17:21.777",
"references": [
{
"source": "secure@microsoft.com",
"tags": [
"Vendor Advisory"
],
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-32184"
}
],
"sourceIdentifier": "secure@microsoft.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-502"
}
],
"source": "secure@microsoft.com",
"type": "Primary"
}
]
}
GHSA-C6VR-GRF8-R7QJ
Vulnerability from github – Published: 2026-04-14 18:30 – Updated: 2026-04-14 18:30
VLAI
Details
Deserialization of untrusted data in Microsoft High Performance Compute Pack (HPC) allows an authorized attacker to elevate privileges locally.
Severity
7.8 (High)
{
"affected": [],
"aliases": [
"CVE-2026-32184"
],
"database_specific": {
"cwe_ids": [
"CWE-502"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-04-14T18:17:21Z",
"severity": "HIGH"
},
"details": "Deserialization of untrusted data in Microsoft High Performance Compute Pack (HPC) allows an authorized attacker to elevate privileges locally.",
"id": "GHSA-c6vr-grf8-r7qj",
"modified": "2026-04-14T18:30:41Z",
"published": "2026-04-14T18:30:41Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32184"
},
{
"type": "WEB",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-32184"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
MSRC_CVE-2026-32184
Vulnerability from csaf_microsoft - Published: 2026-04-14 07:00 - Updated: 2026-04-14 07:00Summary
Microsoft High Performance Compute (HPC) Pack Elevation of Privilege Vulnerability
Severity
Important
Notes
Additional Resources: To determine the support lifecycle for your software, see the Microsoft Support Lifecycle: https://support.microsoft.com/lifecycle
Disclaimer: The information provided in the Microsoft Knowledge Base is provided \"as is\" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.
Customer Action: Required. The vulnerability documented by this CVE requires customer action to resolve.
CWE-502
- Deserialization of Untrusted Data
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Microsoft HPC Pack 2019 6.3.8355
Microsoft HPC Pack 2019
|
6.3.8355 |
Known affected
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Microsoft HPC Pack 2019 <6.3.8355
Microsoft HPC Pack 2019
|
<6.3.8355 |
Vendor Fix
fix
|
Threats
Impact
Elevation of Privilege
Exploit Status
Publicly Disclosed:No;Exploited:No;Latest Software Release:Exploitation Less Likely
References
7 references
| URL | Category |
|---|---|
| https://msrc.microsoft.com/update-guide/vulnerabi… | self |
| https://msrc.microsoft.com/csaf/advisories/2026/m… | self |
| https://www.microsoft.com/en-us/msrc/exploitabili… | external |
| https://support.microsoft.com/lifecycle | external |
| https://www.first.org/cvss | external |
| https://msrc.microsoft.com/update-guide/vulnerabi… | self |
| https://msrc.microsoft.com/csaf/advisories/2026/m… | self |
Acknowledgments
Long Zhang
Long Zhang
{
"document": {
"acknowledgments": [
{
"names": [
"Long Zhang"
]
},
{
"names": [
"Long Zhang"
]
}
],
"aggregate_severity": {
"namespace": "https://www.microsoft.com/en-us/msrc/security-update-severity-rating-system",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Public",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en-US",
"notes": [
{
"category": "general",
"text": "To determine the support lifecycle for your software, see the Microsoft Support Lifecycle: https://support.microsoft.com/lifecycle",
"title": "Additional Resources"
},
{
"category": "legal_disclaimer",
"text": "The information provided in the Microsoft Knowledge Base is provided \\\"as is\\\" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.",
"title": "Disclaimer"
},
{
"category": "general",
"text": "Required. The vulnerability documented by this CVE requires customer action to resolve.",
"title": "Customer Action"
}
],
"publisher": {
"category": "vendor",
"contact_details": "secure@microsoft.com",
"name": "Microsoft Security Response Center",
"namespace": "https://msrc.microsoft.com"
},
"references": [
{
"category": "self",
"summary": "CVE-2026-32184 Microsoft High Performance Compute (HPC) Pack Elevation of Privilege Vulnerability - HTML",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-32184"
},
{
"category": "self",
"summary": "CVE-2026-32184 Microsoft High Performance Compute (HPC) Pack Elevation of Privilege Vulnerability - CSAF",
"url": "https://msrc.microsoft.com/csaf/advisories/2026/msrc_cve-2026-32184.json"
},
{
"category": "external",
"summary": "Microsoft Exploitability Index",
"url": "https://www.microsoft.com/en-us/msrc/exploitability-index?rtc=1"
},
{
"category": "external",
"summary": "Microsoft Support Lifecycle",
"url": "https://support.microsoft.com/lifecycle"
},
{
"category": "external",
"summary": "Common Vulnerability Scoring System",
"url": "https://www.first.org/cvss"
}
],
"title": "Microsoft High Performance Compute (HPC) Pack Elevation of Privilege Vulnerability",
"tracking": {
"current_release_date": "2026-04-14T07:00:00.000Z",
"generator": {
"date": "2026-04-14T16:56:51.828Z",
"engine": {
"name": "MSRC Generator",
"version": "1.0"
}
},
"id": "msrc_CVE-2026-32184",
"initial_release_date": "2026-04-14T07:00:00.000Z",
"revision_history": [
{
"date": "2026-04-14T07:00:00.000Z",
"legacy_version": "1",
"number": "1",
"summary": "Information published."
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"category": "product_version_range",
"name": "\u003c6.3.8355",
"product": {
"name": "Microsoft HPC Pack 2019 \u003c6.3.8355",
"product_id": "1"
}
},
{
"category": "product_version",
"name": "6.3.8355",
"product": {
"name": "Microsoft HPC Pack 2019 6.3.8355",
"product_id": "12455"
}
}
],
"category": "product_name",
"name": "Microsoft HPC Pack 2019"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2026-32184",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"notes": [
{
"category": "general",
"text": "Microsoft",
"title": "Assigning CNA"
},
{
"category": "faq",
"text": "An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.",
"title": "What privileges could be gained by an attacker who successfully exploited this vulnerability?"
},
{
"category": "faq",
"text": "Customers should install the latest security update for HPC Pack 2019 Update 3 on affected systems. Microsoft has released HPC Pack 2019 Update 3 Fixes (Build 6.3.8355), which includes all previously released fixes for this vulnerability. Customers running HPC Pack 2019 Update 3 can apply this update directly, regardless of whether earlier fixes were installed. Customers using earlier versions of HPC Pack must first upgrade to HPC Pack 2019 Update 3 (Build 6.3.8328) before applying the fix. HPC Pack 2016 is not supported for this update; customers using that version must migrate to HPC Pack 2019 Update 3 to be protected. This update applies only to head nodes and updates a limited set of binaries related to the HPC Scheduler and Management services. Other node types are not affected and do not require action.\nNo. There are no QFE updates available for HPC Pack 2016. Customers using HPC Pack 2016 must migrate to HPC Pack 2019 Update 3 and then apply the available QFE to receive the fix.\nNo. The QFE only needs to be applied to the head nodes of the HPC Pack cluster. Compute nodes are not affected and do not require the update.",
"title": "What do customers need to do to mitigate this vulnerability?"
}
],
"product_status": {
"fixed": [
"12455"
],
"known_affected": [
"1"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2026-32184 Microsoft High Performance Compute (HPC) Pack Elevation of Privilege Vulnerability - HTML",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-32184"
},
{
"category": "self",
"summary": "CVE-2026-32184 Microsoft High Performance Compute (HPC) Pack Elevation of Privilege Vulnerability - CSAF",
"url": "https://msrc.microsoft.com/csaf/advisories/2026/msrc_cve-2026-32184.json"
}
],
"remediations": [
{
"category": "vendor_fix",
"date": "2026-04-14T07:00:00.000Z",
"details": "6.3.8355:Security Update:https://github.com/Azure/hpcpack/blob/master/CHANGELOG.md#hpc-pack-2019-update-3-qfe-kb5081004-638355---2212026",
"product_ids": [
"1"
],
"url": "https://github.com/Azure/hpcpack/blob/master/CHANGELOG.md#hpc-pack-2019-update-3-qfe-kb5081004-638355---2212026"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"environmentalsScore": 0.0,
"exploitCodeMaturity": "UNPROVEN",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"remediationLevel": "OFFICIAL_FIX",
"reportConfidence": "CONFIRMED",
"scope": "UNCHANGED",
"temporalScore": 6.8,
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C",
"version": "3.1"
},
"products": [
"1"
]
}
],
"threats": [
{
"category": "impact",
"details": "Elevation of Privilege"
},
{
"category": "exploit_status",
"details": "Publicly Disclosed:No;Exploited:No;Latest Software Release:Exploitation Less Likely"
}
],
"title": "Microsoft High Performance Compute (HPC) Pack Elevation of Privilege Vulnerability"
}
]
}
NCSC-2026-0117
Vulnerability from csaf_ncscnl - Published: 2026-04-14 19:23 - Updated: 2026-04-14 19:23Summary
Kwetsbaarheden verholpen in Microsoft Azure
Notes
The Netherlands Cyber Security Center (henceforth: NCSC-NL) maintains this page to enhance access to its information and security advisories. The use of this security advisory is subject to the following terms and conditions:
NCSC-NL makes every reasonable effort to ensure that the content of this page is kept up to date, and that it is accurate and complete. Nevertheless, NCSC-NL cannot entirely rule out the possibility of errors, and therefore cannot give any warranty in respect of its completeness, accuracy or continuous keeping up-to-date. The information contained in this security advisory is intended solely for the purpose of providing general information to professional users. No rights can be derived from the information provided therein.
NCSC-NL and the Kingdom of the Netherlands assume no legal liability or responsibility for any damage resulting from either the use or inability of use of this security advisory. This includes damage resulting from the inaccuracy of incompleteness of the information contained in the advisory.
This security advisory is subject to Dutch law. All disputes related to or arising from the use of this advisory will be submitted to the competent court in The Hague. This choice of means also applies to the court in summary proceedings.
Feiten: Microsoft heeft kwetsbaarheden verholpen in diverse Azure componenten.
Interpretaties: Een kwaadwillende kan deze kwetsbaarheden misbruiken doordat meerdere Azure- en Microsoft-componenten invoer onvoldoende valideren of niet-vertrouwde data onveilig verwerken, waardoor een geautoriseerde aanvaller lokaal of via het netwerk zijn rechten kan verhogen.
```
Microsoft High Performance Compute Pack (HPC):
|----------------|------|-------------------------------------|
| CVE-ID | CVSS | Impact |
|----------------|------|-------------------------------------|
| CVE-2026-32184 | 7,80 | Verkrijgen van verhoogde rechten |
|----------------|------|-------------------------------------|
Azure Monitor Agent:
|----------------|------|-------------------------------------|
| CVE-ID | CVSS | Impact |
|----------------|------|-------------------------------------|
| CVE-2026-32168 | 7,80 | Verkrijgen van verhoogde rechten |
| CVE-2026-32192 | 7,80 | Verkrijgen van verhoogde rechten |
|----------------|------|-------------------------------------|
Azure Logic Apps:
|----------------|------|-------------------------------------|
| CVE-ID | CVSS | Impact |
|----------------|------|-------------------------------------|
| CVE-2026-32171 | 8,80 | Verkrijgen van verhoogde rechten |
|----------------|------|-------------------------------------|
```
Oplossingen: Microsoft heeft updates beschikbaar gesteld waarmee de beschreven kwetsbaarheden worden verholpen. We raden u aan om deze updates te installeren. Meer informatie over de kwetsbaarheden, de installatie van de updates en eventuele work-arounds vindt u op:
https://portal.msrc.microsoft.com/en-us/security-guidance
Kans: medium
Schade: high
CWE-502: Deserialization of Untrusted Data
CWE-522: Insufficiently Protected Credentials
CWE-20: Improper Input Validation
An improper input validation vulnerability in the Azure Monitor Agent enables an authorized attacker to perform local privilege escalation.
Affected products
Known affected
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
vers:unknown/*
Microsoft / Azure Logic Apps
|
vers:unknown/* | ||
|
vers:unknown/*
Microsoft / Azure Monitor
|
vers:unknown/* | ||
|
vers:unknown/*
Microsoft / Azure Monitor Agent
|
vers:unknown/* | ||
|
vers:unknown/*
Microsoft / Microsoft HPC Pack 2019
|
vers:unknown/* |
Insufficiently protected credentials in Azure Logic Apps allow an authorized attacker to elevate privileges over a network, posing a significant security risk.
CWE-522 - Insufficiently Protected CredentialsAffected products
Known affected
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
vers:unknown/*
Microsoft / Azure Logic Apps
|
vers:unknown/* | ||
|
vers:unknown/*
Microsoft / Azure Monitor
|
vers:unknown/* | ||
|
vers:unknown/*
Microsoft / Azure Monitor Agent
|
vers:unknown/* | ||
|
vers:unknown/*
Microsoft / Microsoft HPC Pack 2019
|
vers:unknown/* |
A deserialization vulnerability in Microsoft High Performance Compute Pack (HPC) enables an authorized local attacker to elevate privileges by processing untrusted data.
CWE-502 - Deserialization of Untrusted DataAffected products
Known affected
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
vers:unknown/*
Microsoft / Azure Logic Apps
|
vers:unknown/* | ||
|
vers:unknown/*
Microsoft / Azure Monitor
|
vers:unknown/* | ||
|
vers:unknown/*
Microsoft / Azure Monitor Agent
|
vers:unknown/* | ||
|
vers:unknown/*
Microsoft / Microsoft HPC Pack 2019
|
vers:unknown/* |
A deserialization vulnerability in Azure Monitor Agent allows an authorized attacker to locally elevate privileges by processing untrusted data.
CWE-502 - Deserialization of Untrusted DataAffected products
Known affected
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
vers:unknown/*
Microsoft / Azure Logic Apps
|
vers:unknown/* | ||
|
vers:unknown/*
Microsoft / Azure Monitor
|
vers:unknown/* | ||
|
vers:unknown/*
Microsoft / Azure Monitor Agent
|
vers:unknown/* | ||
|
vers:unknown/*
Microsoft / Microsoft HPC Pack 2019
|
vers:unknown/* |
References
{
"document": {
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"tlp": {
"label": "WHITE"
}
},
"lang": "nl",
"notes": [
{
"category": "legal_disclaimer",
"text": "The Netherlands Cyber Security Center (henceforth: NCSC-NL) maintains this page to enhance access to its information and security advisories. The use of this security advisory is subject to the following terms and conditions:\n\n NCSC-NL makes every reasonable effort to ensure that the content of this page is kept up to date, and that it is accurate and complete. Nevertheless, NCSC-NL cannot entirely rule out the possibility of errors, and therefore cannot give any warranty in respect of its completeness, accuracy or continuous keeping up-to-date. The information contained in this security advisory is intended solely for the purpose of providing general information to professional users. No rights can be derived from the information provided therein.\n\n NCSC-NL and the Kingdom of the Netherlands assume no legal liability or responsibility for any damage resulting from either the use or inability of use of this security advisory. This includes damage resulting from the inaccuracy of incompleteness of the information contained in the advisory.\n This security advisory is subject to Dutch law. All disputes related to or arising from the use of this advisory will be submitted to the competent court in The Hague. This choice of means also applies to the court in summary proceedings."
},
{
"category": "description",
"text": "Microsoft heeft kwetsbaarheden verholpen in diverse Azure componenten.",
"title": "Feiten"
},
{
"category": "description",
"text": "Een kwaadwillende kan deze kwetsbaarheden misbruiken doordat meerdere Azure- en Microsoft-componenten invoer onvoldoende valideren of niet-vertrouwde data onveilig verwerken, waardoor een geautoriseerde aanvaller lokaal of via het netwerk zijn rechten kan verhogen.\n\n```\nMicrosoft High Performance Compute Pack (HPC): \n|----------------|------|-------------------------------------|\n| CVE-ID | CVSS | Impact |\n|----------------|------|-------------------------------------|\n| CVE-2026-32184 | 7,80 | Verkrijgen van verhoogde rechten | \n|----------------|------|-------------------------------------|\n\nAzure Monitor Agent: \n|----------------|------|-------------------------------------|\n| CVE-ID | CVSS | Impact |\n|----------------|------|-------------------------------------|\n| CVE-2026-32168 | 7,80 | Verkrijgen van verhoogde rechten | \n| CVE-2026-32192 | 7,80 | Verkrijgen van verhoogde rechten | \n|----------------|------|-------------------------------------|\n\nAzure Logic Apps: \n|----------------|------|-------------------------------------|\n| CVE-ID | CVSS | Impact |\n|----------------|------|-------------------------------------|\n| CVE-2026-32171 | 8,80 | Verkrijgen van verhoogde rechten | \n|----------------|------|-------------------------------------|\n\n```",
"title": "Interpretaties"
},
{
"category": "description",
"text": "Microsoft heeft updates beschikbaar gesteld waarmee de beschreven kwetsbaarheden worden verholpen. We raden u aan om deze updates te installeren. Meer informatie over de kwetsbaarheden, de installatie van de updates en eventuele work-arounds vindt u op:\n\nhttps://portal.msrc.microsoft.com/en-us/security-guidance",
"title": "Oplossingen"
},
{
"category": "general",
"text": "medium",
"title": "Kans"
},
{
"category": "general",
"text": "high",
"title": "Schade"
},
{
"category": "general",
"text": "Deserialization of Untrusted Data",
"title": "CWE-502"
},
{
"category": "general",
"text": "Insufficiently Protected Credentials",
"title": "CWE-522"
},
{
"category": "general",
"text": "Improper Input Validation",
"title": "CWE-20"
}
],
"publisher": {
"category": "coordinator",
"contact_details": "cert@ncsc.nl",
"name": "Nationaal Cyber Security Centrum",
"namespace": "https://www.ncsc.nl/"
},
"title": "Kwetsbaarheden verholpen in Microsoft Azure",
"tracking": {
"current_release_date": "2026-04-14T19:23:30.733725Z",
"generator": {
"date": "2025-08-04T16:30:00Z",
"engine": {
"name": "V.A.",
"version": "1.3"
}
},
"id": "NCSC-2026-0117",
"initial_release_date": "2026-04-14T19:23:30.733725Z",
"revision_history": [
{
"date": "2026-04-14T19:23:30.733725Z",
"number": "1.0.0",
"summary": "Initiele versie"
}
],
"status": "final",
"version": "1.0.0"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version_range",
"name": "vers:unknown/*",
"product": {
"name": "vers:unknown/*",
"product_id": "CSAFPID-1"
}
}
],
"category": "product_name",
"name": "Azure Logic Apps"
},
{
"branches": [
{
"category": "product_version_range",
"name": "vers:unknown/*",
"product": {
"name": "vers:unknown/*",
"product_id": "CSAFPID-2"
}
}
],
"category": "product_name",
"name": "Azure Monitor"
},
{
"branches": [
{
"category": "product_version_range",
"name": "vers:unknown/*",
"product": {
"name": "vers:unknown/*",
"product_id": "CSAFPID-3"
}
}
],
"category": "product_name",
"name": "Azure Monitor Agent"
},
{
"branches": [
{
"category": "product_version_range",
"name": "vers:unknown/*",
"product": {
"name": "vers:unknown/*",
"product_id": "CSAFPID-4"
}
}
],
"category": "product_name",
"name": "Microsoft HPC Pack 2019"
}
],
"category": "vendor",
"name": "Microsoft"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2026-32168",
"notes": [
{
"category": "description",
"text": "An improper input validation vulnerability in the Azure Monitor Agent enables an authorized attacker to perform local privilege escalation.",
"title": "Summary"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2026-32168 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2026/cve-2026-32168.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C",
"version": "3.1"
},
"products": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4"
]
}
],
"title": "CVE-2026-32168"
},
{
"cve": "CVE-2026-32171",
"cwe": {
"id": "CWE-522",
"name": "Insufficiently Protected Credentials"
},
"notes": [
{
"category": "other",
"text": "Insufficiently Protected Credentials",
"title": "CWE-522"
},
{
"category": "description",
"text": "Insufficiently protected credentials in Azure Logic Apps allow an authorized attacker to elevate privileges over a network, posing a significant security risk.",
"title": "Summary"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2026-32171 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2026/cve-2026-32171.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C",
"version": "3.1"
},
"products": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4"
]
}
],
"title": "CVE-2026-32171"
},
{
"cve": "CVE-2026-32184",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"notes": [
{
"category": "other",
"text": "Deserialization of Untrusted Data",
"title": "CWE-502"
},
{
"category": "description",
"text": "A deserialization vulnerability in Microsoft High Performance Compute Pack (HPC) enables an authorized local attacker to elevate privileges by processing untrusted data.",
"title": "Summary"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2026-32184 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2026/cve-2026-32184.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C",
"version": "3.1"
},
"products": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4"
]
}
],
"title": "CVE-2026-32184"
},
{
"cve": "CVE-2026-32192",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"notes": [
{
"category": "other",
"text": "Deserialization of Untrusted Data",
"title": "CWE-502"
},
{
"category": "description",
"text": "A deserialization vulnerability in Azure Monitor Agent allows an authorized attacker to locally elevate privileges by processing untrusted data.",
"title": "Summary"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2026-32192 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2026/cve-2026-32192.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C",
"version": "3.1"
},
"products": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4"
]
}
],
"title": "CVE-2026-32192"
}
]
}
Loading…
Trend slope:
-
(linear fit over daily sighting counts)
Show additional events:
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…