🟡 Medium | Source: Microsoft Security Response Center
CVE-2026-42766 is a potential NULL dereference vulnerability affecting password-based CMS (Cryptographic Message Syntax) decryption, disclosed via the Microsoft Security Response Center. A NULL dereference flaw can cause an application or service to crash when processing malformed or malicious encrypted data, potentially leading to denial of service. This matters because CMS is widely used in certificate handling, S/MIME email, and PKI workflows, meaning affected services could be disrupted by a crafted payload.
Security Architect’s Take: Review whether any Azure services or workloads in your environment rely on password-based CMS decryption, and apply Microsoft’s patch or mitigations promptly — prioritise internet-facing or shared services where an attacker could supply crafted encrypted input to trigger a crash.
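To support the review suggested above, the recipient type of a CMS message can be read from its RecipientInfo tags without decrypting anything, which shows whether a workload handles password-based (pwri) recipients at all. This is an added example, not code from Microsoft or the advisory: the function names and the constructed `SAMPLE` bytes are assumptions, the tag values follow RFC 5652, and only definite-length DER input is handled.

```python
# Added example: list the RecipientInfo kinds (RFC 5652) in a DER CMS blob, no decryption.
ENVELOPED_OIDS = {bytes.fromhex("2a864886f70d010703"),      # id-envelopedData
                  bytes.fromhex("2a864886f70d0109100117")}  # id-ct-authEnvelopedData
RECIPIENT_TAGS = {0x30: "ktri", 0xA1: "kari", 0xA2: "kekri", 0xA3: "pwri", 0xA4: "ori"}

def read_tlv(buf, pos, end):
    """Return (tag, value_start, value_end) for one definite-length TLV in buf[pos:end]."""
    if pos + 2 > end:
        raise ValueError("truncated TLV header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                           # long-form length
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > end:
            raise ValueError("indefinite, oversized or truncated length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > end:
        raise ValueError("value runs past its container")
    return tag, pos, pos + length

def expect(buf, pos, end, want):
    tag, start, stop = read_tlv(buf, pos, end)
    if tag != want:
        raise ValueError(f"expected tag {want:#04x}, got {tag:#04x}")
    return start, stop

def recipient_kinds(der):
    """List recipient kinds, or [] when the content type is not an enveloped one."""
    s, e = expect(der, 0, len(der), 0x30)       # ContentInfo SEQUENCE
    oid_s, oid_e = expect(der, s, e, 0x06)      # contentType OID
    if der[oid_s:oid_e] not in ENVELOPED_OIDS:
        return []
    s, e = expect(der, oid_e, e, 0xA0)          # [0] EXPLICIT content
    s, e = expect(der, s, e, 0x30)              # (Auth)EnvelopedData SEQUENCE
    _, pos = expect(der, s, e, 0x02)            # version INTEGER
    tag, vs, ve = read_tlv(der, pos, e)
    if tag == 0xA0:                             # optional originatorInfo
        tag, vs, ve = read_tlv(der, ve, e)
    if tag != 0x31:
        raise ValueError("recipientInfos SET not found")
    kinds = []
    while vs < ve:                              # one TLV per RecipientInfo
        tag, _, vs = read_tlv(der, vs, ve)
        kinds.append(RECIPIENT_TAGS.get(tag, f"unknown({tag:#04x})"))
    return kinds

def build_tlv(tag, value):  # builder for the constructed sample; short lengths only
    return bytes([tag, len(value)]) + value

# Constructed skeleton (not a decryptable message): one ktri and one pwri recipient.
SAMPLE = build_tlv(0x30, build_tlv(0x06, bytes.fromhex("2a864886f70d010703")) + build_tlv(0xA0,
    build_tlv(0x30, build_tlv(0x02, b"\x03") + build_tlv(0x31,
        build_tlv(0x30, b"") + build_tlv(0xA3, build_tlv(0x02, b"\x00"))))))
```

A result containing `pwri` marks a message that would go through the password-based decryption path; malformed input raises `ValueError` instead of being guessed at.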
Original advisory: CVE-2026-42766 Possible NULL Dereference in Password-Based CMS Decryption