CVE-2026-9076 is an out-of-bounds read vulnerability in CMS (Cryptographic Message Syntax) password-based decryption, disclosed via Microsoft’s Security Response Center. This type of flaw can allow an attacker to read memory beyond its intended boundary during decryption operations, potentially leaking sensitive data such as cryptographic keys or plaintext content. Depending on where this component is used in Azure services or client tooling, the exposure could be significant for workloads relying on CMS-based encryption.

Security Architect’s Take: Identify any Azure services, SDKs, or on-premises integrations in your environment that perform CMS password-based decryption and prioritise patching once Microsoft releases an update. In the meantime, consider restricting access to decryption endpoints and reviewing audit logs for anomalous decryption activity.

Original advisory: CVE-2026-9076 Out-of-Bounds Read in CMS Password-Based Decryption