CVE-2026-33117CRITICAL 9.1EPSS p35.5%

CVE-2026-33117CVE-2026-33117

Description

The Java Key Vault Keys library in the Azure SDK for Java contains an issue in the local cryptographic verification path where authentication tag comparison was implemented incorrectly. In affected applications that use the vulnerable local cryptography path, specially crafted encrypted input may bypass integrity verification checks. Operations delegated to the Key Vault service are not affected. The issue is addressed in version 4.10.6.

Scoring

CVSS 3.19.1 (CRITICAL)
VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
EPSS0.45% probability of exploitation · percentile 35.5% · 2026-06-18T12:00:27Z
Published2026-05-12
Last modified2026-05-22

Underlying weaknesses· 2

CWE-287CWE-347

References

  1. https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-33117

2

TypeTargetConfidenceTier
WeaknessImproper Authenticationcwe-2870%live
WeaknessImproper Verification of Cryptographic Signaturecwe-3470%live

Related by meaning· 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE
CVE-2026-21228
CVE
CVE-2026-35430
CVE
CVE-2026-21531
CVE
CVE-2026-41103
CVE
CVE-2025-33074
CVE
CVE-2025-3879
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.