Summary
XBOW reports that it was credited in Microsoft’s March 2026 Patch Tuesday release for CVE-2026-21536, a critical remote-code-execution vulnerability in the Microsoft Devices Pricing Program.
NVD lists the issue as an exclusively hosted service vulnerability, Microsoft's tag for a flaw in a service it operates itself, which it fixes on its own side with no customer patch to install. The Microsoft-provided CVSS v3.1 score is 9.8 critical with the vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H: network reachable, low attack complexity, no privileges or user interaction required, and high confidentiality, integrity and availability impact, which is consistent with the 9.8 figure.
Attribution confidence
The AI-attribution source is XBOW's own disclosure. The CVE record corroborates the product, the vulnerability class, the score and Microsoft as the source, but the public NVD page says nothing about how the bug was found, so XBOW's statement is the only evidence for the autonomous workflow. We therefore mark the entry as self-reported rather than direct.
That distinction matters. The point of Bugflation is to sharpen the public record, not to turn vendor marketing into data without a label.
Why it matters
Even with the attribution caveat, the entry is important because it moves the public AI-discovery record from open-source code review into a large, hosted enterprise service, where external researchers have no source access and can only test the running system from the outside.
References
Catalogued in the Bugflation public ledger. Disagree with the attribution or severity label? Email the desk.