Windows denial-of-service flaws disclosed
Microsoft disclosed at least two Windows availability bugs — CVE-2026-33554, a critical denial-of-service that can cause total service loss, and CVE-2026-21714, a resource-exhaustion issue that degrades performance. Both are being framed as availability events that need patching plus capacity and continuity planning to mitigate real-world impact. (windowsnews.ai) (windowsnews.ai)
A denial of service bug is the software version of jamming a doorway: the system is still there, but real users cannot get through. Microsoft just published two Windows flaws in that category, and the split between them is the whole story. (msrc.microsoft.com 1) (msrc.microsoft.com 2)
One of them, CVE-2026-33554, is rated Critical by Microsoft and is described as a denial-of-service issue with an availability impact. In Microsoft’s severity system, “availability” means the attacker can knock out processing resources or service access, not steal files or change data. (msrc.microsoft.com) (microsoft.com)
The other one, CVE-2026-21714, is a resource exhaustion bug, which is what happens when a machine burns through memory, processor time, or handles until normal work slows down or stalls. Microsoft lists that flaw separately because it degrades service rather than causing the cleaner, harder stop implied by a full denial of service. (msrc.microsoft.com) (microsoft.com)
That difference sounds technical, but it changes what an outage looks like. CVE-2026-33554 is the kind of flaw that can turn a working service into a dead one, while CVE-2026-21714 is the kind that can leave the service up but gasping, with queues growing and response times stretching. (msrc.microsoft.com 1) (msrc.microsoft.com 2)
Microsoft’s own guidance system is built around patching first. The company says the Security Update Guide is the authoritative source for update information, and its severity framework says customers should apply Critical updates immediately and Important updates at the earliest opportunity. (microsoft.com 1) (microsoft.com 2)
But patching is only half the job with availability bugs, because an overloaded service can fail before a security team finishes a rollout. That is why these flaws land in the same planning bucket as load spikes, bad traffic bursts, and infrastructure incidents: you need updates, but you also need spare capacity and a way to keep essential services running when one box starts choking. (microsoft.com) (microsoft.com)
For Windows administrators, the practical checklist is plain: identify affected systems in the Security Update Guide, push the fixes through your normal Windows update tools, and watch the services that would hurt most if they slowed or stopped. Microsoft’s security bulletins documentation points administrators to update deployment systems such as Windows Server Update Services and Configuration Manager for that rollout work. (microsoft.com) (learn.microsoft.com)
The reason this pair stands out is that neither bug is about a hacker reading secrets off a machine. They are about whether the machine is still useful at all when someone starts pushing on the weak spot, and for a hospital workstation, a factory terminal, or a domain controller, “still useful” is the line that counts. (msrc.microsoft.com) (msrc.microsoft.com)