Skip to main content

Microsoft CVE-2026-0390

| EUVDEUVD-2026-22350 MEDIUM
Reliance on Untrusted Inputs in a Security Decision (CWE-807)
2026-04-14 microsoft GHSA-crrm-44jr-89j8
6.7
CVSS 3.1 · NVD
Temporal: 5.8
Share

Severity by source

NVD PRIMARY
6.7 MEDIUM
AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
CIRCL (temporal)
5.8 MEDIUM
cvss

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Analysis Generated
Apr 14, 2026 - 19:41 vuln.today
EUVD ID Assigned
Apr 14, 2026 - 17:46 euvd
EUVD-2026-22350
Analysis Generated
Apr 14, 2026 - 17:46 vuln.today
Patch released
Apr 14, 2026 - 17:46 nvd
Patch available
CVE Published
Apr 14, 2026 - 16:57 nvd
MEDIUM 6.7

DescriptionCVE.org

Reliance on untrusted inputs in a security decision in Windows Boot Loader allows an authorized attacker to bypass a security feature locally.

AnalysisAI

Windows Boot Loader accepts untrusted inputs for security decisions, allowing authorized local attackers to bypass security features with high confidentiality, integrity, and availability impact. This authentication bypass vulnerability (CVSS 6.7) affects Windows 10 versions 1607, 1809, 21H2, and 22H2, as well as Windows Server 2016, 2019, and 2022. Microsoft has released patches addressing the root cause of reliance on untrusted security-critical inputs.

Technical ContextAI

The Windows Boot Loader is a low-level firmware/boot-stage component responsible for initiating the operating system and enforcing early-stage security policies. The vulnerability stems from CWE-807 (Reliance on Untrusted Inputs in a Security Decision), a design flaw where the boot loader fails to validate or trust critical security decision inputs before enforcement. This allows an authorized local user with high privileges (PR:H in CVSS) to influence boot-time security mechanisms by providing crafted or malicious input that the loader incorrectly accepts as legitimate. The boot stage executes with maximum system privileges before normal OS protections are active, making this attack surface particularly sensitive. The local attack vector and high-privilege requirement suggest the attacker already has administrative or system-level access, but the vulnerability permits them to circumvent additional security boundaries (such as Secure Boot or other firmware-level protections) that would normally restrict their capabilities.

RemediationAI

Vendor-released patch is available. Apply the following cumulative updates or later: Windows 10 Version 1607 build 14393.9060 or later, Windows 10 Version 1809 build 17763.8644 or later, Windows 10 Version 21H2 build 19044.7184 or later, Windows 10 Version 22H2 build 19045.7184 or later, Windows Server 2016 build 14393.9060 or later, Windows Server 2019 build 17763.8644 or later, and Windows Server 2022 build 20348.5020 or later. Since this vulnerability affects the boot loader, systems may require a restart to fully apply the patch and ensure the remediation takes effect. Organizations should prioritize patching systems where high-privileged administrative accounts are shared or where insider threat risk is elevated. Full guidance and patch downloads are available at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-0390.

Share

CVE-2026-0390 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy