Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
3DescriptionNVD
Trust boundary violation in Windows Attestation allows an authorized attacker to elevate privileges locally.
AnalysisAI
Local privilege escalation in Microsoft Windows Attestation allows an authenticated local user with low privileges to gain elevated permissions on the host through a trust boundary violation (CWE-501). The flaw is rated CVSS 7.8 with high impact across confidentiality, integrity, and availability, and there is no public exploit identified at time of analysis. The issue is tagged as Information Disclosure by the reporter, but the CVSS vector indicates full system compromise potential once exploited.
Technical ContextAI
Windows Attestation refers to Microsoft's platform attestation components (such as device health attestation and TPM-backed attestation services) that establish trust between a Windows endpoint and verifying parties about boot state, code integrity, and configuration. The root cause is classified as CWE-501 (Trust Boundary Violation), meaning code on one side of a security boundary improperly trusts data, tokens, or state originating from the other side - in this case, a low-privileged local context appears able to influence or assert state that should only be controlled by a higher-privileged component. Because attestation outputs are consumed by downstream access decisions (Conditional Access, BitLocker network unlock, Credential Guard, etc.), a violation here can let an attacker pivot from local code execution into privileged system contexts.
RemediationAI
Apply the Microsoft security update for CVE-2026-33828 as listed on the MSRC advisory at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-33828; patch status is best described as 'Patch available per vendor advisory' since the provided data does not include a specific KB or fix build. Until the patch is deployed, reduce exposure by limiting which users can run unmanaged code on attestation-relevant endpoints (enforce standard-user accounts, AppLocker or WDAC code-integrity policies, and LAPS for local admin rotation) so the AV:L/PR:L precondition is harder to satisfy; the trade-off is operational friction for power users and developers. Where attestation outputs feed Conditional Access or BitLocker network unlock, monitor for unexpected health-attestation results from individual devices and consider tightening the compliance policy to fail-closed, accepting the side effect that legitimate devices with transient TPM issues may be temporarily blocked.
Same weakness CWE-501 – Trust Boundary Violation
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-35657
GHSA-vw3f-64x5-vmq4