Skip to main content

Microsoft EUVDEUVD-2026-22373

| CVE-2026-26152 HIGH
Insecure Storage of Sensitive Information (CWE-922)
2026-04-14 microsoft GHSA-8vhf-v9xm-2339
7.0
CVSS 3.1 · NVD
Temporal: 6.1
Share

Severity by source

NVD PRIMARY
7.0 HIGH
AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
CIRCL (temporal)
6.1 MEDIUM
cvss

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

6
Re-analysis Queued
Apr 17, 2026 - 15:22 vuln.today
cvss_changed
Analysis Generated
Apr 14, 2026 - 19:25 vuln.today
EUVD ID Assigned
Apr 14, 2026 - 17:46 euvd
EUVD-2026-22373
Analysis Generated
Apr 14, 2026 - 17:46 vuln.today
Patch released
Apr 14, 2026 - 17:46 nvd
Patch available
CVE Published
Apr 14, 2026 - 16:57 nvd
HIGH 7.0

DescriptionCVE.org

Insecure storage of sensitive information in Windows Cryptographic Services allows an authorized attacker to elevate privileges locally.

AnalysisAI

Local privilege escalation in Windows Cryptographic Services affects Windows 10, Windows 11, and Windows Server versions from 2012 through 2025 due to insecure storage of cryptographic material. Authenticated attackers with low privileges can exploit this CWE-922 weakness (insecure storage of sensitive information) to gain high-level access to confidentiality, integrity, and availability. Microsoft has released patches for all affected versions. No public exploit identified at time of analysis,

Technical ContextAI

Windows Cryptographic Services (part of the Windows CryptoAPI infrastructure) provides core cryptographic primitives for certificate validation, encryption, and secure key storage across the Windows platform. This vulnerability stems from CWE-922 (Insecure Storage of Sensitive Information), indicating that cryptographic keys, certificates, or other security-critical data are persisted in a location or manner that allows unauthorized access by low-privileged local users. The affected CPE strings span Windows 10 versions 1607 through 22H2, Windows 11 versions 22H3 through 26H1, and Windows Server platforms from 2012 through 2025 (including Server Core installations). The CVSS vector AV:L indicates exploitation requires local access, while AC:H (high attack complexity) suggests timing dependencies, race conditions, or specific system states are necessary. The PR:L requirement confirms that attackers need authenticated low-privilege access rather than administrative rights initially, making this a classic privilege escalation scenario where insecurely stored cryptographic material becomes the pivot point for elevation.

RemediationAI

Apply Microsoft security updates immediately through Windows Update or enterprise patch management systems. Patched versions: Windows 10 Version 1607 build 10.0.14393.9060 or later, Version 1809 build 10.0.17763.8644 or later, Version 21H2 build 10.0.19044.7184 or later, Version 22H2 build 10.0.19045.7184 or later. Windows 11 Version 22H3/23H2 build 10.0.22631.6936 or later, Version 24H2 build 10.0.26100.32690 or later, Version 25H2 build 10.0.26200.8246 or later, Version 26H1 build 10.0.28000.1836 or later. Windows Server 2012 build 6.2.9200.26026 or later, Server 2012 R2 build 6.3.9600.23132 or later, Server 2016 build 10.0.14393.9060 or later, Server 2019 build 10.0.17763.8644 or later, Server 2022 build 10.0.20348.5020 or later (or 23H2 Edition build 10.0.25398.2274 or later), Server 2

Share

EUVD-2026-22373 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy