Skip to main content

Microsoft EUVDEUVD-2026-22388

| CVE-2026-26162 HIGH
Access of Resource Using Incompatible Type (Type Confusion) (CWE-843)
2026-04-14 microsoft
7.8
CVSS 3.1 · NVD
Temporal: 6.8
Share

Severity by source

NVD PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CIRCL (temporal)
6.8 MEDIUM
cvss

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

6
Re-analysis Queued
Apr 17, 2026 - 15:22 vuln.today
cvss_changed
Analysis Generated
Apr 14, 2026 - 19:13 vuln.today
EUVD ID Assigned
Apr 14, 2026 - 17:46 euvd
EUVD-2026-22388
Analysis Generated
Apr 14, 2026 - 17:46 vuln.today
Patch released
Apr 14, 2026 - 17:46 nvd
Patch available
CVE Published
Apr 14, 2026 - 16:57 nvd
HIGH 7.8

DescriptionCVE.org

Access of resource using incompatible type ('type confusion') in Windows OLE allows an authorized attacker to elevate privileges locally.

AnalysisAI

Type confusion in Windows OLE (Object Linking and Embedding) enables authenticated local attackers to escalate privileges across all supported Windows 10, 11, and Server versions (2012-2025). The memory corruption flaw allows low-privileged users to execute code with elevated permissions through incompatible type handling. Vendor-released patches are available for all affected versions. No public exploit identified at time of analysis, though the low attack complexity (AC:L) and lack of user interaction (UI:N) make this accessible to attackers with basic local access.

Technical ContextAI

The vulnerability resides in Windows OLE (Object Linking and Embedding), Microsoft's legacy technology for embedding and linking documents and objects across applications. The flaw is classified as CWE-843 (Access of Resource Using Incompatible Type), commonly known as type confusion. This occurs when code accesses memory or objects using a pointer or reference of an incorrect type, potentially causing the system to misinterpret data structures. In OLE's case, the Component Object Model (COM) infrastructure likely fails to properly validate type casts during object instantiation or method invocation, allowing an attacker to manipulate object vtables or memory layouts. The affected CPE strings indicate this is a Windows core component vulnerability impacting all modern Windows versions from legacy Server 2012 through the newest Windows 11 26H1 and Server 2025 builds, suggesting the vulnerable code exists in foundational OLE32.dll or related system libraries shared across the entire Windows ecosystem.

RemediationAI

Apply Microsoft's security updates immediately through Windows Update or WSUS to patch the vulnerable OLE components. Required minimum patched versions by platform: Windows 10 1607/Server 2016 build 10.0.14393.9060, Windows 10 1809/Server 2019 build 10.0.17763.8644, Windows 10 21H2 build 10.0.19044.7184, Windows 10 22H2 build 10.0.19045.7184, Windows 11 22H3/23H2 build 10.0.22631.6936, Windows 11 24H2/Server 2025 build 10.0.26100.32690, Windows 11 25H2 build 10.0.26200.8246, Windows 11 26H1 build 10.0.28000.1836, Server 2012 build 6.2.9200.26026, Server 2012 R2 build 6.3.9600.23132, Server 2022 build 10.0.20348.5020, and Server 2022 23H2 build 10.0.25398.2274. No workarounds are available; patching is the only effective mitigation. Consult the Microsoft Security Response Center update guide at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-26162 for deployment guidance and verify patch installation through system build numbers in winver.exe.

Share

EUVD-2026-22388 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy