Severity by source
AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
5DescriptionCVE.org
Improper input validation in Windows Hello allows an authorized attacker to bypass a security feature locally.
AnalysisAI
Windows Hello biometric authentication can be bypassed by high-privileged local attackers through improper input validation, allowing unauthorized access to authentication mechanisms. This affects Windows 10 versions 21H2 and 22H2, and Windows 11 versions 22H3 through 26H1. The vulnerability requires administrative or SYSTEM-level privileges to exploit and does not enable remote exploitation, but represents a significant risk in multi-user or compromised-admin scenarios where biometric security is the primary defense mechanism.
Technical ContextAI
Windows Hello implements biometric and PIN-based authentication through the Windows Hello for Business and Windows Hello Face/Fingerprint frameworks. The vulnerability stems from CWE-20 (Improper Input Validation) in the authentication validation logic, specifically in how Windows Hello processes and verifies biometric or credential input. When an authorized user with high privileges (PR:H per CVSS vector) submits crafted input that bypasses the validation checks, the authentication mechanism fails to properly reject or sanitize the malicious data, allowing the attacker to proceed past security gates that should enforce biometric verification. This affects the core Windows authentication subsystem across multiple major OS versions and build numbers as identified in the CPE strings.
RemediationAI
Apply the vendor-released patch from Microsoft Security Response Center (MSRC) at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-27906. For Windows 10 21H2, update to build 10.0.19044.7184 or later; for Windows 10 22H2, update to build 10.0.19045.7184 or later; for Windows 11 22H3 and 23H2, update to build 10.0.22631.6936 or later; for Windows 11 24H2, update to build 10.0.26100.32690 or later; for Windows 11 25H2, update to build 10.0.26200.8246 or later; and for Windows 11 26H1, update to build 10.0.28000.1836 or later. No workarounds are documented; patching is the only remediation. Prioritize systems where biometric authentication is enforced as the primary MFA mechanism.
Same weakness CWE-20 – Improper Input Validation
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-22444
GHSA-qqjc-23pp-wrrm