Skip to main content

Microsoft EUVDEUVD-2026-22444

| CVE-2026-27906 MEDIUM
Improper Input Validation (CWE-20)
2026-04-14 microsoft GHSA-qqjc-23pp-wrrm
4.4
CVSS 3.1 · NVD
Temporal: 3.9
Share

Severity by source

NVD PRIMARY
4.4 MEDIUM
AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
CIRCL (temporal)
3.9 LOW
cvss

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Local
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

5
Analysis Generated
Apr 14, 2026 - 19:40 vuln.today
EUVD ID Assigned
Apr 14, 2026 - 17:46 euvd
EUVD-2026-22444
Analysis Generated
Apr 14, 2026 - 17:46 vuln.today
Patch released
Apr 14, 2026 - 17:46 nvd
Patch available
CVE Published
Apr 14, 2026 - 16:57 nvd
MEDIUM 4.4

DescriptionCVE.org

Improper input validation in Windows Hello allows an authorized attacker to bypass a security feature locally.

AnalysisAI

Windows Hello biometric authentication can be bypassed by high-privileged local attackers through improper input validation, allowing unauthorized access to authentication mechanisms. This affects Windows 10 versions 21H2 and 22H2, and Windows 11 versions 22H3 through 26H1. The vulnerability requires administrative or SYSTEM-level privileges to exploit and does not enable remote exploitation, but represents a significant risk in multi-user or compromised-admin scenarios where biometric security is the primary defense mechanism.

Technical ContextAI

Windows Hello implements biometric and PIN-based authentication through the Windows Hello for Business and Windows Hello Face/Fingerprint frameworks. The vulnerability stems from CWE-20 (Improper Input Validation) in the authentication validation logic, specifically in how Windows Hello processes and verifies biometric or credential input. When an authorized user with high privileges (PR:H per CVSS vector) submits crafted input that bypasses the validation checks, the authentication mechanism fails to properly reject or sanitize the malicious data, allowing the attacker to proceed past security gates that should enforce biometric verification. This affects the core Windows authentication subsystem across multiple major OS versions and build numbers as identified in the CPE strings.

RemediationAI

Apply the vendor-released patch from Microsoft Security Response Center (MSRC) at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-27906. For Windows 10 21H2, update to build 10.0.19044.7184 or later; for Windows 10 22H2, update to build 10.0.19045.7184 or later; for Windows 11 22H3 and 23H2, update to build 10.0.22631.6936 or later; for Windows 11 24H2, update to build 10.0.26100.32690 or later; for Windows 11 25H2, update to build 10.0.26200.8246 or later; and for Windows 11 26H1, update to build 10.0.28000.1836 or later. No workarounds are documented; patching is the only remediation. Prioritize systems where biometric authentication is enforced as the primary MFA mechanism.

Share

EUVD-2026-22444 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy