Severity by source
AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
6DescriptionCVE.org
Acceptance of extraneous untrusted data with trusted data in Windows COM allows an unauthorized attacker to elevate privileges locally.
AnalysisAI
Local privilege escalation in Windows COM across Windows 10 (1809, 21H2, 22H2), Windows 11 (22H3-26H1), and Windows Server (2019-2025) allows unauthenticated attackers with local access to achieve full system compromise (high confidentiality, integrity, and availability impact) by exploiting acceptance of untrusted data alongside trusted data. CVSS 8.4 reflects the severe impact of complete privilege escalation despite requiring local access. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Local system access required. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS vector reveals critical characteristics: local attack vector (AV:L) limits exploitation to attackers with physical or RDP access, but low complexity (AC:L) and no privilege requirements (PR:N) mean any unprivileged local user can exploit this. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An unprivileged local user crafts a malicious COM object embedding untrusted data alongside trusted parameters. When the COM subsystem processes this hybrid object, it fails to properly validate data boundaries, allowing code execution with SYSTEM privileges. |
| Remediation | Apply Microsoft-issued security updates immediately via Windows Update or WSUS to remediate this vulnerability. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Identify all Windows 10 (versions 1809, 21H2, 22H2), Windows 11 (22H3-26H1), and Windows Server 2019-2025 systems in your estate and assess exposure to local users. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-22551
GHSA-8h4w-q329-j73w