Skip to main content

Microsoft EUVDEUVD-2026-22551

| CVE-2026-32162 HIGH
Acceptance of Extraneous Untrusted Data With Trusted Data (CWE-349)
2026-04-14 microsoft GHSA-8h4w-q329-j73w
8.4
CVSS 3.1 · NVD
Temporal: 7.3
Share

Severity by source

NVD PRIMARY
8.4 HIGH
AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CIRCL (temporal)
7.3 HIGH
cvss

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

6
Re-analysis Queued
Apr 17, 2026 - 15:22 vuln.today
cvss_changed
Analysis Generated
Apr 14, 2026 - 19:33 vuln.today
EUVD ID Assigned
Apr 14, 2026 - 17:46 euvd
EUVD-2026-22551
Analysis Generated
Apr 14, 2026 - 17:46 vuln.today
Patch released
Apr 14, 2026 - 17:46 nvd
Patch available
CVE Published
Apr 14, 2026 - 16:58 nvd
HIGH 8.4

DescriptionCVE.org

Acceptance of extraneous untrusted data with trusted data in Windows COM allows an unauthorized attacker to elevate privileges locally.

AnalysisAI

Local privilege escalation in Windows COM across Windows 10 (1809, 21H2, 22H2), Windows 11 (22H3-26H1), and Windows Server (2019-2025) allows unauthenticated attackers with local access to achieve full system compromise (high confidentiality, integrity, and availability impact) by exploiting acceptance of untrusted data alongside trusted data. CVSS 8.4 reflects the severe impact of complete privilege escalation despite requiring local access. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Craft malicious COM object
Exploit
Register untrusted data with trusted COM interface
Execution
Trigger privilege escalation in Windows COM subsystem
Impact
Execute arbitrary code as SYSTEM

Vulnerability AssessmentAI

Exploitation Local system access required. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS vector reveals critical characteristics: local attack vector (AV:L) limits exploitation to attackers with physical or RDP access, but low complexity (AC:L) and no privilege requirements (PR:N) mean any unprivileged local user can exploit this. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An unprivileged local user crafts a malicious COM object embedding untrusted data alongside trusted parameters. When the COM subsystem processes this hybrid object, it fails to properly validate data boundaries, allowing code execution with SYSTEM privileges.
Remediation Apply Microsoft-issued security updates immediately via Windows Update or WSUS to remediate this vulnerability. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify all Windows 10 (versions 1809, 21H2, 22H2), Windows 11 (22H3-26H1), and Windows Server 2019-2025 systems in your estate and assess exposure to local users. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-22551 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy