Severity by source
AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H
Lifecycle Timeline
2DescriptionCVE.org
Double free in Windows Rich Text Edit allows an authorized attacker to elevate privileges locally.
AnalysisAI
Double free vulnerability in Windows Rich Text Edit component allows local authenticated attackers to escalate privileges on Windows 10 and Windows 11 systems through a specially crafted interaction. The flaw requires local access with standard user privileges and user interaction, but enables full system compromise including code execution and privilege elevation. Microsoft has released a vendor patch to address this issue.
Technical ContextAI
The vulnerability exists in the Windows Rich Text Edit (RichEdit) component, a legacy but widely-used text rendering library used by numerous Windows applications. CWE-415 identifies a double free memory corruption flaw, where the same memory region is freed twice during object cleanup or deallocation routines. This memory safety issue occurs in the RichEdit control's text processing logic, likely triggered when a specially crafted Rich Text Format (RTF) document or embedded object is parsed and processed. The double free can corrupt heap metadata and enable arbitrary code execution within the context of the application using RichEdit, and when combined with privilege escalation techniques, can compromise the entire system.
RemediationAI
Vendor-released patch available from Microsoft Security Response Center (MSRC) at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-21530. Apply the latest Windows security updates through Windows Update or WSUS, which will patch the RichEdit component across all affected Windows 10 and Windows 11 versions. As an interim compensating control if patching cannot be immediately deployed, restrict end-user access to untrusted or externally-sourced Rich Text Format files, particularly through email or web downloads, since exploitation requires opening a malicious RTF document. Users should avoid opening RTF attachments from untrusted sources and disable RTF preview in email clients where supported. Disable RichEdit functionality in applications where it is not essential, though this may break legitimate document-handling workflows and is appropriate only in restricted environments.
Same weakness CWE-415 – Double Free
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-29547
GHSA-xp4f-mw6j-jxm8