CVE-2026-21223

EPSS 0.05%
Veröffentlicht 16.01.2026 21:28:30
Zuletzt bearbeitet 03.02.2026 18:42:56
Quelle secure@microsoft.com
CVE-Watchlists
Login
Unerledigt
Login

Microsoft Edge Elevation Service exposes a privileged COM interface that inadequately validates the privileges of the calling process. A standard (non‑administrator) local user can invoke the IElevatorEdge interface method LaunchUpdateCmdElevatedAndWait, causing the service to execute privileged update commands as LocalSystem.
This allows a non‑administrator to enable or disable Windows Virtualization‑Based Security (VBS) by modifying protected system registry keys under HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard. Disabling VBS weakens critical platform protections such as Credential Guard, Hypervisor‑protected Code Integrity (HVCI), and the Secure Kernel, resulting in a security feature bypass.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 4

Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD

Diese Information steht angemeldeten Benutzern zur Verfügung.

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Microsoft ≫ Edge Chromium Version < 144.0.3719.82

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.05%	0.154

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
134c704f-9b21-4f2e-91b3-4a467353bcc0	5.1	2.5	2.5	CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

CWE-269 Improper Privilege Management

The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-21223

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2026-21223

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-21223

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-21223

EUVD