Description
Use after free in Windows Subsystem for Linux allows an authorized attacker to elevate privileges locally.
Published: 2026-02-10
Score: 7 High
EPSS: < 1% Very Low
KEV: No
Impact: Local privilege escalation via use‑after‑free in Windows Subsystem for Linux
Action: Patch
AI Analysis

Impact

A use‑after‑free flaw in Windows Subsystem for Linux allows an attacker who already has local access to a user account to gain higher privileges on the host operating system. The vulnerability is a classic memory corruption issue (CWE‑416) that can be abused to execute arbitrary code as a privileged user after the memory has been freed.

Affected Systems

Microsoft Windows 10 versions 21H2 and 22H2, Windows 11 versions 22H3, 23H2, 24H2, 25H2, 26H1, and Windows Server 2022, Server 2025 and the 2025 Server Core installation, as well as the 2022 Server Core release. All listed builds are affected; the list does not include non‑Microsoft products.

Risk and Exploitability

The CVSS score of 7 indicates a medium‑to‑high impact. The EPSS score is below 1%, suggesting exploitation is currently unlikely. The vulnerability is not present in the CISA KEV catalog. The attack requires local authorized access and cannot be leveraged remotely. Once exploited, the attacker can acquire full control of the Windows host, enabling further malicious activity.

Generated by OpenCVE AI on April 15, 2026 at 16:33 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Install the latest Windows cumulative updates that include the fix for CVE‑2026‑21242.
  • If Windows Subsystem for Linux is not required, disable the feature via Windows Features or Group Policy to reduce the attack surface.
  • Limit local administrator privileges and enforce least‑privilege for users that log on to the affected systems.

Generated by OpenCVE AI on April 15, 2026 at 16:33 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 26 Feb 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 12 Feb 2026 12:45:00 +0000

Type Values Removed Values Added
First Time appeared Microsoft windows 11 22h3
Microsoft windows 11 26h1
Microsoft windows Server 2022, 23h2 Edition (server Core Installation)
Microsoft windows Server 2025 (server Core Installation)
Vendors & Products Microsoft windows 11 22h3
Microsoft windows 11 26h1
Microsoft windows Server 2022, 23h2 Edition (server Core Installation)
Microsoft windows Server 2025 (server Core Installation)

Wed, 11 Feb 2026 21:00:00 +0000

Type Values Removed Values Added
First Time appeared Microsoft windows 10 21h2
Microsoft windows 10 22h2
Microsoft windows 11 23h2
Microsoft windows 11 24h2
Microsoft windows 11 25h2
Microsoft windows Server 2022 23h2
CPEs cpe:2.3:o:microsoft:windows_10_21h2:*:*:*:*:*:*:arm64:*
cpe:2.3:o:microsoft:windows_10_21h2:*:*:*:*:*:*:x64:*
cpe:2.3:o:microsoft:windows_10_22h2:*:*:*:*:*:*:arm64:*
cpe:2.3:o:microsoft:windows_10_22h2:*:*:*:*:*:*:x64:*
cpe:2.3:o:microsoft:windows_11_23h2:*:*:*:*:*:*:arm64:*
cpe:2.3:o:microsoft:windows_11_23h2:*:*:*:*:*:*:x64:*
cpe:2.3:o:microsoft:windows_11_24h2:*:*:*:*:*:*:arm64:*
cpe:2.3:o:microsoft:windows_11_24h2:*:*:*:*:*:*:x64:*
cpe:2.3:o:microsoft:windows_11_25h2:*:*:*:*:*:*:arm64:*
cpe:2.3:o:microsoft:windows_11_25h2:*:*:*:*:*:*:x64:*
cpe:2.3:o:microsoft:windows_server_2022_23h2:*:*:*:*:*:*:*:*
Vendors & Products Microsoft windows 10 21h2
Microsoft windows 10 22h2
Microsoft windows 11 23h2
Microsoft windows 11 24h2
Microsoft windows 11 25h2
Microsoft windows Server 2022 23h2

Tue, 10 Feb 2026 18:15:00 +0000

Type Values Removed Values Added
Description Use after free in Windows Subsystem for Linux allows an authorized attacker to elevate privileges locally.
Title Windows Subsystem for Linux Elevation of Privilege Vulnerability
First Time appeared Microsoft
Microsoft windows 10 21h2
Microsoft windows 10 22h2
Microsoft windows 11 23h2
Microsoft windows 11 24h2
Microsoft windows 11 25h2
Microsoft windows 11 26h1
Microsoft windows Server 2022
Microsoft windows Server 2025
Microsoft windows Server 23h2
Weaknesses CWE-416
CPEs cpe:2.3:o:microsoft:windows_10_21H2:*:*:*:*:*:*:arm64:*
cpe:2.3:o:microsoft:windows_10_22H2:*:*:*:*:*:*:x64:*
cpe:2.3:o:microsoft:windows_11_23H2:*:*:*:*:*:*:arm64:*
cpe:2.3:o:microsoft:windows_11_23H2:*:*:*:*:*:*:x64:*
cpe:2.3:o:microsoft:windows_11_24H2:*:*:*:*:*:*:arm64:*
cpe:2.3:o:microsoft:windows_11_25H2:*:*:*:*:*:*:arm64:*
cpe:2.3:o:microsoft:windows_11_26H1:*:*:*:*:*:*:arm64:*
cpe:2.3:o:microsoft:windows_11_26H1:*:*:*:*:*:*:x64:*
cpe:2.3:o:microsoft:windows_server_2022:*:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows_server_2025:*:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows_server_23h2:*:*:*:*:*:*:*:*
Vendors & Products Microsoft
Microsoft windows 10 21h2
Microsoft windows 10 22h2
Microsoft windows 11 23h2
Microsoft windows 11 24h2
Microsoft windows 11 25h2
Microsoft windows 11 26h1
Microsoft windows Server 2022
Microsoft windows Server 2025
Microsoft windows Server 23h2
References
Metrics cvssV3_1

{'score': 7, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C'}

Subscriptions

Microsoft Windows 10 21h2 Windows 10 21h2 Windows 10 22h2 Windows 10 22h2 Windows 11 22h3 Windows 11 23h2 Windows 11 23h2 Windows 11 24h2 Windows 11 24h2 Windows 11 25h2 Windows 11 25h2 Windows 11 26h1 Windows 11 26h1 Windows Server 2022 Windows Server 2022, 23h2 Edition (server Core Installation) Windows Server 2022 23h2 Windows Server 2025 Windows Server 2025 (server Core Installation) Windows Server 23h2
cve-icon MITRE

Status: PUBLISHED

Assigner: microsoft

Published:

Updated: 2026-04-10T13:21:08.449Z

Reserved: 2025-12-11T21:02:05.735Z

Link: CVE-2026-21242

cve-icon Vulnrichment

Updated: 2026-02-25T15:43:31.567Z

cve-icon NVD

Status : Analyzed

Published: 2026-02-10T18:16:25.323

Modified: 2026-02-11T20:56:41.543

Link: CVE-2026-21242

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-15T17:45:10Z

Weaknesses