Description
Untrusted pointer dereference in Windows HTTP.sys allows an authorized attacker to elevate privileges locally.
Published: 2026-02-10
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Privilege Escalation
Action: Apply Patch
AI Analysis

Impact

CVE‑2026‑21250 exploits an untrusted pointer dereference in Windows HTTP.sys, enabling a logged‑in user to gain higher privileges locally. By manipulating the kernel request handling, an attacker can elevate a regular user account to SYSTEM, allowing unrestricted modification of system files, registry, and installation of software. The flaw maps to CWE‑822: Unvalidated Object Handle or Resource Handle Manipulation.

Affected Systems

Affected systems include Microsoft Windows 11 build 24H2, 25H2, and 26H1, and Microsoft Windows Server 2022 23H2 Core, Windows Server 2025 and its Server Core edition. The vulnerability is present in both x86‑64 and ARM64 builds where HTTP.sys is active.

Risk and Exploitability

The CVSS v3 score of 7.8 indicates high severity, however the EPSS score of less than 1% shows the exploit probability is currently low. The vulnerability requires a local, authenticated attacker; remote attackers cannot trigger the flaw directly. Because it is not listed in the CISA KEV catalog, there is no known widespread exploitation yet, but the high impact warrants timely remediation.

Generated by OpenCVE AI on April 15, 2026 at 16:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply Microsoft's security update for CVE‑2026‑21250 as available through Windows Update or the Microsoft Security Response Center.
  • Restrict HTTP.sys exposure by configuring firewall rules or disabling unused HTTP services to reduce the attack surface.
  • Enable and review audit logging for HTTP.sys requests and monitor for anomalous activity to detect potential exploitation attempts while planning for a patch.

Generated by OpenCVE AI on April 15, 2026 at 16:23 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 26 Feb 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 12 Feb 2026 12:30:00 +0000

Type Values Removed Values Added
First Time appeared Microsoft windows 11 26h1
Microsoft windows Server 2022, 23h2 Edition (server Core Installation)
Microsoft windows Server 2025 (server Core Installation)
Vendors & Products Microsoft windows 11 26h1
Microsoft windows Server 2022, 23h2 Edition (server Core Installation)
Microsoft windows Server 2025 (server Core Installation)

Wed, 11 Feb 2026 20:00:00 +0000

Type Values Removed Values Added
First Time appeared Microsoft windows 11 24h2
Microsoft windows 11 25h2
Microsoft windows Server 2022 23h2
CPEs cpe:2.3:o:microsoft:windows_11_24h2:*:*:*:*:*:*:arm64:*
cpe:2.3:o:microsoft:windows_11_24h2:*:*:*:*:*:*:x64:*
cpe:2.3:o:microsoft:windows_11_25h2:*:*:*:*:*:*:arm64:*
cpe:2.3:o:microsoft:windows_11_25h2:*:*:*:*:*:*:x64:*
cpe:2.3:o:microsoft:windows_server_2022_23h2:*:*:*:*:*:*:*:*
Vendors & Products Microsoft windows 11 24h2
Microsoft windows 11 25h2
Microsoft windows Server 2022 23h2

Tue, 10 Feb 2026 18:15:00 +0000

Type Values Removed Values Added
Description Untrusted pointer dereference in Windows HTTP.sys allows an authorized attacker to elevate privileges locally.
Title Windows HTTP.sys Elevation of Privilege Vulnerability
First Time appeared Microsoft
Microsoft windows 11 24h2
Microsoft windows 11 25h2
Microsoft windows 11 26h1
Microsoft windows Server 2025
Microsoft windows Server 23h2
Weaknesses CWE-822
CPEs cpe:2.3:o:microsoft:windows_11_24H2:*:*:*:*:*:*:arm64:*
cpe:2.3:o:microsoft:windows_11_25H2:*:*:*:*:*:*:arm64:*
cpe:2.3:o:microsoft:windows_11_26H1:*:*:*:*:*:*:arm64:*
cpe:2.3:o:microsoft:windows_11_26H1:*:*:*:*:*:*:x64:*
cpe:2.3:o:microsoft:windows_server_2025:*:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows_server_23h2:*:*:*:*:*:*:*:*
Vendors & Products Microsoft
Microsoft windows 11 24h2
Microsoft windows 11 25h2
Microsoft windows 11 26h1
Microsoft windows Server 2025
Microsoft windows Server 23h2
References
Metrics cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C'}

Subscriptions

Microsoft Windows 11 24h2 Windows 11 24h2 Windows 11 25h2 Windows 11 25h2 Windows 11 26h1 Windows 11 26h1 Windows Server 2022, 23h2 Edition (server Core Installation) Windows Server 2022 23h2 Windows Server 2025 Windows Server 2025 (server Core Installation) Windows Server 23h2
cve-icon MITRE

Status: PUBLISHED

Assigner: microsoft

Published:

Updated: 2026-04-10T13:21:27.455Z

Reserved: 2025-12-11T21:02:05.736Z

Link: CVE-2026-21250

cve-icon Vulnrichment

Updated: 2026-02-25T15:42:52.160Z

cve-icon NVD

Status : Analyzed

Published: 2026-02-10T18:16:26.670

Modified: 2026-02-11T19:49:34.573

Link: CVE-2026-21250

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-15T17:45:10Z

Weaknesses