Description
Improper neutralization of special elements used in a command ('command injection') in GitHub Copilot and Visual Studio allows an unauthorized attacker to execute code over a network.
Published: 2026-02-10
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

The vulnerability is a command injection flaw that allows an attacker to execute arbitrary code within the environment of GitHub Copilot and Visual Studio. By supplying specially crafted input that is not properly escaped, an unauthorized user can inject system commands into the backend process, leading to execution of unintended code. The flaw corresponds to CWE-77 and CWE-94, potentially compromising confidentiality, integrity, and availability of the affected system.

Affected Systems

Affected products include Microsoft Visual Studio 2022 version 17.14 and Microsoft Visual Studio 2026 version 18.3. These versions are bundled with the GitHub Copilot extension, which is also impacted. No other versions are explicitly enumerated in the advisory.

Risk and Exploitability

The CVSS score of 8.8 classifies the issue as high severity. The EPSS score of less than 1% indicates a low probability of exploitation but does not eliminate risk, especially for highly motivated actors. The vulnerability is not listed in CISA's KEV catalog. The CVSS vector (AV:N, PR:N, UI:R) indicates a network-based attack requiring no privileges but some user interaction: untrusted input arriving from the Copilot service can be turned into command execution on the local host where the extension is installed.

Generated by OpenCVE AI on April 15, 2026 at 16:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the Microsoft Visual Studio patch that addresses CVE-2026-21256.
  • If a patch is not yet available, upgrade to a later release of Visual Studio that contains the fix, such as the next minor version.
  • Until a patch is released, disable the GitHub Copilot extension or restrict its permissions to prevent it from accepting user-entered code, and review any input processed by the extension to mitigate command injection until the official fix is applied.



Advisories

No advisories yet.

History

Fri, 13 Mar 2026 16:30:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Microsoft Visual Studio 2026
CPEs | | cpe:2.3:a:microsoft:visual_studio_2026:*:*:*:*:*:*:*:*
Vendors & Products | | Microsoft Visual Studio 2026

Thu, 26 Feb 2026 17:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 11 Feb 2026 21:45:00 +0000

Type | Values Removed | Values Added
CPEs | | cpe:2.3:a:microsoft:visual_studio_2022:*:*:*:*:*:-:*:*

Tue, 10 Feb 2026 18:15:00 +0000

Type | Values Removed | Values Added
Description | | Improper neutralization of special elements used in a command ('command injection') in GitHub Copilot and Visual Studio allows an unauthorized attacker to execute code over a network.
Title | | GitHub Copilot and Visual Studio Remote Code Execution Vulnerability
First Time appeared | | Microsoft; Microsoft Visual Studio 2022
Weaknesses | | CWE-77; CWE-94
CPEs | | cpe:2.3:a:microsoft:visual_studio_2022:*:*:*:*:*:*:*:*
Vendors & Products | | Microsoft; Microsoft Visual Studio 2022
References | |
Metrics | | cvssV3_1 {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C'}


MITRE

Status: PUBLISHED

Assigner: microsoft

Published:

Updated: 2026-04-10T13:21:25.171Z

Reserved: 2025-12-11T21:02:05.737Z

Link: CVE-2026-21256

Vulnrichment

Updated: 2026-02-25T15:42:59.944Z

NVD

Status: Analyzed

Published: 2026-02-10T18:16:27.330

Modified: 2026-02-11T21:37:01.630

Link: CVE-2026-21256

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-15T17:45:10Z

Weaknesses