Description
Improper link resolution before file access ('link following') in Windows App for Mac allows an authorized attacker to elevate privileges locally.
Published: 2026-02-10
Score: 4.7 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Local Privilege Escalation
Action: Apply patch
AI Analysis

Impact

An improper link resolution step in Windows App for Mac, also known as link following, enables an attacker who already has local access to the system to elevate their privileges. The flaw falls under CWE-59, where a pathname is not properly restricted before being dereferenced. The resulting privilege escalation can allow the attacker to gain higher rights on the host, potentially affecting the confidentiality, integrity, and availability of local data and services.

Affected Systems

The vulnerability impacts Microsoft Windows App for Mac running on macOS. No specific affected versions are listed, so all installations of the product may be at risk until a vendor change is issued.

Risk and Exploitability

The CVSS score of 4.7 denotes moderate severity, and the EPSS value of less than 1% indicates a very low probability of exploitation under current conditions. The flaw is not catalogued in CISA’s KEV list. Based on the description, the attack requires the attacker to already have authorized local access; no remote or network-based entry vector is disclosed. The lack of a known workaround or public exploit suggests that risk is largely mitigated by ensuring that the app is updated to a version where the link resolution is correctly handled.

Generated by OpenCVE AI on April 15, 2026 at 18:40 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Check Microsoft’s update center or the Windows App for Mac website for the latest patch or release that addresses the improper link resolution flaw.
  • If a vendor update is not immediately available, restrict local user accounts that have write access to the app’s installation directory or use OS-level file permissions to limit potential path traversal.
  • Consider disabling or removing the Windows App for Mac until a patched version is deployed to eliminate the elevation vector.

Generated by OpenCVE AI on April 15, 2026 at 18:40 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 26 Feb 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 25 Feb 2026 14:30:00 +0000

Type Values Removed Values Added
First Time appeared Microsoft windows App
CPEs cpe:2.3:a:microsoft:windows_app:*:*:*:*:*:macos:*:*
Vendors & Products Microsoft windows App

Wed, 11 Feb 2026 01:45:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C'}

 cvssV3_1

{'score': 4.7, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C'}

Tue, 10 Feb 2026 18:15:00 +0000

Type Values Removed Values Added
Description Improper link resolution before file access ('link following') in Windows App for Mac allows an authorized attacker to elevate privileges locally.
Title Windows App for Mac Installer Elevation of Privilege Vulnerability
First Time appeared Microsoft
Microsoft windows App For Mac
Weaknesses CWE-59
CPEs cpe:2.3:a:microsoft:windows_app_for_mac:*:*:*:*:*:*:*:*
Vendors & Products Microsoft
Microsoft windows App For Mac
References
Metrics cvssV3_1

{'score': 7, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C'}

Subscriptions

Microsoft Windows App Windows App For Mac
cve-icon MITRE

Status: PUBLISHED

Assigner: microsoft

Published:

Updated: 2026-04-10T13:21:01.782Z

Reserved: 2025-12-30T18:10:54.845Z

Link: CVE-2026-21517

cve-icon Vulnrichment

Updated: 2026-02-25T15:43:45.440Z

cve-icon NVD

Status : Analyzed

Published: 2026-02-10T18:16:34.110

Modified: 2026-02-25T14:20:17.450

Link: CVE-2026-21517

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-15T18:45:11Z

Weaknesses