Description
Heap-based buffer overflow in Windows Mobile Broadband allows an unauthorized attacker to execute code with a physical attack.
Published: 2026-03-10
Score: 6.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Code Execution (requires physical access)
Action: Apply Patch
AI Analysis

Impact

A heap-based buffer overflow in the Windows Mobile Broadband driver enables an unauthorized attacker with physical access to execute arbitrary code on the target system. The flaw allows the attacker to inject and run code, potentially escalating privileges and compromising confidentiality, integrity, and availability of the affected device. The vulnerability is a classic example of CWE‑122, where improper bounds checking leads to uncontrolled memory writes.

Affected Systems

Microsoft Windows 10 Version 21H2 and Version 22H2 are affected, including all supported CPU architectures listed in the Common Platform Enumeration strings: x86, x64, and arm64. Users of these Windows 10 releases should verify whether their devices are running the vulnerable mobile broadband driver.

Risk and Exploitability

The CVSS score of 6.8 indicates a moderate to high severity, but the EPSS score of less than 1% means the probability of exploitation is low. The vulnerability is not listed in CISA’s KEV catalog, suggesting no documented public exploit at this time. The attack requires physical presence, limiting the practical risk to environments where an adversary can gain physical access. Nonetheless, the ability to execute arbitrary code presents a serious threat if the device is compromised.

Generated by OpenCVE AI on March 16, 2026 at 23:32 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Download and install the security update from Microsoft (see https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-24288).
  • If the patch is not yet available, monitor the update schedule and apply as soon as a fix is released.

Generated by OpenCVE AI on March 16, 2026 at 23:32 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 13 Mar 2026 19:30:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:o:microsoft:windows_10_21h2:*:*:*:*:*:*:arm64:*
cpe:2.3:o:microsoft:windows_10_21h2:*:*:*:*:*:*:x64:*
cpe:2.3:o:microsoft:windows_10_21h2:*:*:*:*:*:*:x86:*
cpe:2.3:o:microsoft:windows_10_22h2:*:*:*:*:*:*:arm64:*
cpe:2.3:o:microsoft:windows_10_22h2:*:*:*:*:*:*:x64:*
cpe:2.3:o:microsoft:windows_10_22h2:*:*:*:*:*:*:x86:*

Thu, 12 Mar 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 11 Mar 2026 12:00:00 +0000

Type Values Removed Values Added
First Time appeared Microsoft windows 10 21h2
Microsoft windows 10 22h2
Vendors & Products Microsoft windows 10 21h2
Microsoft windows 10 22h2

Tue, 10 Mar 2026 17:30:00 +0000

Type Values Removed Values Added
Description Heap-based buffer overflow in Windows Mobile Broadband allows an unauthorized attacker to execute code with a physical attack.
Title Windows Mobile Broadband Driver Remote Code Execution Vulnerability
First Time appeared Microsoft
Microsoft windows 10 21h2
Microsoft windows 10 22h2
Weaknesses CWE-122
CPEs cpe:2.3:o:microsoft:windows_10_21H2:*:*:*:*:*:*:x86:*
cpe:2.3:o:microsoft:windows_10_22H2:*:*:*:*:*:*:x64:*
Vendors & Products Microsoft
Microsoft windows 10 21h2
Microsoft windows 10 22h2
References
Metrics cvssV3_1

{'score': 6.8, 'vector': 'CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C'}

Subscriptions

Microsoft Windows 10 21h2 Windows 10 21h2 Windows 10 22h2 Windows 10 22h2
cve-icon MITRE

Status: PUBLISHED

Assigner: microsoft

Published:

Updated: 2026-03-27T22:32:30.344Z

Reserved: 2026-01-21T21:28:02.968Z

Link: CVE-2026-24288

cve-icon Vulnrichment

Updated: 2026-03-12T14:26:36.940Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-10T18:18:18.943

Modified: 2026-03-13T19:16:25.093

Link: CVE-2026-24288

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-20T14:34:56Z

Weaknesses