Description
Improper input validation in Windows Hello allows an unauthorized attacker to bypass a security feature over a network.
Published: 2026-04-14
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Security Feature Bypass
Action: Patch
AI Analysis

Impact

Windows Hello contains an input validation flaw that lets an attacker send malformed data over a network and bypass the biometric authentication process. An unauthorized user could thereby cross the Windows Hello security boundary and gain access without proper credential verification. The weakness is classified as Improper Input Validation (CWE-20).

Affected Systems

The vulnerability affects Microsoft Windows Server releases from 2016 through 2025: Windows Server 2016, 2019, 2022, 23H2 and 2025, in both the standard and Server Core installations. Windows Hello on these server editions is the affected component.

Risk and Exploitability

The CVSS 3.1 base score of 8.7 (High) follows from the vector recorded on this page, CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N: high impact on confidentiality and integrity, no availability impact, and a changed scope, with a network attack vector, no privileges or user interaction required, and high attack complexity. Because the attack vector is network-based, an attacker needs only network reachability to the target to supply the crafted input; no local privileges are required. The EPSS estimate is below 1% (Very Low) and the vulnerability is not listed in the CISA KEV catalog, but given its severity and network delivery, the risk to exposed services is significant.

Generated by OpenCVE AI on April 14, 2026 at 19:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Download and install the Microsoft update that addresses CVE‑2026‑27928 from the official Security Update Guide.
  • Restart the server to apply the patch changes.
  • Verify the installation by checking the update history or querying installed hotfixes.
  • If the patch cannot be applied immediately, disable Windows Hello on the affected servers or enforce alternate credential methods until the update is installed.
  • Keep monitoring the Microsoft advisory for any additional guidance or further patches.

Generated by OpenCVE AI on April 14, 2026 at 19:50 UTC.

Advisories

No advisories yet.

History

Wed, 15 Apr 2026 21:00:00 +0000

Type                 Values Removed   Values Added
First Time appeared  -                Microsoft windows Server 2016 (server Core Installation)
                                      Microsoft windows Server 2019 (server Core Installation)
                                      Microsoft windows Server 2022, 23h2 Edition (server Core Installation)
                                      Microsoft windows Server 2025 (server Core Installation)
Vendors & Products   -                Microsoft windows Server 2016 (server Core Installation)
                                      Microsoft windows Server 2019 (server Core Installation)
                                      Microsoft windows Server 2022, 23h2 Edition (server Core Installation)
                                      Microsoft windows Server 2025 (server Core Installation)

Tue, 14 Apr 2026 19:15:00 +0000

Type     Values Removed   Values Added
Metrics  -                ssvc
                          {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 14 Apr 2026 17:30:00 +0000

Type                 Values Removed   Values Added
Description          -                Improper input validation in Windows Hello allows an unauthorized attacker to bypass a security feature over a network.
Title                -                Windows Hello Security Feature Bypass Vulnerability
First Time appeared  -                Microsoft
                                      Microsoft windows Server 2016
                                      Microsoft windows Server 2019
                                      Microsoft windows Server 2022
                                      Microsoft windows Server 2025
                                      Microsoft windows Server 23h2
Weaknesses           -                CWE-20
CPEs                 -                cpe:2.3:o:microsoft:windows_server_2016:*:*:*:*:*:*:*:*
                                      cpe:2.3:o:microsoft:windows_server_2019:*:*:*:*:*:*:*:*
                                      cpe:2.3:o:microsoft:windows_server_2022:*:*:*:*:*:*:*:*
                                      cpe:2.3:o:microsoft:windows_server_2025:*:*:*:*:*:*:*:*
                                      cpe:2.3:o:microsoft:windows_server_23h2:*:*:*:*:*:*:*:*
Vendors & Products   -                Microsoft
                                      Microsoft windows Server 2016
                                      Microsoft windows Server 2019
                                      Microsoft windows Server 2022
                                      Microsoft windows Server 2025
                                      Microsoft windows Server 23h2
References           -                -
Metrics              -                cvssV3_1
                                      {'score': 8.7, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N/E:U/RL:O/RC:C'}


MITRE

Status: PUBLISHED

Assigner: microsoft

Published:

Updated: 2026-04-17T16:13:05.495Z

Reserved: 2026-02-24T21:35:49.688Z

Link: CVE-2026-27928

Vulnrichment

Updated: 2026-04-14T19:10:14.586Z

NVD

Status: Awaiting Analysis

Published: 2026-04-14T18:17:04.170

Modified: 2026-04-17T15:10:35.607

Link: CVE-2026-27928

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-15T20:45:06Z

Weaknesses