Description
Acceptance of extraneous untrusted data with trusted data in Windows COM allows an unauthorized attacker to elevate privileges locally.
Published: 2026-04-14
Score: 8.4 High
EPSS: 2.0% Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This flaw arises from Windows Component Object Model (COM) when it accepts extraneous untrusted data alongside trusted data. An attacker who can influence the composition of such data may gain higher privileges on the local system. The attack materializes as an unauthorized escalation of privilege, allowing the attacker to execute actions that normally require elevated rights, thereby compromising system confidentiality, integrity, and availability for the affected account.

Affected Systems

The vulnerability affects Microsoft Windows operating systems on a range of releases. Specifically, Windows 10 versions 1809, 21H2, and 22H2; Windows 11 versions 23H2, 24H2, 25H2, 26H1, 22H3; and Windows Server releases 2019, 2022, 2025, and the 23H2 Server Core edition. The issue has been documented for both 32‑bit (x86), 64‑bit (x64), and ARM64 architectures as listed in the affected CPE identifiers.

Risk and Exploitability

The CVSS score of 8.4 indicates high severity, and the EPSS score is 2%, while the vulnerability is not currently listed in CISA’s KEV catalog. The attack vector is local; an adversary must have access to the target machine to supply the malformed COM data. Once executed, the exploit can run with the privileges of the user context that launched the malicious COM object, potentially elevating to system‑level privileges. Given the lack of a remote trigger, the likelihood of exploitation depends on the presence of untrusted code on the system, but within a legitimate local environment the risk remains high.

Generated by OpenCVE AI on June 18, 2026 at 09:07 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Windows Updates that address CVE-2026-32162 as listed on Microsoft’s security advisory page.
  • If a patch is unavailable, isolate the affected system from untrusted local resources and enforce strict application control policies such as AppLocker or Software Restriction Policies to block execution of malicious COM objects.
  • Configure Windows Defender Exploit Guard and Controlled Folder Access to block execution of untrusted COM objects.

Generated by OpenCVE AI on June 18, 2026 at 09:07 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 20 Apr 2026 17:00:00 +0000

Type Values Removed Values Added
First Time appeared Microsoft windows Server 2022 23h2
CPEs cpe:2.3:o:microsoft:windows_10_1809:*:*:*:*:*:*:x64:*
cpe:2.3:o:microsoft:windows_10_21h2:*:*:*:*:*:*:arm64:*
cpe:2.3:o:microsoft:windows_10_21h2:*:*:*:*:*:*:x64:*
cpe:2.3:o:microsoft:windows_10_21h2:*:*:*:*:*:*:x86:*
cpe:2.3:o:microsoft:windows_10_22h2:*:*:*:*:*:*:arm64:*
cpe:2.3:o:microsoft:windows_10_22h2:*:*:*:*:*:*:x64:*
cpe:2.3:o:microsoft:windows_10_22h2:*:*:*:*:*:*:x86:*
cpe:2.3:o:microsoft:windows_11_23h2:*:*:*:*:*:*:arm64:*
cpe:2.3:o:microsoft:windows_11_23h2:*:*:*:*:*:*:x64:*
cpe:2.3:o:microsoft:windows_11_24h2:*:*:*:*:*:*:arm64:*
cpe:2.3:o:microsoft:windows_11_24h2:*:*:*:*:*:*:x64:*
cpe:2.3:o:microsoft:windows_11_25h2:*:*:*:*:*:*:arm64:*
cpe:2.3:o:microsoft:windows_11_25h2:*:*:*:*:*:*:x64:*
cpe:2.3:o:microsoft:windows_11_26h1:*:*:*:*:*:*:arm64:*
cpe:2.3:o:microsoft:windows_11_26h1:*:*:*:*:*:*:x64:*
cpe:2.3:o:microsoft:windows_server_2022_23h2:*:*:*:*:*:*:*:*
Vendors & Products Microsoft windows Server 2022 23h2

Wed, 15 Apr 2026 15:30:00 +0000

Type Values Removed Values Added
First Time appeared Microsoft windows 10 21h2
Microsoft windows 10 22h2
Microsoft windows 11 22h3
Microsoft windows 11 23h2
Microsoft windows 11 24h2
Microsoft windows 11 25h2
Microsoft windows 11 26h1
Microsoft windows Server 2019 (server Core Installation)
Microsoft windows Server 2022, 23h2 Edition (server Core Installation)
Microsoft windows Server 2025 (server Core Installation)
Vendors & Products Microsoft windows 10 21h2
Microsoft windows 10 22h2
Microsoft windows 11 22h3
Microsoft windows 11 23h2
Microsoft windows 11 24h2
Microsoft windows 11 25h2
Microsoft windows 11 26h1
Microsoft windows Server 2019 (server Core Installation)
Microsoft windows Server 2022, 23h2 Edition (server Core Installation)
Microsoft windows Server 2025 (server Core Installation)

Wed, 15 Apr 2026 10:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 14 Apr 2026 17:30:00 +0000

Type Values Removed Values Added
Description Acceptance of extraneous untrusted data with trusted data in Windows COM allows an unauthorized attacker to elevate privileges locally.
Title Windows COM Elevation of Privilege Vulnerability
First Time appeared Microsoft
Microsoft windows 10 1809
Microsoft windows 10 21h2
Microsoft windows 10 22h2
Microsoft windows 11 23h2
Microsoft windows 11 24h2
Microsoft windows 11 25h2
Microsoft windows 11 26h1
Microsoft windows Server 2019
Microsoft windows Server 2022
Microsoft windows Server 2025
Microsoft windows Server 23h2
Weaknesses CWE-349
CPEs cpe:2.3:o:microsoft:windows_10_1809:*:*:*:*:*:*:x86:*
cpe:2.3:o:microsoft:windows_10_21H2:*:*:*:*:*:*:x86:*
cpe:2.3:o:microsoft:windows_10_22H2:*:*:*:*:*:*:x64:*
cpe:2.3:o:microsoft:windows_11_23H2:*:*:*:*:*:*:arm64:*
cpe:2.3:o:microsoft:windows_11_23H2:*:*:*:*:*:*:x64:*
cpe:2.3:o:microsoft:windows_11_24H2:*:*:*:*:*:*:arm64:*
cpe:2.3:o:microsoft:windows_11_25H2:*:*:*:*:*:*:arm64:*
cpe:2.3:o:microsoft:windows_11_26H1:*:*:*:*:*:*:arm64:*
cpe:2.3:o:microsoft:windows_server_2019:*:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows_server_2022:*:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows_server_2025:*:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows_server_23h2:*:*:*:*:*:*:*:*
Vendors & Products Microsoft
Microsoft windows 10 1809
Microsoft windows 10 21h2
Microsoft windows 10 22h2
Microsoft windows 11 23h2
Microsoft windows 11 24h2
Microsoft windows 11 25h2
Microsoft windows 11 26h1
Microsoft windows Server 2019
Microsoft windows Server 2022
Microsoft windows Server 2025
Microsoft windows Server 23h2
References
Metrics cvssV3_1

{'score': 8.4, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C'}


Subscriptions

Microsoft Windows 10 1809 Windows 10 21h2 Windows 10 21h2 Windows 10 22h2 Windows 10 22h2 Windows 11 22h3 Windows 11 23h2 Windows 11 23h2 Windows 11 24h2 Windows 11 24h2 Windows 11 25h2 Windows 11 25h2 Windows 11 26h1 Windows 11 26h1 Windows Server 2019 Windows Server 2019 (server Core Installation) Windows Server 2022 Windows Server 2022, 23h2 Edition (server Core Installation) Windows Server 2022 23h2 Windows Server 2025 Windows Server 2025 (server Core Installation) Windows Server 23h2
cve-icon MITRE

Status: PUBLISHED

Assigner: microsoft

Published:

Updated: 2026-06-19T16:08:43.458Z

Reserved: 2026-03-10T23:09:43.265Z

Link: CVE-2026-32162

cve-icon Vulnrichment

Updated: 2026-04-15T09:07:58.214Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-14T18:17:18.223

Modified: 2026-06-17T10:35:15.890

Link: CVE-2026-32162

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-18T09:15:16Z

Weaknesses
  • CWE-349

    Acceptance of Extraneous Untrusted Data With Trusted Data