Impact
This flaw arises in the Windows Component Object Model (COM) when it accepts extraneous untrusted data alongside trusted data. An attacker who can influence the composition of that data may gain higher privileges on the local system. The attack manifests as an unauthorized escalation of privilege, letting the attacker perform actions that normally require elevated rights and thereby compromising system confidentiality, integrity, and availability for the affected account.
Affected Systems
The vulnerability affects Microsoft Windows operating systems across a range of releases. Specifically, Windows 10 versions 1809, 21H2, and 22H2; Windows 11 versions 23H2, 24H2, 25H2, 26H1, 22H3; and Windows Server releases 2019, 2022, 2025, and the 23H2 Server Core edition. The issue has been documented for the 32-bit (x86), 64-bit (x64), and ARM64 architectures, as listed in the affected CPE identifiers.
Risk and Exploitability
The CVSS score of 8.4 indicates high severity; an EPSS score is not available, and the vulnerability is not currently listed in CISA's KEV catalog. The attack vector is local: an adversary must already have access to the target machine to supply the malformed COM data. Once triggered, the exploit runs with the privileges of the user context that launched the malicious COM object and can potentially elevate to system-level privileges. Because there is no remote trigger, the likelihood of exploitation depends on untrusted code already being present on the system, but within a legitimate local environment the risk remains high.
OpenCVE Enrichment