Cyber Resilience

CVE-2026-21240

High

Published: 10 February 2026

Published
10 February 2026
Modified
11 February 2026
KEV Added
Patch
CVSS Score v3.1 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0003 8.3th percentile
Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-21240 is a high-severity Time-of-check Time-of-use (TOCTOU) Race Condition (CWE-367) vulnerability in Microsoft Windows 10 21H2. Its CVSS base score is 7.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 8.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and AC-25 (Reference Monitor).

Deeper analysis

CVE-2026-21240 is a Time-of-check time-of-use (TOCTOU) race condition vulnerability, classified under CWE-367, affecting the Windows HTTP.sys kernel-mode driver. Published on 2026-02-10, it carries a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). This flaw exists in the HTTP.sys component, which handles HTTP requests in Windows operating systems.

A local attacker with low privileges (PR:L) can exploit this race condition due to its low attack complexity (AC:L) and lack of required user interaction (UI:N). Successful exploitation enables privilege escalation, resulting in high impacts to confidentiality, integrity, and availability (C:H/I:H/A:H).

Microsoft's Security Response Center provides an update guide detailing mitigations and patches for CVE-2026-21240 at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-21240.

EU & UK References

Vulnerability details

Time-of-check time-of-use (toctou) race condition in Windows HTTP.sys allows an authorized attacker to elevate privileges locally.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

TOCTOU race condition in kernel driver directly enables local privilege escalation exploit (T1068).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-20831Same product: Microsoft Windows 10 1809
CVE-2026-20816Same product: Microsoft Windows 10 1809
CVE-2026-35418Same product: Microsoft Windows 10 1809
CVE-2026-20809Same product: Microsoft Windows 10 1809
CVE-2026-20923Same product: Microsoft Windows 10 1809
CVE-2025-62215Same product: Microsoft Windows 10 1809
CVE-2026-20857Same product: Microsoft Windows 10 1809
CVE-2025-62221Same product: Microsoft Windows 10 1809
CVE-2026-20858Same product: Microsoft Windows 10 1809
CVE-2026-20924Same product: Microsoft Windows 10 1809

Affected Assets

microsoft
windows 10 1809
≤ 10.0.17763.8389 · ≤ 10.0.17763.8389
microsoft
windows 10 21h2
≤ 10.0.19044.6937 · ≤ 10.0.19044.6937 · ≤ 10.0.19044.6937
microsoft
windows 10 22h2
≤ 10.0.19045.6937 · ≤ 10.0.19045.6937 · ≤ 10.0.19045.6937
microsoft
windows 11 23h2
≤ 10.0.22631.6649 · ≤ 10.0.22631.6649
microsoft
windows 11 24h2
≤ 10.0.26100.7781 · ≤ 10.0.26100.7781
microsoft
windows 11 25h2
≤ 10.0.26200.7781 · ≤ 10.0.26200.7781
microsoft
windows server 2019
≤ 10.0.17763.8389
microsoft
windows server 2022
≤ 10.0.20348.4711
microsoft
windows server 2022 23h2
≤ 10.0.25398.2149
microsoft
windows server 2025
≤ 10.0.26100.32313

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly mitigates the TOCTOU race condition in Windows HTTP.sys by requiring timely identification, testing, and installation of vendor patches.

prevent

Implements a tamper-resistant reference monitor to mediate access to system resources, countering race conditions in kernel-mode access enforcement like HTTP.sys.

prevent

Limits damage from privilege escalation by enforcing least privilege for local users and processes interacting with vulnerable kernel components.

References