Cyber Resilience

CVE-2026-21247

High

Published: 10 February 2026

Modified: 11 February 2026
KEV Added
Patch
CVSS Score v3.1: 7.3 (CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H)
EPSS Score: 0.0006 (19.6th percentile)
Risk Priority: 15 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-21247 is a high-severity Improper Input Validation (CWE-20) vulnerability in Microsoft Windows 11 23H2. Its CVSS base score is 7.3 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE is ranked at the 19.6th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-21247 is an improper input validation vulnerability (mapped to CWE-20, CWE-122, and CWE-125) in the Windows Hyper-V hypervisor component of Microsoft Windows operating systems. It enables an authorized local attacker to execute arbitrary code on the host system. The vulnerability carries a CVSS v3.1 base score of 7.3 (AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H): a local attack vector, low attack complexity, low privileges required, user interaction required, and high impact on confidentiality, integrity, and availability.

An attacker with local access and low privileges, such as a standard user on the Hyper-V host, can exploit this flaw by providing malformed input that triggers improper validation during Hyper-V operations. Successful exploitation requires the user to interact, such as opening a malicious file or performing a specific action within the Hyper-V environment. This leads to arbitrary code execution in the context of the Hyper-V process, potentially compromising confidentiality, integrity, and availability with high severity on the affected host.

Mitigation details are available in the Microsoft Security Response Center (MSRC) update guide at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-21247, which was published on 2026-02-10. Security practitioners should consult this advisory for patching instructions and workarounds.

Vulnerability details

Improper input validation in Windows Hyper-V allows an authorized attacker to execute code locally.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

T1203 Exploitation for Client Execution (tactic: Execution)
Adversaries may exploit software vulnerabilities in client applications to execute code.
Why these techniques?

Local improper input validation in the Hyper-V hypervisor directly enables exploitation for privilege escalation (T1068), taking a low-privileged local user to arbitrary code execution on the host. The user interaction requirement also maps to exploitation for client execution (T1203).

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-26156 · Same product: Microsoft Windows 10 1607
CVE-2026-35421 · Same product: Microsoft Windows 10 1607
CVE-2025-24050 · Same product: Microsoft Windows 10 1607
CVE-2026-32149 · Same product: Microsoft Windows 10 1607
CVE-2026-21244 · Same product: Microsoft Windows 10 1607
CVE-2025-21411 · Same product: Microsoft Windows 10 1607
CVE-2025-24048 · Same product: Microsoft Windows 10 1607
CVE-2026-26170 · Same product: Microsoft Windows 10 1607
CVE-2026-21236 · Same product: Microsoft Windows 10 1607
CVE-2026-20809 · Same product: Microsoft Windows 10 1607

Affected Assets

Vendor · Product · Affected versions
microsoft · windows 10 1607 · ≤ 10.0.14393.8868
microsoft · windows 10 1809 · ≤ 10.0.17763.8389
microsoft · windows 10 21h2 · ≤ 10.0.19044.6937
microsoft · windows 10 22h2 · ≤ 10.0.19045.6937
microsoft · windows 11 23h2 · ≤ 10.0.22631.6649
microsoft · windows 11 24h2 · ≤ 10.0.26100.7781
microsoft · windows 11 25h2 · ≤ 10.0.26200.7781
microsoft · windows server 2016 · ≤ 10.0.14393.8868
microsoft · windows server 2019 · ≤ 10.0.17763.8389
microsoft · windows server 2022 · ≤ 10.0.20348.4711
+2 more product configuration(s) — see NVD for full list

Mitigating Controls (NIST 800-53 r5) (AI)

prevent

Directly requires validation of all input to Hyper-V components, blocking the malformed data that triggers the CWE-20 flaw and subsequent code execution.

prevent

Mandates prompt application of the vendor patch that corrects the input-validation defect in the Hyper-V hypervisor before exploitation can occur.

prevent

Enforces least-privilege assignments so that even an authorized local user has minimal rights to reach or abuse the vulnerable Hyper-V code paths.