CVE-2026-21247
Published: 10 February 2026
Summary
CVE-2026-21247 is a high-severity Improper Input Validation (CWE-20) vulnerability in Microsoft Windows 11 23H2. Its CVSS base score is 7.3 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE ranks at the 19.6th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-21247 is an improper input validation vulnerability (mapped to CWE-20, CWE-122, and CWE-125) in the Windows Hyper-V hypervisor component of Microsoft Windows operating systems. It enables an authorized local attacker to execute arbitrary code on the host system. The vulnerability carries a CVSS v3.1 base score of 7.3 (AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H): a local attack vector, low attack complexity, low privileges required, user interaction required, and high impact on confidentiality, integrity, and availability.
An attacker with local access and low privileges, such as a standard user on the Hyper-V host, can exploit this flaw by providing malformed input that is not properly validated during Hyper-V operations. Successful exploitation requires user interaction, such as opening a malicious file or performing a specific action within the Hyper-V environment. This leads to arbitrary code execution in the context of the Hyper-V process, potentially compromising confidentiality, integrity, and availability with high severity on the affected host.
Mitigation details are available in the Microsoft Security Response Center (MSRC) update guide at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-21247, which was published on 2026-02-10. Security practitioners should consult this advisory for patching instructions and workarounds.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-7351
Vulnerability details
Improper input validation in Windows Hyper-V allows an authorized attacker to execute code locally.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Local improper input validation in the Hyper-V hypervisor directly enables exploitation for privilege escalation (T1068), taking a low-privileged local user to arbitrary code execution on the host; the user interaction requirement also maps to exploitation for client execution (T1203).
Mitigating Controls (NIST 800-53 r5)
Directly requires validation of all input to Hyper-V components, blocking the malformed data that triggers the CWE-20 flaw and subsequent code execution.
Mandates prompt application of the vendor patch that corrects the input-validation defect in the Hyper-V hypervisor before exploitation can occur.
Enforces least-privilege assignments so that even an authorized local user has minimal rights to reach or abuse the vulnerable Hyper-V code paths.