CVE-2026-21251

High

Published: 10 February 2026

Published

10 February 2026

Modified

11 February 2026

KEV Added

—

Patch

—

CVSS Score 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0004 11.6th percentile

Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-21251 is a high-severity Use After Free (CWE-416) vulnerability in Microsoft Windows Server 2016. Its CVSS base score is 7.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 11.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploitation for Privilege Escalation (T1068). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Directly remediates the use-after-free flaw in Windows Cluster Client Failover to eliminate the privilege escalation vulnerability.

SI-16 Memory Protection good match

prevent

Implements memory safeguards such as DEP and ASLR to protect against unauthorized code execution from use-after-free exploits.

AC-6 Least Privilege partial match

prevent

Limits the privileges of local low-privilege accounts and processes to reduce the attack surface and impact of escalation attempts.

MITRE ATT&CK Enterprise TechniquesAI

T1068 Exploitation for Privilege Escalation Privilege Escalation

Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

attack.mitre.org →

Why these techniques?

Use-after-free in local Windows component directly enables local privilege escalation via exploitation (T1068).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Use after free in Windows Cluster Client Failover allows an authorized attacker to elevate privileges locally.

Deeper analysisAI

CVE-2026-21251 is a use-after-free vulnerability (CWE-416) in the Windows Cluster Client Failover component. Published on 2026-02-10, it carries a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its potential for significant impact on confidentiality, integrity, and availability.

A local attacker with low privileges can exploit this vulnerability with low complexity and no user interaction required. Successful exploitation allows privilege escalation on the affected Windows system, potentially granting the attacker higher-level access.

For mitigation details, refer to the Microsoft Security Response Center advisory at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-21251.

Details

CWE(s): CWE-416

Affected Products

microsoft

windows server 2016

≤ 10.0.14393.8868

microsoft

windows server 2019

≤ 10.0.17763.8389

microsoft

windows server 2022

≤ 10.0.20348.4711

microsoft

windows server 2022 23h2

≤ 10.0.25398.2149

microsoft

windows server 2025

≤ 10.0.26100.32313

CVEs Like This One

CVE-2025-25008Same product: Microsoft Windows Server 2016

CVE-2026-20822Same product: Microsoft Windows Server 2016

CVE-2025-24046Same product: Microsoft Windows Server 2016

CVE-2026-33098Same product: Microsoft Windows Server 2016

CVE-2025-21367Same product: Microsoft Windows Server 2019

CVE-2026-20923Same product: Microsoft Windows Server 2019

CVE-2025-62221Same product: Microsoft Windows Server 2019

CVE-2026-20865Same product: Microsoft Windows Server 2019

CVE-2026-27915Same product: Microsoft Windows Server 2016

CVE-2026-32156Same product: Microsoft Windows Server 2016

References

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-21251
Vendor Advisory · secure@microsoft.com