CVE-2026-21425
Published: 04 March 2026
Summary
CVE-2026-21425 is a medium-severity Incorrect Privilege Assignment (CWE-266) vulnerability in Dell Powerscale Onefs. Its CVSS base score is 6.7 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 3.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).
Deeper analysis
CVE-2026-21425 is an incorrect privilege assignment vulnerability (CWE-266) affecting Dell PowerScale OneFS. The issue impacts versions prior to 9.10.1.6 and versions 9.11.0.0 through 9.12.0.1. Published on 2026-03-04, it carries a CVSS v3.1 base score of 6.7 (AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H), rated as medium severity.
A low-privileged attacker with local access can exploit this vulnerability to achieve elevation of privileges. Successful exploitation requires high attack complexity and user interaction, potentially granting high confidentiality, integrity, and availability impacts within the unchanged scope.
Dell Security Advisory DSA-2026-038 details a security update for multiple vulnerabilities in PowerScale OneFS, including CVE-2026-21425, with mitigation guidance available at https://www.dell.com/support/kbdoc/en-sg/000432452/dsa-2026-038-security-update-for-dell-powerscale-onefs-multiple-vulnerabilities.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-9390
Vulnerability details
Dell PowerScale OneFS, versions prior to 9.10.1.6 and versions 9.11.0.0 through 9.12.0.1, contains an incorrect privilege assignment vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to Elevation of privileges.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Incorrect privilege assignment (CWE-266) directly enables local exploitation for privilege escalation to root/admin level.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly counters incorrect privilege assignment by ensuring accounts receive only the minimum rights needed, blocking the low-privileged local escalation path in OneFS.
Enforces the system's access control policy at runtime, preventing a low-privileged process from exercising the erroneously granted higher privileges.
Governs creation, modification, and privilege assignment for accounts, reducing the likelihood that incorrect privileges are granted in the first place.