Cyber Resilience

CVE-2026-21525

MediumCISA KEVActive ExploitationEUVD Exploited

Published: 10 February 2026

Published
10 February 2026
Modified
30 March 2026
KEV Added
10 February 2026
Patch
CVSS Score v3.1 6.2 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS Score 0.0496 91.1th percentile
Risk Priority 100 floored blend · peak EPSS

Summary

CVE-2026-21525 is a medium-severity NULL Pointer Dereference (CWE-476) vulnerability in Microsoft Windows 10 21H2. Its CVSS base score is 6.2 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked in the top 8.9% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and RA-5 (Vulnerability Monitoring and Scanning).

Deeper analysis

CVE-2026-21525 is a null pointer dereference vulnerability (CWE-476) in the Windows Remote Access Connection Manager service. Published on 2026-02-10, it carries a CVSS v3.1 base score of 6.2 (AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) and affects Windows systems running this component, enabling local denial of service.

An unauthorized attacker with local access to the target system can exploit the vulnerability with low attack complexity and no privileges or user interaction required. Exploitation triggers a null pointer dereference, resulting in a denial of service that causes high availability impact while leaving confidentiality and integrity unaffected.

Microsoft's update guide at msrc.microsoft.com provides patching details and advisories for remediation. Vicarius offers specific detection and mitigation scripts tailored to this DoS issue in the Remote Access Connection Manager. The vulnerability is also listed in CISA's Known Exploited Vulnerabilities catalog.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

Null pointer dereference in Windows Remote Access Connection Manager allows an unauthorized attacker to deny service locally.

CWE(s)
KEV Date Added
10 February 2026

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1499.004 Application or System Exploitation Impact
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

The vulnerability is a null pointer dereference in a Windows system service that enables local attackers to cause a denial of service via exploitation, directly mapping to Endpoint Denial of Service: Application or System Exploitation.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-40413Same product: Microsoft Windows 10 1607
CVE-2026-40414Same product: Microsoft Windows 10 1607
CVE-2026-40401Same product: Microsoft Windows 10 1607
CVE-2026-20875Same product: Microsoft Windows 10 1607
CVE-2026-32071Same product: Microsoft Windows 10 1607
CVE-2025-21285Same product: Microsoft Windows 10 1607
CVE-2026-20846Same product: Microsoft Windows 10 1607
CVE-2026-21510Same product: Microsoft Windows 10 1607both on KEV
CVE-2026-21533Same product: Microsoft Windows 10 1607both on KEV
CVE-2026-20805Same product: Microsoft Windows 10 1607both on KEV

Affected Assets

microsoft
windows 10 1607
≤ 10.0.14393.8868 · ≤ 10.0.14393.8868
microsoft
windows 10 1809
≤ 10.0.17763.8389 · ≤ 10.0.17763.8389
microsoft
windows 10 21h2
≤ 10.0.19044.6937 · ≤ 10.0.19044.6937 · ≤ 10.0.19044.6937
microsoft
windows 10 22h2
≤ 10.0.19045.6937 · ≤ 10.0.19045.6937 · ≤ 10.0.19045.6937
microsoft
windows 11 23h2
≤ 10.0.22631.6649 · ≤ 10.0.22631.6649
microsoft
windows 11 24h2
≤ 10.0.26100.7781 · ≤ 10.0.26100.7781
microsoft
windows 11 25h2
≤ 10.0.26200.7781 · ≤ 10.0.26200.7781
microsoft
windows server 2012
all versions, r2
microsoft
windows server 2016
≤ 10.0.14393.8868
microsoft
windows server 2019
≤ 10.0.17763.8389
+3 more product configuration(s) — see NVD for full list

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly mandates timely flaw remediation through patching the null pointer dereference in Windows Remote Access Connection Manager as detailed in Microsoft's update guide.

prevent

Requires monitoring and implementing security advisories and directives from MSRC and CISA's Known Exploited Vulnerabilities catalog for this CVE.

detect

Supports vulnerability scanning to identify and prioritize systems vulnerable to this local DoS in Remote Access Connection Manager.

References