CVE-2026-21525

MediumCISA KEVActive Exploitation

Published: 10 February 2026

Published

10 February 2026

Modified

30 March 2026

KEV Added

10 February 2026

Patch

—

CVSS Score 6.2 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS Score 0.0939 92.9th percentile

Risk Priority 38 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-21525 is a medium-severity NULL Pointer Dereference (CWE-476) vulnerability in Microsoft Windows 10 21H2. Its CVSS base score is 6.2 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked in the top 7.1% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and RA-5 (Vulnerability Monitoring and Scanning).

Threat & Defense at a Glance

What attackers do: exploitation maps to Application or System Exploitation (T1499.004). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Directly mandates timely flaw remediation through patching the null pointer dereference in Windows Remote Access Connection Manager as detailed in Microsoft's update guide.

SI-5 Security Alerts, Advisories, and Directives partial match

prevent

Requires monitoring and implementing security advisories and directives from MSRC and CISA's Known Exploited Vulnerabilities catalog for this CVE.

RA-5 Vulnerability Monitoring and Scanning partial match

detect

Supports vulnerability scanning to identify and prioritize systems vulnerable to this local DoS in Remote Access Connection Manager.

MITRE ATT&CK Enterprise TechniquesAI

T1499.004 Application or System Exploitation Impact

Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.

attack.mitre.org →

Why these techniques?

The vulnerability is a null pointer dereference in a Windows system service that enables local attackers to cause a denial of service via exploitation, directly mapping to Endpoint Denial of Service: Application or System Exploitation.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

Null pointer dereference in Windows Remote Access Connection Manager allows an unauthorized attacker to deny service locally.

Deeper analysisAI

CVE-2026-21525 is a null pointer dereference vulnerability (CWE-476) in the Windows Remote Access Connection Manager service. Published on 2026-02-10, it carries a CVSS v3.1 base score of 6.2 (AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) and affects Windows systems running this component, enabling local denial of service.

An unauthorized attacker with local access to the target system can exploit the vulnerability with low attack complexity and no privileges or user interaction required. Exploitation triggers a null pointer dereference, resulting in a denial of service that causes high availability impact while leaving confidentiality and integrity unaffected.

Microsoft's update guide at msrc.microsoft.com provides patching details and advisories for remediation. Vicarius offers specific detection and mitigation scripts tailored to this DoS issue in the Remote Access Connection Manager. The vulnerability is also listed in CISA's Known Exploited Vulnerabilities catalog.

Details

CWE(s): CWE-476
KEV Date Added: 10 February 2026

Affected Products

microsoft

windows 10 1607

≤ 10.0.14393.8868 · ≤ 10.0.14393.8868

microsoft

windows 10 1809

≤ 10.0.17763.8389 · ≤ 10.0.17763.8389

microsoft

windows 10 21h2

≤ 10.0.19044.6937 · ≤ 10.0.19044.6937 · ≤ 10.0.19044.6937

microsoft

windows 10 22h2

≤ 10.0.19045.6937 · ≤ 10.0.19045.6937 · ≤ 10.0.19045.6937

microsoft

windows 11 23h2

≤ 10.0.22631.6649 · ≤ 10.0.22631.6649

microsoft

windows 11 24h2

≤ 10.0.26100.7781 · ≤ 10.0.26100.7781

microsoft

windows 11 25h2

≤ 10.0.26200.7781 · ≤ 10.0.26200.7781

microsoft

windows server 2012

all versions, r2

microsoft

windows server 2016

≤ 10.0.14393.8868

microsoft

windows server 2019

≤ 10.0.17763.8389

+3 more product configuration(s) — see NVD for full list

CVEs Like This One

CVE-2026-20875Same product: Microsoft Windows 10 1607

CVE-2026-32071Same product: Microsoft Windows 10 1607

CVE-2025-21285Same product: Microsoft Windows 10 1607

CVE-2026-21510Same product: Microsoft Windows 10 1607both on KEV

CVE-2026-21513Same product: Microsoft Windows 10 1607both on KEV

CVE-2026-21533Same product: Microsoft Windows 10 1607both on KEV

CVE-2026-20846Same product: Microsoft Windows 10 1607

CVE-2026-20805Same product: Microsoft Windows 10 1607both on KEV

CVE-2026-40413Same product: Microsoft Windows 10 1607

CVE-2026-40414Same product: Microsoft Windows 10 1607

References

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-21525
Vendor Advisory · secure@microsoft.com
https://www.vicarius.io/vsociety/posts/cve-2026-21525-detection-script-dos-vulnerability-in-windows-remote-access-connection-manager
Third Party Advisory · af854a3a-2127-422b-91ae-364da2661108
https://www.vicarius.io/vsociety/posts/cve-2026-21525-mitigation-script-dos-vulnerability-in-windows-remote-access-connection-manager
Mitigation, Third Party Advisory · af854a3a-2127-422b-91ae-364da2661108
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-21525
US Government Resource · 134c704f-9b21-4f2e-91b3-4a467353bcc0