CVE-2026-21531

CriticalRCE

Published: 10 February 2026

Published

10 February 2026

Modified

12 February 2026

KEV Added

—

Patch

—

CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0048 65.2th percentile

Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-21531 is a critical-severity Deserialization of Untrusted Data (CWE-502) vulnerability in Microsoft Azure Conversation Authoring Client Library. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 34.8% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SI-10 (Information Input Validation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Directly remediates the deserialization flaw in Azure SDK through timely patching as recommended in Microsoft's update guide.

SI-10 Information Input Validation partial match

prevent

Validates untrusted network inputs prior to deserialization by the Azure SDK to block malicious payloads.

SI-16 Memory Protection partial match

prevent

Implements memory protections like ASLR and DEP to mitigate remote code execution from deserialization exploits.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

Why these techniques?

Deserialization vulnerability (CWE-502) in Azure SDK enables remote code execution over the network with no privileges or user interaction (AV:N/AC:L/PR:N/UI:N), directly facilitating exploitation of public-facing applications.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

Deserialization of untrusted data in Azure SDK allows an unauthorized attacker to execute code over a network.

Deeper analysisAI

CVE-2026-21531 is a deserialization of untrusted data vulnerability (CWE-502) in the Azure SDK. Published on 2026-02-10T18:16:35.580, it carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity due to its potential for severe impact across confidentiality, integrity, and availability.

The vulnerability enables an unauthorized attacker to execute code over a network. Exploitation requires network access with low attack complexity, no privileges, and no user interaction, allowing remote code execution against affected Azure SDK implementations.

Microsoft's Security Response Center provides an update guide for this vulnerability at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-21531, which security practitioners should consult for mitigation and patching details.

Details

CWE(s): CWE-502

Affected Products

microsoft

azure conversation authoring client library

1.0.0

CVEs Like This One

CVE-2025-53772Same vendor: Microsoft

CVE-2025-55232Same vendor: Microsoft

CVE-2025-59237Same vendor: Microsoft

CVE-2026-26114Same vendor: Microsoft

CVE-2025-59287Same vendor: Microsoft

CVE-2026-33819Same vendor: Microsoft

CVE-2026-20963Same vendor: Microsoft

CVE-2025-49712Same vendor: Microsoft

CVE-2025-54897Same vendor: Microsoft

CVE-2025-53770Same vendor: Microsoft

References

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-21531
Vendor Advisory · secure@microsoft.com