Cyber Resilience

CVE-2026-21531

CriticalRCE

Published: 10 February 2026

Published
10 February 2026
Modified
12 February 2026
KEV Added
Patch
CVSS Score v3.1 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0234 81.5th percentile
Risk Priority 70 floored blend · peak EPSS

Summary

CVE-2026-21531 is a critical-severity Deserialization of Untrusted Data (CWE-502) vulnerability in Microsoft Azure Conversation Authoring Client Library. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 18.5% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-21531 is a deserialization of untrusted data vulnerability (CWE-502) in the Azure SDK. Published on 2026-02-10T18:16:35.580, it carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity due to its potential for severe impact across confidentiality, integrity, and availability.

The vulnerability enables an unauthorized attacker to execute code over a network. Exploitation requires network access with low attack complexity, no privileges, and no user interaction, allowing remote code execution against affected Azure SDK implementations.

Microsoft's Security Response Center provides an update guide for this vulnerability at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-21531, which security practitioners should consult for mitigation and patching details.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

Deserialization of untrusted data in Azure SDK allows an unauthorized attacker to execute code over a network.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Deserialization vulnerability (CWE-502) in Azure SDK enables remote code execution over the network with no privileges or user interaction (AV:N/AC:L/PR:N/UI:N), directly facilitating exploitation of public-facing applications.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-59237Same vendor: Microsoft
CVE-2025-55232Same vendor: Microsoft
CVE-2025-53772Same vendor: Microsoft
CVE-2025-49712Same vendor: Microsoft
CVE-2026-26114Same vendor: Microsoft
CVE-2026-33112Same vendor: Microsoft
CVE-2026-40368Same vendor: Microsoft
CVE-2025-59287Same vendor: Microsoft
CVE-2026-41104Same vendor: Microsoft
CVE-2025-53770Same vendor: Microsoft

Affected Assets

microsoft
azure conversation authoring client library
1.0.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly remediates the deserialization flaw in Azure SDK through timely patching as recommended in Microsoft's update guide.

prevent

Validates untrusted network inputs prior to deserialization by the Azure SDK to block malicious payloads.

prevent

Implements memory protections like ASLR and DEP to mitigate remote code execution from deserialization exploits.

References