CVE-2026-21537
Published: 10 February 2026
Summary
CVE-2026-21537 is a high-severity Code Injection (CWE-94) vulnerability in Microsoft Defender for Endpoint. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation of Remote Services (T1210). The CVE is ranked at the 40.8th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-21537, published on 2026-02-10T18:16:35.970, is an improper control of generation of code vulnerability classified as CWE-94 (code injection) in Microsoft Defender for Linux. The issue enables an unauthorized attacker to execute code over an adjacent network, earning a CVSS v3.1 base score of 8.8 (AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to significant impacts on confidentiality, integrity, and availability.
An attacker positioned on an adjacent network can exploit this vulnerability without privileges or user interaction, requiring only low attack complexity. Exploitation grants the ability to execute arbitrary code on the targeted system running the affected Microsoft Defender for Linux component.
Microsoft's advisory provides details on mitigations and patches at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-21537.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-7336
Vulnerability details
Improper control of generation of code ('code injection') in Microsoft Defender for Linux allows an unauthorized attacker to execute code over an adjacent network.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
CWE-94 code injection in network-accessible Defender component directly enables remote code execution via exploitation of the service (T1210) and arbitrary command/script execution (T1059).
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): timely application of Microsoft's patch for this specific code injection vulnerability in Microsoft Defender for Linux directly prevents exploitation.
- SI-10 (Information Input Validation): enforcing checks on network inputs reaching Microsoft Defender for Linux directly mitigates code injection attacks.
- SC-7 (Boundary Protection): monitoring and controlling communications at network interfaces restricts the unauthorized adjacent-network access needed to exploit the vulnerability.