Cyber Posture

CVE-2026-21537

High

Published: 10 February 2026
Modified: 11 February 2026
KEV Added: not listed
Patch: see the Microsoft advisory linked under Deeper analysis
CVSS Score: 8.8 (CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0009 (25.2nd percentile)
Risk Priority: 18 (weighted 60% EPSS · 20% KEV · 20% CVSS)
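The Risk Priority line above states only the weights. The following added example is not the Cyber Posture site's own scoring code; it shows one normalisation, assumed here, under which a 60/20/20 weighting of the page's three inputs (EPSS 0.0009, not in KEV, CVSS 8.8) reproduces the figure of 18, and what the score would become if the CVE were added to KEV or its EPSS rose. The 0-100 scaling of each signal and the function names are assumptions.

```python
"""Added example, not the Cyber Posture site's own scoring code: one way a
60% EPSS / 20% KEV / 20% CVSS weighting reproduces the page's Risk Priority
of 18 for CVE-2026-21537.

Assumption: each signal is put on a 0-100 scale before weighting (EPSS
probability x100, KEV membership as 0 or 100, CVSS base score x10). The page
does not publish its formula; this scaling simply matches its figure.
"""
from typing import Dict

WEIGHTS = {"epss": 0.60, "kev": 0.20, "cvss": 0.20}


def contributions(epss: float, in_kev: bool, cvss: float) -> Dict[str, float]:
    """Weighted points each signal adds to the 0-100 priority score."""
    if not 0.0 <= epss <= 1.0:
        raise ValueError("EPSS is a probability in [0, 1]")
    if not 0.0 <= cvss <= 10.0:
        raise ValueError("CVSS base score lies in [0, 10]")
    return {
        "epss": WEIGHTS["epss"] * epss * 100,
        "kev": WEIGHTS["kev"] * (100.0 if in_kev else 0.0),
        "cvss": WEIGHTS["cvss"] * cvss * 10,
    }


def risk_priority(epss: float, in_kev: bool, cvss: float) -> int:
    """Integer priority (0-100) as the rounded sum of the weighted signals."""
    return round(sum(contributions(epss, in_kev, cvss).values()))


if __name__ == "__main__":
    # Inputs exactly as shown on the page for this CVE.
    epss, cvss = 0.0009, 8.8
    scenarios = [
        ("as published (EPSS 0.0009, not in KEV)", False, epss),
        ("if CISA adds it to KEV", True, epss),
        ("if EPSS rose to 0.5", False, 0.5),
    ]
    for label, kev, e in scenarios:
        parts = contributions(e, kev, cvss)
        print(f"{label}: {risk_priority(e, kev, cvss)} "
              f"(epss {parts['epss']:.2f} + kev {parts['kev']:.0f} "
              f"+ cvss {parts['cvss']:.1f})")
```

Under this weighting, 17.6 of the 18 points come from the CVSS vector and the EPSS term contributes well under one point, so a KEV listing alone would move the score to 38. That is why the KEV and EPSS fields of this entry are worth re-checking over time even though the CVSS vector will not change.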

Summary

CVE-2026-21537 is a high-severity code injection (CWE-94) vulnerability in Microsoft Defender for Linux, catalogued here under the product name Microsoft Defender for Endpoint. Its CVSS v3.1 base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation of Remote Services (T1210). Its EPSS score of 0.0009 places it at the 25.2nd percentile by exploit likelihood, below the median, and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploitation of Remote Services (T1210) and one other technique, Command and Scripting Interpreter (T1059). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) [AI-generated]

SI-2 Flaw Remediation (prevent)

Flaw remediation requires timely application of Microsoft's patch for this code injection vulnerability in Microsoft Defender for Linux, directly preventing exploitation.

SI-10 Information Input Validation (prevent)

Information input validation enforces checks on network inputs to Microsoft Defender for Linux, directly mitigating code injection attacks. This control is implemented by the vendor inside the product; customers obtain it by deploying the fixed release rather than by configuration.

SC-7 Boundary Protection (prevent)

Boundary protection monitors and controls communications at network interfaces, restricting the adjacent-network access (CVSS AV:A) an attacker needs in order to reach the vulnerable component.
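As an added example for the flaw remediation control above (not Microsoft's code and not part of the original page), the script below checks whether a Linux host's Defender for Endpoint agent is at or above a required build. The page does not state the fixed build for CVE-2026-21537, so the required version is an input the operator takes from the MSRC advisory; the REQUIRED_BUILD placeholder, the function names and the constructed inventory values are assumptions. The agent version is queried with the documented `mdatp health --field app_version` command, and versions are compared numerically rather than as strings.

```python
"""Added example (not from the Cyber Posture page or from Microsoft): an SI-2
patch-level check for Microsoft Defender for Endpoint on Linux.

The fixed build for CVE-2026-21537 is not given on the page, so `required`
must be supplied by the operator from the MSRC advisory (assumption).
"""
import shutil
import subprocess
from typing import Optional, Tuple


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '101.24082.0004' (optionally quoted, as mdatp prints it) into
    (101, 24082, 4) so that comparison is numeric per component.

    A plain string compare would rank '101.9.0' above '101.10.0'.
    """
    text = text.strip().strip('"')
    if not text:
        raise ValueError("empty version string")
    return tuple(int(part) for part in text.split("."))


def is_patched(installed: str, required: str) -> bool:
    """True when the installed build is at or above the required build.

    Shorter tuples are right-padded with zeros so '101.1' == '101.1.0'.
    """
    a, b = parse_version(installed), parse_version(required)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a >= b


def installed_mdatp_version() -> Optional[str]:
    """Query the local agent via `mdatp health --field app_version`.

    Returns None when the mdatp CLI is absent (agent not installed here).
    """
    if shutil.which("mdatp") is None:
        return None
    result = subprocess.run(
        ["mdatp", "health", "--field", "app_version"],
        capture_output=True, text=True, check=False,
    )
    return result.stdout.strip().strip('"') or None


def check_host(required: str, installed: Optional[str] = None) -> str:
    """Return PATCHED, VULNERABLE or NOT_INSTALLED for one host.

    `installed` may be passed in (e.g. from an inventory export) so the
    same logic runs over many hosts without calling mdatp on each.
    """
    if installed is None:
        installed = installed_mdatp_version()
    if installed is None:
        return "NOT_INSTALLED"
    return "PATCHED" if is_patched(installed, required) else "VULNERABLE"


if __name__ == "__main__":
    # Placeholder (assumption): substitute the build named in the MSRC advisory.
    REQUIRED_BUILD = "101.0.0"
    print("local host:", check_host(REQUIRED_BUILD))

    # Constructed inventory sample (hostname -> reported app_version).
    inventory = {"lnx-app-01": "101.24082.0004", "lnx-db-02": "101.9.0"}
    for host, version in inventory.items():
        print(host, check_host(REQUIRED_BUILD, installed=version))
```

Run it under a scheduler or configuration-management tool and alert on any VULNERABLE result; NOT_INSTALLED hosts are a separate coverage gap rather than a patch gap.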

MITRE ATT&CK Enterprise Techniques [AI-generated]

T1210 Exploitation of Remote Services (Lateral Movement): Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.
T1059 Command and Scripting Interpreter (Execution): Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries.
Why these techniques?

CWE-94 code injection in a Defender component reachable from an adjacent network (CVSS AV:A) directly enables code execution through exploitation of that service (T1210) and, once code runs, arbitrary command or script execution on the host (T1059).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Improper control of generation of code ('code injection') in Microsoft Defender for Linux allows an unauthorized attacker to execute code over an adjacent network.

Deeper analysis [AI-generated]

CVE-2026-21537, published on 2026-02-10T18:16:35.970, is an improper control of generation of code vulnerability classified as CWE-94 (code injection) in Microsoft Defender for Linux. The issue enables an unauthorized attacker to execute code over an adjacent network and carries a CVSS v3.1 base score of 8.8 (AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to significant impacts on confidentiality, integrity, and availability.

An attacker positioned on an adjacent network can exploit this vulnerability without privileges (PR:N) or user interaction (UI:N), requiring only low attack complexity (AC:L). In CVSS terms AV:A means the attacker must share a physical or logical network segment with the target, such as the same LAN or VLAN, rather than reach it from anywhere on the internet; this narrows the exposure but places every host on a shared segment at risk. Exploitation grants the ability to execute arbitrary code on the targeted system running the affected Microsoft Defender for Linux component.

Microsoft's advisory provides details on mitigations and patches at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-21537.

Details

CWE(s): CWE-94 Improper Control of Generation of Code ('Code Injection')

Affected Products: Microsoft Defender for Endpoint, all versions (as recorded in this page's product data; the fixed build is given in the MSRC advisory)

CVEs Like This One

CVE-2025-21187 (same vendor: Microsoft)
CVE-2025-21417 (same vendor: Microsoft)
CVE-2025-21238 (same vendor: Microsoft)
CVE-2025-21190 (same vendor: Microsoft)
CVE-2026-26030 (same vendor: Microsoft)
CVE-2025-49704 (same vendor: Microsoft)
CVE-2025-21292 (same vendor: Microsoft)
CVE-2025-21241 (same vendor: Microsoft)
CVE-2025-65037 (same vendor: Microsoft)
CVE-2025-24045 (same vendor: Microsoft)

References