CVE-2026-23674

Severity: High
Published: 10 March 2026
Modified: 13 March 2026
KEV Added: not listed (not in the CISA KEV catalog)
Patch: available, see the MSRC update guide linked under Deeper analysis
CVSS Score v3.1: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
EPSS Score: 0.0014 (34.6th percentile)
Risk Priority: 15 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-23674 is a high-severity Improper Resolution of Path Equivalence (CWE-41) vulnerability in the Windows MapUrlToZone function. It affects supported Windows 10, Windows 11 and Windows Server releases (see Affected Assets), not a single product version. Its CVSS base score is 7.5 (High).

Operationally, exploitation maps to the MITRE ATT&CK technique Subvert Trust Controls (T1553). EPSS ranks the vulnerability at the 34.6th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-23674 is an improper resolution of path equivalence vulnerability (CWE-41) in the Windows MapUrlToZone function. MapUrlToZone is the URL Security Zones API in urlmon.dll (IInternetSecurityManager::MapUrlToZone) that classifies a URL or file path into one of the Windows security zones (Local Machine, Local Intranet, Trusted Sites, Internet, Restricted Sites); callers use the returned zone to decide how much to trust the content and which security features to apply. A path-equivalence flaw means two spellings of a path that resolve to the same resource are not zoned consistently, so attacker-controlled input that should land in the Internet or Restricted zone can be mapped to a more trusted zone. The vulnerability received a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), a high severity driven entirely by the confidentiality impact.

The attack scenario described by the CVSS vector involves a remote, unauthenticated attacker with no privileges or user interaction required. By supplying a path whose equivalent form MapUrlToZone misclassifies, the attacker bypasses zone-based restrictions, and the C:H rating reflects unauthorized access to data that those restrictions would otherwise protect. This page carries no trigger string or proof of concept, so the practical signal for defenders is the OS build number: treat any host on an affected build (see Affected Assets) as exposed until the patch is applied.

Microsoft's Security Response Center provides guidance on this vulnerability through its update guide at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-23674, which details available patches and mitigation recommendations for affected Windows systems.

Vulnerability details

Improper resolution of path equivalence in Windows MapUrlToZone allows an unauthorized attacker to bypass a security feature over a network.

CWE(s)

CWE-41 Improper Resolution of Path Equivalence

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-assisted mapping)

T1553 Subvert Trust Controls (tactic: Defense Evasion)
Adversaries may undermine security controls that will either warn users of untrusted activity or prevent execution of untrusted programs.
Why these techniques?

Directly enables bypassing Windows URL security zone trust controls (MapUrlToZone), mapping to subverting trust controls for unauthorized data access.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-21332 (same product: Microsoft Windows 10 1607)
CVE-2026-34329 (same product: Microsoft Windows 10 1607)
CVE-2026-25174 (same product: Microsoft Windows 10 1607)
CVE-2026-27920 (same product: Microsoft Windows 10 1607)
CVE-2026-40401 (same product: Microsoft Windows 10 1607)
CVE-2026-27910 (same product: Microsoft Windows 10 1607)
CVE-2026-26180 (same product: Microsoft Windows 10 1607)
CVE-2026-34338 (same product: Microsoft Windows 10 1607)
CVE-2026-32077 (same product: Microsoft Windows 10 1607)
CVE-2026-27916 (same product: Microsoft Windows 10 1607)

Affected Assets

Duplicate entries for the same build (one per product configuration) are collapsed.

Vendor      Product                 Affected builds
microsoft   windows 10 1607         ≤ 10.0.14393.8957
microsoft   windows 10 1809         ≤ 10.0.17763.8511
microsoft   windows 10 21h2         ≤ 10.0.19044.7058
microsoft   windows 10 22h2         ≤ 10.0.19045.7058
microsoft   windows 11 23h2         ≤ 10.0.22631.6783
microsoft   windows 11 24h2         ≤ 10.0.26100.7979
microsoft   windows 11 25h2         ≤ 10.0.26200.7979
microsoft   windows 11 26h1         ≤ 10.0.28000.1719
microsoft   windows server 2012     all versions (including R2)
microsoft   windows server 2016     ≤ 10.0.14393.8957
+4 more product configuration(s), see NVD for the full list
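As an added example (not code from this page, NVD or Microsoft), the following Python script turns the Affected Assets list into a fleet check: it copies the last affected build per product line from the list above, parses four-part Windows build strings, and classifies each host in an inventory as vulnerable, patched or unknown. The inventory records are constructed sample data, and the hostnames, product labels and function names are this example's own. Two caveats matter in practice. The page renders the bounds as "≤ last affected build", so a host exactly on that build is reported vulnerable; if NVD actually records the value as the fixed build (an exclusive bound), the comparison must be strict, so confirm the fixed build in the MSRC update guide before acting on hosts that match a threshold exactly. Builds not in the list (for example the four configurations the page defers to NVD) are reported as unknown rather than guessed.

```python
"""Classify Windows hosts against the CVE-2026-23674 affected-build list.

Added example for this page, not vendor or NVD code. Thresholds are copied
from the Affected Assets list (the last build shown as affected); confirm the
actual fixed build in the MSRC update guide before acting on the results.
"""

# Last affected build per product line, as listed on the page. Windows Server
# 2016 shares the 14393 build line (and the same threshold) with Windows 10 1607.
LAST_AFFECTED_BUILD = {
    "windows 10 1607": "10.0.14393.8957",
    "windows 10 1809": "10.0.17763.8511",
    "windows 10 21h2": "10.0.19044.7058",
    "windows 10 22h2": "10.0.19045.7058",
    "windows 11 23h2": "10.0.22631.6783",
    "windows 11 24h2": "10.0.26100.7979",
    "windows 11 25h2": "10.0.26200.7979",
    "windows 11 26h1": "10.0.28000.1719",
    "windows server 2016": "10.0.14393.8957",
}

# Product lines the page lists as affected in all versions, with no build bound.
ALL_VERSIONS_AFFECTED = {"windows server 2012", "windows server 2012 r2"}

# OS build number (third component) -> product line, so a bare build string can
# be classified even when the inventory's product label is missing or wrong.
BUILD_TO_PRODUCT = {int(v.split(".")[2]): k for k, v in LAST_AFFECTED_BUILD.items()}


def parse_build(build_string):
    """Parse 'major.minor.build.ubr' into a comparable tuple of four ints."""
    parts = build_string.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a four-part Windows build: {build_string!r}")
    return tuple(int(p) for p in parts)


def classify_build(build_string):
    """Classify by build number alone: 'vulnerable', 'patched' or 'unknown'."""
    try:
        build = parse_build(build_string)
    except ValueError:
        return "unknown"
    product = BUILD_TO_PRODUCT.get(build[2])
    if product is None:
        return "unknown"  # not in this page's list; the +4 NVD configurations may apply
    # The page's bound is inclusive ("<= last affected build"); see the caveat above.
    return "vulnerable" if build <= parse_build(LAST_AFFECTED_BUILD[product]) else "patched"


def classify_host(product_name, build_string):
    """Classify using the inventory's product label first, then the build number."""
    name = product_name.strip().lower()
    if name in ALL_VERSIONS_AFFECTED:
        return "vulnerable"
    if name in LAST_AFFECTED_BUILD:
        try:
            build = parse_build(build_string)
        except ValueError:
            return "unknown"
        return "vulnerable" if build <= parse_build(LAST_AFFECTED_BUILD[name]) else "patched"
    return classify_build(build_string)


# Constructed sample inventory (hostname, product label, reported build).
INVENTORY = [
    ("ws-001", "Windows 10 22H2", "10.0.19045.7058"),        # on the last affected build
    ("ws-002", "Windows 10 22H2", "10.0.19045.7059"),        # one revision past it
    ("ws-003", "Windows 11 24H2", "10.0.26100.7000"),        # below the bound
    ("srv-01", "Windows Server 2012 R2", "6.3.9600.20000"),  # all versions affected
    ("srv-02", "Windows Server 2016", "10.0.14393.9000"),    # above the bound
    ("lab-01", "Windows 11 22H2", "10.0.22621.4000"),        # not listed on the page
]


def report(inventory):
    """Return {hostname: status} for every record in the inventory."""
    return {host: classify_host(product, build) for host, product, build in inventory}


def summarize(inventory):
    """Count hosts per status so the result can be fed to a dashboard or ticket."""
    counts = {"vulnerable": 0, "patched": 0, "unknown": 0}
    for status in report(inventory).values():
        counts[status] += 1
    return counts


if __name__ == "__main__":
    for host, status in report(INVENTORY).items():
        print(f"{host:8} {status}")
    print(summarize(INVENTORY))
```

To feed real data in, collect the four-part build from each Windows host; in PowerShell the values CurrentMajorVersionNumber, CurrentMinorVersionNumber, CurrentBuildNumber and UBR under HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion give the four components, which is what a vulnerability scanner (the RA-5 control below) compares as well. Classifying by build number as a fallback guards against inventories whose product labels are stale; the unknown status is deliberately not collapsed into patched, because a build this page does not list is exactly the case that needs a manual look at NVD.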

Mitigating Controls (NIST 800-53 r5, AI-assisted mapping)

SI-2 Flaw Remediation (prevent)
Directly remediates the improper path equivalence flaw in Windows MapUrlToZone by requiring timely application of vendor-provided patches.

RA-5 Vulnerability Monitoring and Scanning (detect)
Enables identification of CVE-2026-23674 through regular vulnerability scanning of Windows systems to facilitate proactive patching.

Configuration settings (prevent; control identifier not given on this page)
Establishes secure configuration settings for Windows security zones to restrict information flows and mitigate potential zone bypass impacts.

References