CVE-2026-26148
Published: 10 March 2026
Summary
CVE-2026-26148 is a high-severity External Initialization of Trusted Variables or Data Stores (CWE-454) vulnerability in Microsoft Azure Ad Ssh Login Extension For Linux. Its CVSS base score is 8.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 27.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-25 (Reference Monitor) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2026-26148, published on 2026-03-10, is a vulnerability involving external initialization of trusted variables or data stores in Azure Entra ID. This flaw, classified under CWE-454 (External Initialization of Trusted Variables or Data Stores) and NVD-CWE-noinfo, carries a CVSS v3.1 base score of 8.1 (AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H), indicating high severity due to its potential for significant confidentiality, integrity, and availability impacts with a changed scope.
An unauthorized attacker with local access (AV:L) can exploit this vulnerability despite requiring no privileges (PR:N). The attack demands high complexity (AC:H) and no user interaction (UI:N), but successful exploitation enables privilege escalation locally, resulting in high impacts across confidentiality, integrity, and availability (C:H/I:H/A:H) within a changed scope (S:C).
For mitigation details, refer to the official advisory at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-26148.
OWASP Top 10 for Web (2025)
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-10702
Vulnerability details
External initialization of trusted variables or data stores in Azure Entra ID allows an unauthorized attacker to elevate privileges locally.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The vulnerability enables local privilege escalation through exploitation, directly mapping to T1068: Exploitation for Privilege Escalation.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly mitigates CWE-454 by requiring validation of external information inputs before they are trusted as variables or data stores in Azure Entra ID.
Implements a reference monitor mechanism to mediate and enforce access to trusted variables or data stores, preventing unauthorized external initialization and local privilege escalation.
Enforces least privilege to restrict the privileges available for escalation even if external initialization of trusted variables succeeds.