Cyber Posture

CVE-2026-26170

High

Published: 14 April 2026

Published
14 April 2026
Modified
24 April 2026
KEV Added
Patch
CVSS Score 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0008 22.4th percentile
Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-26170 is a high-severity Improper Input Validation (CWE-20) vulnerability in Microsoft Windows 10 21H2. Its CVSS base score is 7.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 22.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploitation for Privilege Escalation (T1068). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match
prevent

Directly mandates validation of all information inputs, addressing the core improper input validation flaw (CWE-20) in PowerShell that enables privilege escalation.

SI-2 Flaw Remediation good match
preventrecover

Requires timely identification, reporting, and correction of system flaws like this CVE through patching and updates as per Microsoft guidance.

AC-6 Least Privilege partial match
prevent

Enforces least privilege to restrict low-privileged local attackers from achieving high-impact escalation even if the input validation vulnerability is exploited.

MITRE ATT&CK Enterprise TechniquesAI

T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
attack.mitre.org →
Why these techniques?

Local improper input validation in PowerShell directly enables privilege escalation with high impact, mapping to T1068 Exploitation for Privilege Escalation.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Improper input validation in Microsoft PowerShell allows an authorized attacker to elevate privileges locally.

Deeper analysisAI

CVE-2026-26170 is an improper input validation vulnerability (CWE-20) in Microsoft PowerShell. Published on 2026-04-14T18:16:51.263, it carries a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its potential for significant impact with relatively low barriers to exploitation.

The vulnerability enables a local authorized attacker possessing low privileges to exploit improper input validation in PowerShell. Exploitation requires local access and low attack complexity with no user interaction, allowing the attacker to elevate privileges and achieve high confidentiality, integrity, and availability impacts on the affected system.

Mitigation guidance is available in the Microsoft Security Response Center advisory at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-26170.

Details

CWE(s)
CWE-20

Affected Products

microsoft
windows 10 1607
≤ 10.0.14393.9060 · ≤ 10.0.14393.9060
microsoft
windows 10 1809
≤ 10.0.17763.8644 · ≤ 10.0.17763.8644
microsoft
windows 10 21h2
≤ 10.0.19044.7184 · ≤ 10.0.19044.7184 · ≤ 10.0.19044.7184
microsoft
windows 10 22h2
≤ 10.0.19045.7184 · ≤ 10.0.19045.7184 · ≤ 10.0.19045.7184
microsoft
windows 11 23h2
≤ 10.0.22631.6936 · ≤ 10.0.22631.6936
microsoft
windows 11 24h2
≤ 10.0.26100.8246 · ≤ 10.0.26100.8246
microsoft
windows 11 25h2
≤ 10.0.26200.8246 · ≤ 10.0.26200.8246
microsoft
windows 11 26h1
≤ 10.0.28000.1836 · ≤ 10.0.28000.1836
microsoft
windows server 2016
≤ 10.0.14393.9060
microsoft
windows server 2019
≤ 10.0.17763.8644
+3 more product configuration(s) — see NVD for full list

CVEs Like This One

CVE-2026-32149Same product: Microsoft Windows 10 1607
CVE-2026-26156Same product: Microsoft Windows 10 1607
CVE-2026-26161Same product: Microsoft Windows 10 1809
CVE-2026-32164Same product: Microsoft Windows 10 1607
CVE-2026-32089Same product: Microsoft Windows 10 1607
CVE-2026-32091Same product: Microsoft Windows 10 1607
CVE-2026-33098Same product: Microsoft Windows 10 1607
CVE-2026-27911Same product: Microsoft Windows 10 1607
CVE-2025-21235Same product: Microsoft Windows 10 21H2
CVE-2025-21234Same product: Microsoft Windows 10 21H2

References