Cyber Resilience

CVE-2026-32225

High

Published: 14 April 2026

Published
14 April 2026
Modified
17 April 2026
KEV Added
Patch
CVSS Score v3.1 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS Score 0.0091 55.3th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-32225 is a high-severity Protection Mechanism Failure (CWE-693) vulnerability in Microsoft Windows 10 21H2. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Mark-of-the-Web Bypass (T1553.005); ranked in the top 44.7% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SC-7 (Boundary Protection).

Deeper analysis

CVE-2026-32225 is a protection mechanism failure vulnerability in the Windows Shell, published on 2026-04-14. It enables an unauthorized attacker to bypass a security feature over a network and is associated with CWE-693. The vulnerability carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H), indicating high severity due to its potential for significant impacts.

The attack requires no privileges from the attacker (PR:N) and can be conducted over the network (AV:N) with low complexity (AC:L), though it necessitates user interaction (UI:R). Successful exploitation allows the attacker to bypass the protection mechanism, resulting in high confidentiality, integrity, and availability impacts on the affected system.

Mitigation details are available in the Microsoft Security Response Center advisory at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-32225.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

Protection mechanism failure in Windows Shell allows an unauthorized attacker to bypass a security feature over a network.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1553.005 Mark-of-the-Web Bypass Defense Impairment
Adversaries may abuse specific file formats to subvert Mark-of-the-Web (MOTW) controls.
Why these techniques?

Protection mechanism failure in Windows Shell directly enables Mark-of-the-Web bypass (sub-technique of Subvert Trust Controls) via network vector with user interaction, matching CWE-693 and described security feature bypass.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-24061Same product: Microsoft Windows 10 1607
CVE-2025-49740Same product: Microsoft Windows 10 1607
CVE-2026-32202Same product: Microsoft Windows 10 1607
CVE-2026-21510Same product: Microsoft Windows 10 1607
CVE-2026-21513Same product: Microsoft Windows 10 1607
CVE-2026-24294Same product: Microsoft Windows 10 1607
CVE-2026-40413Same product: Microsoft Windows 10 1607
CVE-2026-23669Same product: Microsoft Windows 10 1607
CVE-2026-26160Same product: Microsoft Windows 10 1607
CVE-2026-33838Same product: Microsoft Windows 10 1607

Affected Assets

microsoft
windows 10 1607
≤ 10.0.14393.9060 · ≤ 10.0.14393.9060
microsoft
windows 10 1809
≤ 10.0.17763.8644 · ≤ 10.0.17763.8644
microsoft
windows 10 21h2
≤ 10.0.19044.7184 · ≤ 10.0.19044.7184 · ≤ 10.0.19044.7184
microsoft
windows 10 22h2
≤ 10.0.19045.7184 · ≤ 10.0.19045.7184 · ≤ 10.0.19045.7184
microsoft
windows 11 23h2
≤ 10.0.22631.6936 · ≤ 10.0.22631.6936
microsoft
windows 11 24h2
≤ 10.0.26100.8246 · ≤ 10.0.26100.8246
microsoft
windows 11 25h2
≤ 10.0.26200.8246 · ≤ 10.0.26200.8246
microsoft
windows 11 26h1
≤ 10.0.28000.1836 · ≤ 10.0.28000.1836
microsoft
windows server 2012
all versions, r2
microsoft
windows server 2016
≤ 10.0.14393.9060
+4 more product configuration(s) — see NVD for full list

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires identification, reporting, and correction of flaws such as the Windows Shell protection mechanism failure via timely patching as advised in the MSRC guidance.

prevent

Ensures organizations receive and act on security advisories like the MSRC update for CVE-2026-32225 to enable rapid flaw remediation and mitigation deployment.

prevent

Monitors and controls communications at system boundaries to block unauthorized network access required for exploiting the Windows Shell vulnerability.

References