CVE-2026-21232
Published: 2026-02-10
Severity: High, 7.8 (CVSS 3.1)
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Untrusted pointer dereference in Windows HTTP.sys allows an authorized attacker to elevate privileges locally.
Affected
21 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | windows_11_23h2 | < 10.0.22631.6649 | 10.0.22631.6649 |
| microsoft | windows_11_24h2 | < 10.0.26100.7781 | 10.0.26100.7781 |
| microsoft | windows_11_25h2 | < 10.0.26200.7781 | 10.0.26200.7781 |
| microsoft | windows_11_version_22h3 | >= 10.0.22631.0 < 10.0.22631.6649 | 10.0.22631.6649 |
| microsoft | windows_11_version_23h2 | >= 10.0.22631.0 < 10.0.22631.6649 | 10.0.22631.6649 |
| microsoft | windows_11_version_24h2 | >= 10.0.26100.0 < 10.0.26100.7840 | 10.0.26100.7840 |
| microsoft | windows_11_version_25h2 | >= 10.0.26200.0 < 10.0.26200.7840 | 10.0.26200.7840 |
| microsoft | windows_11_version_26h1 | >= 10.0.28000.0 < 10.0.28000.1575 | 10.0.28000.1575 |
| microsoft | windows_server_2022_23h2 | < 10.0.25398.2149 | 10.0.25398.2149 |
| microsoft | windows_server_2025 | < 10.0.26100.32313 | 10.0.26100.32313 |
| microsoft | windows_server_2025 | >= 10.0.26100.0 < 10.0.26100.32370 | 10.0.26100.32370 |
| msrc | windows_11_version_23h2_for_arm64-based_systems | — | — |
| msrc | windows_11_version_23h2_for_x64-based_systems | — | — |
| msrc | windows_11_version_24h2_for_arm64-based_systems | — | — |
| msrc | windows_11_version_24h2_for_x64-based_systems | — | — |
| msrc | windows_11_version_25h2_for_arm64-based_systems | — | — |
| msrc | windows_11_version_25h2_for_x64-based_systems | — | — |
| msrc | windows_11_version_26h1_for_arm64-based_systems | — | — |
| msrc | windows_11_version_26h1_for_x64-based_systems | — | — |
| msrc | windows_server_2022_23h2_edition | — | — |
| msrc | windows_server_2025 | — | — |