cbcvebase.
CVE-2026-21250
published 2026-02-10

CVE-2026-21250: Untrusted pointer dereference in Windows HTTP.sys allows an authorized attacker to elevate privileges locally.

high7.8CVSS 3.1
AVLACLPRLUINSUCHIHAH
EXPLOIT
Untrusted pointer dereference in Windows HTTP.sys allows an authorized attacker to elevate privileges locally.

Affected

16 ranges
VendorProductVersion rangeFixed in
microsoftwindows_11_24h2< 10.0.26100.778110.0.26100.7781
microsoftwindows_11_25h2< 10.0.26200.778110.0.26200.7781
microsoftwindows_11_version_24h2>= 10.0.26100.0 < 10.0.26100.784010.0.26100.7840
microsoftwindows_11_version_25h2>= 10.0.26200.0 < 10.0.26200.784010.0.26200.7840
microsoftwindows_11_version_26h1>= 10.0.28000.0 < 10.0.28000.157510.0.28000.1575
microsoftwindows_server_2022_23h2< 10.0.25398.214910.0.25398.2149
microsoftwindows_server_2025< 10.0.26100.3231310.0.26100.32313
microsoftwindows_server_2025>= 10.0.26100.0 < 10.0.26100.3237010.0.26100.32370
msrcwindows_11_version_24h2_for_arm64-based_systems
msrcwindows_11_version_24h2_for_x64-based_systems
msrcwindows_11_version_25h2_for_arm64-based_systems
msrcwindows_11_version_25h2_for_x64-based_systems
msrcwindows_11_version_26h1_for_arm64-based_systems
msrcwindows_11_version_26h1_for_x64-based_systems
msrcwindows_server_2022_23h2_edition
msrcwindows_server_2025