CVE-2026-21256
Published: 2026-02-10
Priority: P2 · 61 · high · CVSS 3.1: 8.8
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS: 1.10% (61.6th percentile)
Improper neutralization of special elements used in a command ('command injection') in GitHub Copilot and Visual Studio allows an unauthorized attacker to execute code over a network.
Affected
5 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | microsoft_visual_studio_2022_version_17.14 | >= 17.14.0 < 17.14.26 | 17.14.26 |
| microsoft | microsoft_visual_studio_2026_version_18.3 | >= 18.3.0 < 18.3.0 | 18.3.0 |
| microsoft | visual_studio_2022 | >= 17.14.0 < 17.14.26 | 17.14.26 |
| msrc | microsoft_visual_studio_2022_version_17.14 | — | — |
| msrc | microsoft_visual_studio_2026_version_18.3 | — | — |
Detection & IOCs
- CVE-2026-21256 is a prompt injection leading to RCE in GitHub Copilot / Visual Studio; monitor for anomalous command execution spawned from Copilot or Visual Studio processes following user interaction with Copilot prompts
- Exploitation requires user interaction with Copilot (UI:R) but no prior network access (AV:N); alert on unexpected child processes or shell commands spawned by Visual Studio or Copilot backend components after a user engages with a Copilot prompt
- No public exploit exists as of the advisory date; exploitation is rated 'Less Likely' by Microsoft, and there is no CISA KEV entry
- Affected scope is GitHub Copilot and Visual Studio 2022; patches were added for Windows on Feb 11 and Feb 12, 2026 — ensure Visual Studio 2022 ≥ 17.14 or Visual Studio 2026 ≥ 18.3 is deployed
- Customer action is required; the vulnerability is not self-remediating and requires manual update of affected Visual Studio / Copilot installations
CVSS provenance
nvd · v3.1 · 8.8 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
vendor_msrc · 8.8 HIGH
Microsoft
GitHub Copilot and Visual Studio Remote Code Execution Vulnerability
vendor_msrc·2026-02-10·CVSS 8.8
CVE-2026-21256 [HIGH] CWE-77 GitHub Copilot and Visual Studio Remote Code Execution Vulnerability
Description: Improper neutralization of special elements used in a command ('command injection') in GitHub Copilot and Visual Studio allows an unauthorized attacker to execute code over a network.
FAQ: How could an attacker exploit this vulnerability?
The AV:N rating indicates the vulnerability is exploitable over the network, meaning an attacker can deliver a malicious prompt remotely without prior access, while UI:R means a user must interact with Copilot for exploitation to occur. Due to prompt injection, the system is coerced into executing attacker-controlled instructions, which can escalate into remote code execution (RCE) when the compromised prompt causes backend components or integrated tools to run unintended
GHSA
GHSA-wr95-24gv-jx75: Improper neutralization of special elements used in a command ('command injection') in GitHub Copilot and Visual Studio allows an unauthorized attacke
ghsa_unreviewed·2026-02-10
CVE-2026-21256 [HIGH] CWE-77 GHSA-wr95-24gv-jx75: Improper neutralization of special elements used in a command ('command injection') in GitHub Copilot and Visual Studio allows an unauthorized attacke
Improper neutralization of special elements used in a command ('command injection') in GitHub Copilot and Visual Studio allows an unauthorized attacker to execute code over a network.
No detection rules found.
No public exploits indexed.
Sophos
February’s Patch Tuesday assumes battle stations
blogs_sophos·2026-02-13
Bleepingcomputer
Microsoft February 2026 Patch Tuesday fixes 6 zero-days, 58 flaws
blogs_bleepingcomputer·2026-02-10·CVSS 8.8
[HIGH] Microsoft February 2026 Patch Tuesday fixes 6 zero-days, 58 flaws
## Lawrence Abrams
- 25 Elevation of Privilege vulnerabilities
- 5 Security Feature Bypass vulnerabilities
- 12 Remote Code Execution vulnerabilities
- 6 Information Disclosure vulnerabilities
- 3 Denial of Service vulnerabilities
- 7 Spoofing vulnerabilities
When BleepingComputer reports on Patch Tuesday security updates, we only count those released by Microsoft today. Therefore, the number of flaws does not include 3 Microsoft Edge flaws fixed earlier this month.
As part of these updates, Microsoft has also begun to roll out updated Secure Boot certificates to replace the original 2011 certificates that are expiring in late June 2026.
"With this update, Windows quality updates include a broad set of targeting data that i
Krebs
Patch Tuesday, February 2026 Edition
blogs_krebs·2026-02-10·CVSS 7.8
CVE-2026-21510 [HIGH] Patch Tuesday, February 2026 Edition
Microsoft today released updates to fix more than 50 security holes in its Windows operating systems and other software, including patches for a whopping six “zero-day” vulnerabilities that attackers are already exploiting in the wild.
Zero-day #1 this month is CVE-2026-21510, a security feature bypass vulnerability in Windows Shell wherein a single click on a malicious link can quietly bypass Windows protections and run attacker-controlled content without warning or consent dialogs. CVE-2026-21510 affects all currently supported versions of Windows.
The zero-day flaw CVE-2026-21513 is a security bypass bug targeting MSHTML, the proprietary engine of the default Web browser in Windows. CVE-2026-21514 is a related security feature bypass in Microsoft Word.
The zero-day CVE-2026-21533 all
Talos
Microsoft Patch Tuesday for February 2026 — Snort rules and prominent vulnerabilities
blogs_talos·2026-02-10·CVSS 8.8
CVE-2026-21522 [HIGH] Microsoft Patch Tuesday for February 2026 — Snort rules and prominent vulnerabilities
Microsoft has released its monthly security update for February 2026, which includes 59 vulnerabilities affecting a range of products, including two that Microsoft marked as “Critical”.
CVE-2026-21522 is a critical elevation of privilege vulnerability affecting Microsoft ACI Confidential Containers. Successful exploitation of this vulnerability could enable an authorized attacker to escalate privileges on affected systems. This vulnerability is not listed as publicly disclosed and received a CVSS 3.1 score of 6.7.
CVE-2026-23655 is a critical information disclosure vulnerability affecting Microsoft ACI Confidential Containers. This vulnerability could enable an authorized attacker to disclose sensitive information including secret tokens and keys if successfully exploited. This vulnerabi
Wiz
CVE-2026-21257 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 4.8
CVE-2026-21257 [MEDIUM] CVE-2026-21257 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-21257 :
Visual Studio 2022 vulnerability analysis and mitigation
Improper neutralization of special elements used in a command ('command injection') in GitHub Copilot and Visual Studio allows an authorized attacker to elevate privileges over a network.
Source : NVD
## 8
Score
Published February 10, 2026
Severity HIGH
CNA Score 8.0
Affected Technologies
Visual Studio 2022
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 12.2
Exploitation Probability (EPSS) N/A
Affected packages and libraries
cpe:2.3:a:microsoft:visual_studio_2022
Sources
Windows Severity HIGH Has Fix Added at: Feb 11, 2026
Windows Severity HIGH Has Fix Added at: Feb 12, 2026
Wiz
CVE-2026-21256 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 4.8
CVE-2026-21256 [MEDIUM] CVE-2026-21256 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-21256 :
Visual Studio 2022 vulnerability analysis and mitigation
Improper neutralization of special elements used in a command ('command injection') in GitHub Copilot and Visual Studio allows an unauthorized attacker to execute code over a network.
Source : NVD
## 8.8
Score
Published February 10, 2026
Severity HIGH
CNA Score 8.8
Affected Technologies
Visual Studio 2022
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 12
Exploitation Probability (EPSS) N/A
Affected packages and libraries
cpe:2.3:a:microsoft:visual_studio_2022
Sources
Windows Severity HIGH Has Fix Added at: Feb 11, 2026
Windows Severity HIGH Has Fix Added at: Feb 12, 2026
Sophos
February’s Patch Tuesday assumes battle stations
blogs_sophos
Microsoft on Tuesday released 58 patches affecting 15 product families. Five of the addressed issues, all involving Azure, are considered by Microsoft to be of Critical severity, though only two require urgent attention (more on that below). Fifteen have a CVSS base score of 8.0 or higher, including two with a 9.8 base score. Six are known to be under active exploit in the wild, and three are publicly disclosed (including one not yet known to be under exploit).
At patch time, five CVEs are judged more likely to be exploited in the next 30 days by the company’s estimation, in addition to the six already detected to be so. Various of this month’s issues are amenable to direct detection by Sophos protections, and we include information on those in a table below. The release also
Published: 2026-02-10