⚠ Actively exploited
Added to CISA KEV on 2026-02-10. Federal agencies required to patch by 2026-03-03. Required action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable..

CVE-2026-21519

CWE-8437 documents7 sources
Severity
7.8HIGH
EPSS
4.5%
top 10.83%
CISA KEV
KEV
Added 2026-02-10
Due 2026-03-03
Exploit
No known exploits
Affected products
24
Microsoft Windows 10 Version 1607Microsoft Windows 10 Version 1809Microsoft Windows 10 Version 21h2+21 more
Timeline
PublishedFeb 10
KEV addedFeb 10
KEV dueMar 3
CISA Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Description

Access of resource using incompatible type ('type confusion') in Desktop Window Manager allows an authorized attacker to elevate privileges locally.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 1.8 | Impact: 5.9

Affected Packages24 packages

NVDmicrosoft/windows< 10.0.14393.8868+4
NVDmicrosoft/windows_10_1607< 10.0.14393.8868
NVDmicrosoft/windows_10_1809< 10.0.17763.8389
NVDmicrosoft/windows_10_21h2< 10.0.19044.6937
NVDmicrosoft/windows_10_22h2< 10.0.19045.6937

🔴Vulnerability Details

3
CVEList
Desktop Window Manager Elevation of Privilege Vulnerability2026-02-10
GHSA
GHSA-h77q-4hph-8vf3: Access of resource using incompatible type ('type confusion') in Desktop Window Manager allows an authorized attacker to elevate privileges locally2026-02-10
VulnCheck
Microsoft Windows Type Confusion Vulnerability2026

📋Vendor Advisories

2
CISA
Microsoft Windows Type Confusion Vulnerability2026-02-10
Microsoft
Desktop Window Manager Elevation of Privilege Vulnerability2026-02-10

🕵️Threat Intelligence

1
Wiz
CVE-2026-21519 Impact, Exploitability, and Mitigation Steps | Wiz
CVE-2026-21519 (HIGH CVSS 7.8) | Access of resource using incompatib | cvebase.io