⚠ Actively exploited

Added to CISA KEV on 2026-02-10. Federal agencies required to patch by 2026-03-03. Required action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable..

CVE-2026-21525

CWE-476 — NULL Pointer Dereference7 documents7 sources

Severity

6.2MEDIUM

EPSS

11.8%

top 6.28%

CISA KEV

KEV

Added 2026-02-10

Due 2026-03-03

Exploit

No known exploits

Affected products

Microsoft Windows 10 Version 1607 Microsoft Windows 10 Version 1809 Microsoft Windows 10 Version 21h2 +25 more

Timeline

PublishedFeb 10

KEV addedFeb 10

KEV dueMar 3

CISA Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Description

Null pointer dereference in Windows Remote Access Connection Manager allows an unauthorized attacker to deny service locally.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 2.5 | Impact: 3.6

Affected Packages28 packages

▶NVDmicrosoft/windows< 10.0.14393.8868+5

▶NVDmicrosoft/windows_10_1607< 10.0.14393.8868

▶NVDmicrosoft/windows_10_1809< 10.0.17763.8389

▶NVDmicrosoft/windows_10_21h2< 10.0.19044.6937

▶NVDmicrosoft/windows_10_22h2< 10.0.19045.6937

🔴Vulnerability Details

GHSA

GHSA-cf8p-vhmm-h7g6: Null pointer dereference in Windows Remote Access Connection Manager allows an unauthorized attacker to deny service locally↗2026-02-10

▶

CVEList

Windows Remote Access Connection Manager Denial of Service Vulnerability↗2026-02-10

▶

VulnCheck

Microsoft Windows NULL Pointer Dereference Vulnerability↗2026

▶

📋Vendor Advisories

CISA

Microsoft Windows NULL Pointer Dereference Vulnerability↗2026-02-10

▶

Microsoft

Windows Remote Access Connection Manager Denial of Service Vulnerability↗2026-02-10

▶

🕵️Threat Intelligence

Wiz

CVE-2026-21525 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶