CVE-2026-25166
Published: 2026-03-10
CVE-2026-25166: Deserialization of untrusted data in Windows System Image Manager allows an authorized attacker to execute code locally.
Severity: High, 7.8 (CVSS 3.1)
Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Affected
18 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | windows_10_1607 | < 10.0.14393.8957 | 10.0.14393.8957 |
| microsoft | windows_10_1809 | < 10.0.17763.8511 | 10.0.17763.8511 |
| microsoft | windows_10_21h2 | < 10.0.19044.7058 | 10.0.19044.7058 |
| microsoft | windows_10_22h2 | < 10.0.19045.7058 | 10.0.19045.7058 |
| microsoft | windows_11_23h2 | < 10.0.22631.6783 | 10.0.22631.6783 |
| microsoft | windows_11_24h2 | < 10.0.26100.7979 | 10.0.26100.7979 |
| microsoft | windows_11_25h2 | < 10.0.26200.7979 | 10.0.26200.7979 |
| microsoft | windows_11_26h1 | < 10.0.28000.1719 | 10.0.28000.1719 |
| microsoft | windows_adk_for_windows_server_2022 | — | — |
| microsoft | windows_server_2016 | < 10.0.14393.8957 | 10.0.14393.8957 |
| microsoft | windows_server_2019 | < 10.0.17763.8511 | 10.0.17763.8511 |
| microsoft | windows_server_2022 | < 10.0.20348.4830 | 10.0.20348.4830 |
| microsoft | windows_server_2022_23h2 | < 10.0.25398.2207 | 10.0.25398.2207 |
| msrc | windows_adk_for_windows_10_version_2004 | — | — |
| msrc | windows_adk_for_windows_11_version_22h2 | — | — |
| msrc | windows_adk_for_windows_11_version_23h2 | — | — |
| msrc | windows_adk_for_windows_11_version_24h2 | — | — |
| msrc | windows_adk_for_windows_server_2022 | — | — |