CVE-2026-27928

CWE-20 — Improper Input Validation2 documents2 sources

Severity

8.7HIGH

EPSS

No EPSS data

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

7

Microsoft Windows Server 2016 Microsoft Windows Server 2016 (server Core Installation)Microsoft Windows Server 2019 +4 more

Timeline

PublishedApr 14

Description

Improper input validation in Windows Hello allows an unauthorized attacker to bypass a security feature over a network.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:NExploitability: 2.2 | Impact: 5.8

Affected Packages7 packages

▶CVEListV5microsoft/windows_server_201610.0.14393.0 — 10.0.14393.9060

▶CVEListV5microsoft/windows_server_201910.0.17763.0 — 10.0.17763.8644

▶CVEListV5microsoft/windows_server_202210.0.20348.0 — 10.0.20348.5020

▶CVEListV5microsoft/windows_server_202510.0.26100.0 — 10.0.26100.32690

▶CVEListV5microsoft/windows_server_2016_(server_core_installation)10.0.14393.0 — 10.0.14393.9060

🔴Vulnerability Details

1

CVEList

Windows Hello Security Feature Bypass Vulnerability↗2026-04-14

▶

CVE-2026-27928 (HIGH CVSS 8.7) | Improper input validation in Window | cvebase.io