CVE-2026-27906

Published: Apr 14, 2026Modified: Apr 23, 2026

4.4

Vector

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

Exploitability: 0.8 / Impact: 3.6

Source: secure@microsoft.com (Secondary)

Description

Improper input validation in Windows Hello allows an authorized attacker to bypass a security feature locally.

Affected (14)

Products: Microsoft: Windows 10 21h2, Windows 10 22h2, Windows 11 23h2, Windows 11 24h2, Windows 11 25h2, Windows 11 26h1

6 products

Windows 10 21h2

Windows 10 22h2

Windows 11 23h2

Windows 11 24h2

Windows 11 25h2

Windows 11 26h1

Configuration A

14 vulnerable

Vulnerable Software	Affected Versions
Microsoft Windows 10 21h2	Before 10.0.19044.7184
Microsoft Windows 10 21h2	Before 10.0.19044.7184
Microsoft Windows 10 21h2	Before 10.0.19044.7184
Microsoft Windows 10 22h2	Before 10.0.19045.7184
Microsoft Windows 10 22h2	Before 10.0.19045.7184
Microsoft Windows 10 22h2	Before 10.0.19045.7184
Microsoft Windows 11 23h2	Before 10.0.22631.6936
Microsoft Windows 11 23h2	Before 10.0.22631.6936
Microsoft Windows 11 24h2	Before 10.0.26100.8246
Microsoft Windows 11 24h2	Before 10.0.26100.8246
Microsoft Windows 11 25h2	Before 10.0.26200.8246
Microsoft Windows 11 25h2	Before 10.0.26200.8246
Microsoft Windows 11 26h1	Before 10.0.28000.1836
Microsoft Windows 11 26h1	Before 10.0.28000.1836

Related CWEs

Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

References (1)

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-27906

Source: secure@microsoft.com

Vendor Advisory

Timeline

No history available yet.