CVE-2026-21223

Microsoft Edge Elevation Service exposes a privileged COM interface that inadequately validates the privileges of the calling process. A standard (non‑administrator) local user can invoke the IElevatorEdge interface method LaunchUpdateCmdElevatedAndWait, causing the service to execute privileged update commands as LocalSystem. This allows a non‑administrator to enable or disable Windows Virtualization‑Based Security (VBS) by modifying protected system registry keys under HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard. Disabling VBS weakens critical platform protections such as Credential Guard, Hypervisor‑protected Code Integrity (HVCI), and the Secure Kernel, resulting in a security feature bypass.

CVSS v3 5.1 MEDIUM

5.1^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.5 / Impact : 2.5

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-21223	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:microsoft:edge_chromium:*:*:*:*:*:*:*:*

History

03 Feb 2026, 18:42

Type	Values Removed	Values Added
First Time		Microsoft Microsoft edge Chromium
References	~~() https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-21223 -~~	() https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-21223 - Vendor Advisory
CPE		cpe:2.3:a:microsoft:edge_chromium::::::::

Information

Published : 2026-01-16 22:16

Updated : 2026-02-03 18:42

NVD link : CVE-2026-21223

Mitre link : CVE-2026-21223

CVE.ORG link : CVE-2026-21223

JSON object : View

Products Affected

microsoft

edge_chromium

CWE

CWE-269

Improper Privilege Management

5.1 /10