CVE-2026-21223

7.1 HIGH

📋 TL;DR

This vulnerability allows a standard local user without administrative privileges to execute privileged update commands via Microsoft Edge's Elevation Service. By exploiting the IElevatorEdge interface, attackers can modify protected system registry keys to disable Windows Virtualization-Based Security (VBS), weakening critical platform protections. This affects Windows systems with Microsoft Edge installed where users have local access.

💻 Affected Systems

Products:
  • Microsoft Edge
Versions: Specific versions not specified in CVE; likely multiple versions before patched release
Operating Systems: Windows 10, Windows 11, Windows Server 2016+
Default Config Vulnerable: ⚠️ Yes
Notes: Requires Microsoft Edge Elevation Service running; affects systems with VBS enabled (common in enterprise environments).

⚠️ Risk & Real-World Impact

🔴 Worst Case

An attacker disables VBS protections (Credential Guard, HVCI, Secure Kernel), enabling credential theft, malware persistence, and privilege escalation attacks that would normally be blocked.

🟠 Likely Case

Local users disable VBS to bypass security controls for credential theft or malware installation, compromising the host's security posture.

🟢 If Mitigated

With proper access controls and monitoring, exploitation attempts are detected and blocked before VBS is disabled.

🌐 Internet-Facing: LOW - This requires local access to the system; not directly exploitable over the internet.
🏢 Internal Only: HIGH - Any local user (including compromised accounts) can exploit this to weaken critical security features.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW - Simple local execution of documented COM interface method.

Exploitation requires local user access but no special privileges; the LaunchUpdateCmdElevatedAndWait method is directly callable by a standard user.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check Microsoft Security Update Guide for specific Edge version

Vendor Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-21223

Restart Required: Yes

Instructions:

1. Apply the latest Microsoft Edge security update via Windows Update.
2. Restart the system to ensure the Edge Elevation Service is updated.
3. Verify that VBS remains enabled post-patch.

🔧 Temporary Workarounds

Disable Edge Elevation Service


Temporarily disable the vulnerable service to prevent exploitation.

sc config EdgeElevationService start= disabled
sc stop EdgeElevationService

Restrict COM Interface Access


Use Component Services (dcomcnfg) to tighten the launch and access permissions on the Edge Elevation Service's COM server so that standard users can no longer call the IElevatorEdge interface.

🧯 If You Can't Patch

  • Implement strict local user access controls and monitor for unauthorized privilege escalation attempts.
  • Enable enhanced auditing for registry modifications under HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard.

🔍 How to Verify

Check if Vulnerable:

Check whether the Edge Elevation Service is running and whether an unpatched Edge version is installed.

Check Version:

msedge --version

Verify Fix Applied:

Verify that Edge is updated to the patched version and test that LaunchUpdateCmdElevatedAndWait no longer allows VBS modification.

📡 Detection & Monitoring

Log Indicators:

  • Windows Event Logs: Process creation by EdgeElevationService with elevated privileges
  • Registry modification events for DeviceGuard keys

Network Indicators:

  • None - local exploitation only

SIEM Query:

EventID=4688 AND ProcessName="EdgeElevationService.exe" AND IntegrityLevel="System"
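A small detection routine that applies the two log indicators above to constructed sample events, added here as an example and not part of the advisory: it flags 4688 process creations at System integrity for the elevation service process named in the SIEM query, flags 4657 registry writes under the DeviceGuard key, and rates a write that follows such a launch within an assumed five-minute window as high severity. Field names, sample paths, the sample value name and the window are assumptions; the key path is normalised because the audit log records HKLM as \REGISTRY\MACHINE.

```python
from datetime import datetime, timedelta

# Constructed sample records (not real logs); field names follow the Windows
# Security log: 4688 = process creation, 4657 = registry value modified.
# 4657 records the key as \REGISTRY\MACHINE\..., not HKLM\..., so both forms are handled.
SAMPLE_EVENTS = [
    {"EventID": 4688, "TimeCreated": "2026-01-14T10:00:00", "IntegrityLevel": "System",
     "NewProcessName": r"C:\Program Files (x86)\Microsoft\EdgeUpdate\EdgeElevationService.exe",
     "SubjectUserName": "alice"},
    {"EventID": 4657, "TimeCreated": "2026-01-14T10:00:02", "SubjectUserName": "SYSTEM",
     "ObjectName": r"\REGISTRY\MACHINE\SYSTEM\CurrentControlSet\Control\DeviceGuard",
     "ObjectValueName": "EnableVirtualizationBasedSecurity", "NewValue": "0"},
    {"EventID": 4688, "TimeCreated": "2026-01-14T11:30:00", "IntegrityLevel": "Medium",
     "NewProcessName": r"C:\Windows\System32\notepad.exe", "SubjectUserName": "alice"},
]

PROCESS_NAME = "edgeelevationservice.exe"  # process name taken from the SIEM query above
DEVICEGUARD_KEY = r"\REGISTRY\MACHINE\SYSTEM\CurrentControlSet\Control\DeviceGuard"
WINDOW = timedelta(minutes=5)  # correlation window; assumed value, tune per environment

def is_elevation_launch(ev):
    """4688 at System integrity where the new or parent process is the elevation service."""
    if ev.get("EventID") != 4688 or ev.get("IntegrityLevel") != "System":
        return False
    names = (ev.get("NewProcessName", ""), ev.get("ParentProcessName", ""))
    return any(n.rsplit("\\", 1)[-1].lower() == PROCESS_NAME for n in names)

def is_deviceguard_write(ev):
    """4657 whose object is the DeviceGuard key or any of its subkeys."""
    if ev.get("EventID") != 4657:
        return False
    obj = ev.get("ObjectName", "")
    if obj.upper().startswith("HKLM\\"):  # accept the advisory's HKLM spelling too
        obj = r"\REGISTRY\MACHINE" + obj[4:]
    return obj.lower().startswith(DEVICEGUARD_KEY.lower())

def detect(events, window=WINDOW):
    """Return one alert per DeviceGuard write; 'high' when it follows an elevation launch."""
    launches, alerts = [], []
    for ev in sorted(events, key=lambda e: e["TimeCreated"]):
        t = datetime.fromisoformat(ev["TimeCreated"])
        if is_elevation_launch(ev):
            launches.append((t, ev))
        elif is_deviceguard_write(ev):
            related = [lev for lt, lev in launches if timedelta(0) <= t - lt <= window]
            alerts.append({"time": ev["TimeCreated"], "value": ev.get("ObjectValueName"),
                           "severity": "high" if related else "medium",
                           "launched_by": related[-1]["SubjectUserName"] if related else None})
    return alerts
```

Any DeviceGuard write is reported even without a matching launch, since the registry auditing recommended above is the indicator that survives if the process name differs between Edge builds.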
