Critical Local Privilege Escalation (CVE‑2026‑21250) Discovered in Windows 11 24H2, 25H2 and Windows Server 2022
What Happened – A new CVE (2026‑21250) in the HTTP.sys kernel driver allows an unprivileged user to execute arbitrary code with SYSTEM rights on Windows 11 24H2/25H2 and Windows Server 2022 23H2. Public exploit code (EDB‑52546) demonstrates a local request that triggers a blue‑screen and privilege escalation.
Why It Matters for TPRM –
- The flaw resides in a core OS component used across virtually all enterprise endpoints and cloud‑hosted Windows workloads.
- Exploitation can lead to full control of a compromised host, enabling lateral movement, data exfiltration, or ransomware deployment.
- Third‑party service providers that manage Windows environments (MSPs, MSSPs, cloud hosts) may inherit the risk if patches are not applied promptly.
Who Is Affected – Enterprises running Windows 11 24H2/25H2 desktops, laptops, or Windows Server 2022 23H2 (including SaaS platforms, VDI, and managed services).
Recommended Actions –
- Verify patch status for CVE‑2026‑21250 against the Microsoft security advisory.
- Prioritize deployment of the out‑of‑band update to all affected endpoints.
- Review third‑party contracts for OS patch‑management clauses; request evidence of timely remediation.
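One way to carry out the first two actions (and to produce the remediation evidence the third asks third parties for) is a host-level check of release and patch state. The script below is an added example, not part of the advisory or of any Microsoft tooling. It reads the Windows release from the `DisplayVersion` registry value and the OS edition from `Win32_OperatingSystem`, then looks for the fixing update with `Get-HotFix`; the KB number is a placeholder because the advisory text above does not name it, and the fixed `http.sys` file version is likewise not on the page, so the driver version is reported only as supporting evidence.

```powershell
# Added example (not from the advisory): report whether this host is in the
# affected population for CVE-2026-21250 and whether the fix is installed.
# PLACEHOLDER: take the real KB identifier from the Microsoft security advisory.
$FixKB = 'KB0000000'

# Affected releases as listed in the advisory: Windows 11 24H2/25H2 and
# Windows Server 2022 23H2.
$AffectedClient = @('24H2', '25H2')
$AffectedServer = @('23H2')

$os  = Get-CimInstance -ClassName Win32_OperatingSystem
$cv  = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
$rel = $cv.DisplayVersion           # e.g. 24H2; present on Windows 10 20H2 and later

# Win32_OperatingSystem.ProductType: 1 = workstation, 2 = domain controller, 3 = server
$isServer = $os.ProductType -ne 1

$inScope = if ($isServer) {
    ($os.Caption -like '*Server 2022*') -and ($rel -in $AffectedServer)
} else {
    ($os.Caption -like '*Windows 11*') -and ($rel -in $AffectedClient)
}

# Get-HotFix reads Win32_QuickFixEngineering; a missing entry means the update
# is not installed (a downloaded or approved update is not enough).
$fix = Get-HotFix -Id $FixKB -ErrorAction SilentlyContinue

# Driver file version: supporting evidence only. The fixed version number must
# come from the advisory and is deliberately not hard-coded here.
$httpSys = Get-Item -Path "$env:SystemRoot\System32\drivers\http.sys" -ErrorAction SilentlyContinue

$report = [pscustomobject]@{
    ComputerName   = $env:COMPUTERNAME
    OS             = $os.Caption
    Release        = $rel
    Build          = $os.BuildNumber
    InAffectedSet  = $inScope
    FixInstalled   = [bool]$fix
    FixInstalledOn = if ($fix) { $fix.InstalledOn } else { $null }
    HttpSysVersion = if ($httpSys) { $httpSys.VersionInfo.FileVersion } else { $null }
    Status         = if (-not $inScope) { 'NotAffected' }
                     elseif ($fix)      { 'Patched' }
                     else               { 'ACTION REQUIRED' }
    CollectedUtc   = (Get-Date).ToUniversalTime().ToString('o')
}

# JSON output can be attached to a vendor remediation request as evidence.
$report | ConvertTo-Json
```

Run it locally on a representative host or fan it out with `Invoke-Command` across the estate; a `Status` of `ACTION REQUIRED` on an in-scope host is the population to prioritize for the out‑of‑band update, and the JSON record is the kind of dated evidence worth requesting from MSPs and cloud hosts under the contract clauses above.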
Technical Notes – The exploit abuses a malformed HTTP header (X‑Trigger‑Ptr) sent to the HTTP.sys driver, causing a kernel‑mode memory corruption that escalates privileges. No CVE‑specific mitigation existed at disclosure; Microsoft released a security update on 2026‑02‑27. Source: Exploit‑DB 52546