HIGH 7.8

CVE-2026-33828: Windows Attestation Privilege Escalation Vulnerability (CVSS 7.8)

A security flaw in Windows Attestation allows an authorized user on a Windows system to bypass security boundaries and gain elevated privileges without requiring interaction or elevated starting permissions. The vulnerability affects multiple versions of Windows 10, Windows 11, and Windows Server. An attacker who already has local access to a system can exploit this to run code with higher privileges, potentially compromising the entire system.

Source data · NVD / CISA · public domain

CVSS
3.1 · 7.8 HIGH · CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Weaknesses (CWE)
CWE-501
Affected products
22 configuration(s)
Published / Modified
2026-06-09 / 2026-06-17

NVD description (verbatim)

Trust boundary violation in Windows Attestation allows an authorized attacker to elevate privileges locally.

1 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-33828 is a trust boundary violation (CWE-501) in the Windows Attestation component. The flaw permits an authenticated, local user to elevate privileges through improper enforcement of security boundaries within the attestation mechanism. With a CVSS 3.1 score of 7.8 (HIGH), the vulnerability requires local access and valid credentials but no user interaction, and impacts confidentiality, integrity, and availability equally. The attack surface is local-only; remote exploitation is not possible.

Business impact

Privilege escalation vulnerabilities in Windows directly threaten endpoint security and data confidentiality. An attacker gaining elevated privileges can install persistent malware, exfiltrate sensitive data, modify system configurations, disable security controls, or pivot to other systems on the network. Organizations with extensive Windows deployments face organizational risk if this vulnerability is left unpatched across their environment. The impact extends to hybrid and cloud infrastructure where Windows VMs are used.

Affected systems

This vulnerability affects a broad range of Windows platforms: Windows 10 versions 1607, 1809, 21H2, and 22H2; Windows 11 versions 23H2, 24H2, 25H2, and 26H1; and Windows Server editions 2016, 2019, 2022, and 2025. The extensive version coverage means most organizations running Windows are likely impacted. Verify the exact patch availability for your specific version against the Microsoft security advisory.

Exploitability

While the vulnerability requires an attacker to already possess valid local credentials, the barrier to exploitation is low once that prerequisite is met. No user interaction is required; the attack executes automatically. The straightforward attack vector (local, low complexity) combined with the direct path to privilege escalation makes this a concerning issue for environments where insider threats, compromised user accounts, or lateral movement scenarios are plausible. The vulnerability has not been added to the CISA Known Exploited Vulnerabilities list as of the available data.

Remediation

Apply the security update from Microsoft targeting this vulnerability across all affected Windows systems. Consult Microsoft's security bulletin for your specific Windows version to identify the correct patch. Given the breadth of affected versions, a phased patching strategy is recommended: prioritize systems handling sensitive data or critical functions, followed by general user endpoints and servers. Test patches in a staging environment before broad deployment.

Patch guidance

Obtain the relevant security update from Microsoft for your Windows version. Verify the patch version number and KB article against the official Microsoft Security Update Guide. For Windows 10 and Windows 11, ensure automatic updates are enabled or manually deploy patches through Windows Update, WSUS, or your organization's patch management system. Windows Server administrators should apply updates during a maintenance window and test thoroughly before production deployment. Check the Microsoft advisory to confirm all affected build numbers are remediated.

Detection guidance

Monitor for local privilege escalation attempts targeting the Windows Attestation component. Detect unusual process execution patterns where low-privilege processes spawn higher-privilege child processes or access system resources unexpectedly. Enable Windows Event Log auditing for privilege use and process creation. Monitor for modifications to attestation-related registry keys or files. Threat detection tools and EDR solutions should flag suspicious local privilege escalation patterns, particularly those exploiting attestation mechanisms.

Why prioritize this

This vulnerability deserves prompt attention due to its HIGH CVSS score (7.8), the broad version coverage affecting most Windows deployments, and the direct path to full system compromise via privilege escalation. While exploitation requires local access, the consequences—complete system compromise—are severe. The lack of user interaction and low complexity of the attack increase risk in multi-user systems or environments where account compromise is a realistic threat. Prioritize patching based on asset criticality and user privilege levels within your organization.

Risk score, explained

The CVSS 3.1 score of 7.8 reflects a HIGH severity rating driven by: (1) local attack vector with low complexity, (2) requirement for low privileges but no user interaction, (3) impact across all three security properties—confidentiality, integrity, and availability—at a high level once elevated, and (4) unchanged scope (contained to the vulnerable system unless lateral movement occurs). The score appropriately conveys that this is a serious privilege escalation that demands rapid remediation.

Frequently asked questions

Do I need elevated privileges to exploit this vulnerability?

No. The vulnerability requires that an attacker already has valid local user credentials, but the exploit itself does not require those credentials to be administrative or elevated. A standard user account is sufficient to trigger the privilege escalation.

Can this vulnerability be exploited remotely?

No. The attack vector is strictly local. An attacker must have access to the system itself, either through a valid user account or by other means of gaining local code execution. Remote exploitation is not possible.

Is there a known public exploit for CVE-2026-33828?

As of the data available, this vulnerability has not been added to CISA's Known Exploited Vulnerabilities catalog, suggesting no widespread public exploit is known at this time. However, organizations should prioritize patching regardless, as the vulnerability's straightforward nature may attract adversary interest.

Which Windows versions are affected?

Multiple versions across Windows 10 (1607, 1809, 21H2, 22H2), Windows 11 (23H2, 24H2, 25H2, 26H1), and Windows Server 2016 through 2025 are affected. Verify your specific version and build number against Microsoft's official advisory to confirm your systems require patching.

This analysis is based on vulnerability data available as of the publication date. Patch version numbers, affected build versions, and remediation details must be verified against the official Microsoft Security Update Guide and relevant security advisories. This explainer does not constitute legal or compliance advice. Organizations should conduct their own risk assessment based on their specific infrastructure, use cases, and security posture. References to exploitation assume proper authorization; unauthorized access to computer systems is illegal. Source: NVD (public-domain), retrieved 2026-07-15. Analysis generated by SEC.co (claude-haiku-4-5).