CVE-2026-21222 Overview
CVE-2026-21222 is an information disclosure vulnerability in the Microsoft Windows Kernel. The flaw stems from the insertion of sensitive information into a log file [CWE-532]. An authorized local attacker can read these logs to obtain data that should remain protected by the kernel security boundary.
Microsoft assigned a CVSS 3.1 base score of 5.5 (Medium). The vulnerability affects a broad range of Windows client and server editions, from Windows 10 1607 through Windows Server 2025. Exploitation requires local access and low-privilege authentication, but no user interaction.
Critical Impact
A local authenticated attacker can disclose sensitive kernel information by reading log files, potentially exposing data useful for further privilege escalation chains.
Affected Products
- Microsoft Windows 10 (1607, 1809, 21H2, 22H2)
- Microsoft Windows 11 (23H2, 24H2)
- Microsoft Windows Server 2012 R2, 2016, 2019, 2022, 2022 23H2, and 2025
Discovery Timeline
- 2026-02-10 - CVE-2026-21222 published to NVD
- 2026-02-11 - Last updated in NVD database
Technical Details for CVE-2026-21222
Vulnerability Analysis
The vulnerability is categorized under [CWE-532]: Insertion of Sensitive Information into Log File. The Windows Kernel writes data to a log destination that does not enforce the same access restrictions as the original data source. As a result, content intended to stay within a protected kernel context becomes readable by lower-privileged contexts that can access the log.
The attack vector is local, attack complexity is low, and only low privileges are required. The impact is confined to confidentiality. Integrity and availability are unaffected, which aligns with a pure information disclosure issue rather than a memory corruption or code execution flaw.
The current EPSS probability is 0.047%, indicating low predicted exploitation activity. However, information disclosure flaws in the kernel are frequently chained with other primitives, such as a kernel address leak that supports a subsequent elevation of privilege exploit.
Root Cause
The root cause is improper handling of sensitive data during kernel logging operations. The kernel records diagnostic or operational events that include values, addresses, or identifiers which should never leave a privileged trust boundary. Because the log file is accessible to authenticated users with standard rights, the data crosses that boundary.
Attack Vector
An attacker must first obtain authenticated local access to the target system, for example through a standard user account, a compromised service, or an interactive session. The attacker then reads the affected log artifacts produced by the kernel. No user interaction is required, and the scope remains unchanged because the attacker stays within their existing security context while reading data they should not see.
The vulnerability does not lend itself to remote exploitation. No public proof-of-concept code is available, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog.
See the Microsoft Security Update Guide entry for CVE-2026-21222 for vendor technical details.
Detection Methods for CVE-2026-21222
Indicators of Compromise
- Unexpected read access to Windows kernel-related log files by standard user accounts or non-administrative processes.
- Local processes enumerating event log directories or copying log artifacts to user-writable locations.
- Scripted access patterns against %SystemRoot%\System32\winevt\Logs\ or related kernel diagnostic outputs from unsigned binaries.
Detection Strategies
- Monitor file access telemetry for log files read by processes that do not normally consume them, especially when run under low-privilege user contexts.
- Correlate local logon events with subsequent reconnaissance behavior such as bulk log enumeration or kernel diagnostic queries.
- Apply behavioral analytics to flag information-gathering activity that typically precedes a local privilege escalation chain.
Monitoring Recommendations
- Enable object access auditing on sensitive log paths and forward Security event logs to a centralized SIEM for retention and correlation.
- Track non-administrative process access to kernel-related logs and alert on anomalies against an established baseline.
- Review patch deployment status across all in-scope Windows builds to ensure no host remains unpatched after the February 2026 update cycle.
How to Mitigate CVE-2026-21222
Immediate Actions Required
- Apply the Microsoft security update referenced in the MSRC advisory for CVE-2026-21222 to all affected Windows 10, Windows 11, and Windows Server systems.
- Prioritize patching on multi-user systems, terminal servers, and jump hosts where untrusted local accounts may exist.
- Restrict interactive and remote logon rights on sensitive servers to reduce the population of local users able to reach the vulnerable log surface.
Patch Information
Microsoft has released security updates addressing CVE-2026-21222 across all supported Windows builds listed in the affected products section. Administrators should consult the Microsoft Security Update Guide for KB numbers specific to each operating system version and deploy through Windows Update, WSUS, Microsoft Intune, or Configuration Manager.
Workarounds
- No vendor-supplied workaround replaces the patch. Apply the security update as the primary remediation.
- As a compensating control, tighten access control lists on affected kernel log paths and limit which accounts can read them.
- Reduce the local attack surface by enforcing least privilege, disabling unused local accounts, and requiring strong authentication for interactive logon.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
