
CVE-2026-21530: Windows 10 1607 Privilege Escalation Flaw

CVE-2026-21530 is a privilege escalation vulnerability in Microsoft Windows 10 1607 caused by a double free in Windows Rich Text Edit. This article covers the technical details, affected versions, and mitigation steps.

CVE-2026-21530 Overview

CVE-2026-21530 is a double free vulnerability [CWE-415] in the Windows Rich Text Edit control. An authenticated local attacker can exploit the flaw to elevate privileges on affected Windows client and server systems. Successful exploitation requires user interaction and high attack complexity, which limits opportunistic abuse but does not eliminate risk in targeted scenarios. Microsoft has published a security advisory and patch guidance for all supported Windows 10, Windows 11, and Windows Server releases. The CVSS 3.1 base score is 6.7, and EPSS data places exploitation probability at 0.053% as of 2026-05-17.

Critical Impact

Successful exploitation grants high impact to confidentiality, integrity, and availability, enabling privilege escalation that can lead to full system compromise on a wide range of Windows builds.

Affected Products

  • Microsoft Windows 10 (1607, 1809, 21H2, 22H2) across x86, x64, and ARM64
  • Microsoft Windows 11 (23H2, 24H2, 25H2, 26H1) across x64 and ARM64
  • Microsoft Windows Server 2012, 2012 R2, 2016, 2019, 2022, 2022 23H2, and 2025

Discovery Timeline

  • 2026-05-12 - CVE-2026-21530 published to NVD
  • 2026-05-14 - Last updated in NVD database

Technical Details for CVE-2026-21530

Vulnerability Analysis

The vulnerability resides in the Windows Rich Text Edit control, a shared user-interface component that many applications use to render and edit RTF content. A double free condition [CWE-415] occurs when the component releases the same heap allocation twice during a specific sequence of operations on rich text data. The flaw is local in scope and requires the attacker to already hold low-privileged access on the target host. User interaction is also required, typically opening or manipulating a crafted document or UI element that drives the vulnerable control into the faulty state.

Root Cause

The root cause is improper memory management within the Rich Text Edit control. When a particular object lifecycle path is triggered, the allocator's bookkeeping permits a freed pointer to be returned to the free list a second time. This corrupts heap metadata and creates a window where attacker-controlled data can occupy structures the allocator still tracks as live.

Attack Vector

An authorized local user delivers crafted rich text input to an application that hosts the Rich Text Edit control. After convincing the user to perform an action such as opening a document or interacting with a UI prompt, the attacker drives the control into the double free state. The attacker then grooms the heap to land controlled data into the corrupted allocation, ultimately hijacking execution flow within a higher-privileged context to elevate privileges locally.

No verified public proof-of-concept code is currently available. Refer to Microsoft's Security Update Guide entry for CVE-2026-21530 for vendor-supplied technical details.

Detection Methods for CVE-2026-21530

Indicators of Compromise

  • Unexpected crashes or Windows Error Reporting (Watson) reports referencing the Rich Text Edit control or riched20.dll / msftedit.dll in user-mode processes.
  • Creation of new local user accounts, service installations, or scheduled tasks shortly after a user opens an RTF file or another document with embedded rich text content.
  • Token manipulation events in which a low-privilege process spawns a child at a higher integrity level.

Detection Strategies

  • Hunt for process crashes in the Application event log (Application Error, Event ID 1000) whose faulting module is one of the Rich Text Edit libraries, then correlate them with subsequent privileged process creation on the same host.
  • Monitor for anomalous parent-child process relationships originating from Office, WordPad-like editors, or other RTF-capable applications launching cmd.exe, powershell.exe, or LOLBins.
  • Apply behavioral analytics that flag local privilege escalation patterns such as access token duplication and integrity level changes from Medium to High or System.

Monitoring Recommendations

  • Enable Windows Defender Exploit Guard and PowerShell script block logging to capture post-exploitation activity on affected endpoints.
  • Forward Sysmon Event IDs 1, 10, and 11 to a centralized analytics platform to correlate process creation, handle access, and file write events linked to RTF-handling applications.
  • Review privilege use audit events (Event ID 4672, special privileges assigned to a new logon, and Event ID 4673, a privileged service was called) on workstations where standard users do not normally trigger them.
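The crash-to-elevation correlation described under Detection Strategies, fed by the Sysmon Event ID 1 telemetry recommended above, as an added PowerShell hunt (example code, not part of the advisory or of any Microsoft tooling). It assumes Sysmon is installed with process creation logging enabled; the lookback and correlation window values are arbitrary defaults.

```powershell
# Added example (not from the advisory or Microsoft): hunt for crashes in the
# Rich Text Edit libraries and correlate them with high-integrity process
# creation on the same host, as described under Detection Strategies.
# Assumes Sysmon is installed and logging Event ID 1 (process creation).
param(
    [int]$LookbackHours = 24,
    [int]$CorrelationWindowMinutes = 10
)

$since = (Get-Date).AddHours(-$LookbackHours)

# 1. Application Error (Event ID 1000) records whose faulting module is one of
#    the Rich Text Edit DLLs named under Indicators of Compromise.
$crashes = Get-WinEvent -FilterHashtable @{
    LogName = 'Application'; ProviderName = 'Application Error'; Id = 1000; StartTime = $since
} -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'Faulting module name:\s*(riched20|msftedit)\.dll' }

if (-not $crashes) { Write-Output "No Rich Text Edit crashes since $since"; return }

# 2. Sysmon process-creation events, parsed once so IntegrityLevel and the
#    parent image can be read from the event XML.
$procEvents = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1; StartTime = $since
} -ErrorAction SilentlyContinue | ForEach-Object {
    $field = @{}
    foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $field[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Time           = $_.TimeCreated
        Image          = $field['Image']
        ParentImage    = $field['ParentImage']
        IntegrityLevel = $field['IntegrityLevel']
        CommandLine    = $field['CommandLine']
    }
}

# 3. For each crash, report processes created shortly afterwards at High or
#    System integrity; a standard user's session should rarely produce these.
foreach ($crash in $crashes) {
    $windowEnd = $crash.TimeCreated.AddMinutes($CorrelationWindowMinutes)
    $suspects = $procEvents | Where-Object {
        $_.Time -ge $crash.TimeCreated -and $_.Time -le $windowEnd -and
        $_.IntegrityLevel -in @('High', 'System')
    }
    if ($suspects) {
        Write-Output "Crash at $($crash.TimeCreated) followed by elevated process creation:"
        $suspects | Format-Table Time, IntegrityLevel, ParentImage, Image, CommandLine -AutoSize
    }
}
```

Run it as Administrator on a suspect host, or point both Get-WinEvent calls at forwarded logs on a collector; a crash with no elevated child within the window is most likely a benign application fault, while repeated crash-then-elevation pairs on one host warrant a full triage.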

How to Mitigate CVE-2026-21530

Immediate Actions Required

  • Apply Microsoft's May 2026 security update for every affected Windows 10, Windows 11, and Windows Server release listed in the advisory.
  • Prioritize patching multi-user systems such as Remote Desktop Session Hosts, VDI pools, and shared workstations where local privilege escalation has the greatest blast radius.
  • Restrict the ability of standard users to open untrusted RTF or rich text content from email and external sources.

Patch Information

Microsoft has released cumulative updates addressing CVE-2026-21530 through the standard Windows Update channel. See the Microsoft Security Update CVE-2026-21530 advisory for the specific KB articles applicable to each supported build.

Workarounds

  • Block or quarantine inbound RTF attachments at the mail gateway until patching is complete on all endpoints.
  • Enforce least privilege by removing local administrator rights from standard user accounts to reduce post-exploitation impact.
  • Use Attack Surface Reduction rules in Microsoft Defender to block Office applications from creating child processes, limiting common follow-on exploitation paths.

```powershell
# Verify the latest cumulative update is installed by listing the ten most recent hotfixes
Get-HotFix | Sort-Object -Property InstalledOn -Descending | Select-Object -First 10

# Trigger a Windows Update scan, then download and install the available updates
UsoClient StartScan
UsoClient StartDownload
UsoClient StartInstall
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
