CVE-2026-26162 Overview
CVE-2026-26162 is a type confusion vulnerability in Windows Object Linking and Embedding (OLE) that allows an authorized local attacker to elevate privileges. The flaw, classified as CWE-843 (access of a resource using an incompatible type), lies within the OLE subsystem. Successful exploitation has high impact on the confidentiality, integrity, and availability of the affected host. The vulnerability affects a wide range of supported Windows client and server versions, including Windows 10, Windows 11, and Windows Server 2012 through 2025.
Critical Impact
An authenticated local user can leverage type confusion in Windows OLE to execute code with elevated privileges, leading to full host compromise.
Affected Products
- Microsoft Windows 10 (1607, 1809, 21H2, 22H2) across x86, x64, and ARM64 architectures
- Microsoft Windows 11 (23H2, 24H2, 25H2, 26H1) across x64 and ARM64 architectures
- Microsoft Windows Server 2012, 2012 R2, 2016, 2019, 2022, 2022 23H2, and 2025
Discovery Timeline
- 2026-04-14 - CVE-2026-26162 published to the National Vulnerability Database
- 2026-04-24 - Last updated in NVD database
Technical Details for CVE-2026-26162
Vulnerability Analysis
The vulnerability resides in the Windows OLE component, a long-standing inter-process and inter-application data exchange subsystem used across the Windows ecosystem. OLE serializes and deserializes structured objects between processes and applications, and these objects carry type metadata that the runtime trusts when dispatching method calls or accessing fields. When that type information is interpreted inconsistently, the code path operates on memory that was laid out for a different type.
Type confusion conditions (CWE-843) in COM and OLE pathways have historically been valuable to attackers because the affected objects often cross security boundaries. In this case, the attacker is already authenticated on the system but holds limited privileges. By triggering the mismatched type interpretation, the attacker can manipulate object state in ways the developer did not anticipate, redirecting control flow or corrupting pointers that the OLE runtime subsequently dereferences with higher privileges.
Root Cause
The root cause is improper validation of object type identity before access. The OLE runtime accepts an object of one type and operates on it as if it were a different, incompatible type. This causes virtual table pointers, field offsets, or embedded handles to be interpreted incorrectly, resulting in memory access that escapes the boundaries the type system was meant to enforce.
Attack Vector
Exploitation requires local access and low privileges, with no user interaction. An attacker running code as a standard user crafts a malicious OLE object or sequence of OLE interactions designed to trigger the mismatched type path. When a privileged process consumes that object or shares the affected OLE state, the corrupted memory leads to controlled execution at a higher integrity level. No verified public proof-of-concept code or in-the-wild exploitation has been reported.
// No verified exploitation code is publicly available for CVE-2026-26162.
// Refer to the Microsoft Security Response Center advisory for technical details.
Detection Methods for CVE-2026-26162
Indicators of Compromise
- Unexpected child processes spawned by OLE-hosting processes (those that have loaded ole32.dll or oleaut32.dll, or applications embedding OLE objects), particularly children that are shells or LOLBins.
- Crashes or access violations originating in ole32.dll or combase.dll followed shortly by privileged process activity from the same user session.
- Standard-user processes acquiring SYSTEM or administrative tokens without an expected elevation prompt.
Detection Strategies
- Hunt for behavioral chains where an unprivileged process loads OLE-related modules and is followed by token manipulation or process injection into a higher-integrity target.
- Correlate Windows Error Reporting (WER) and crash telemetry that references OLE modules with subsequent privilege changes on the same host within a short time window.
- Apply EDR rules that flag suspicious COM/OLE marshaling activity originating from non-interactive or recently spawned medium-integrity processes.
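The following is an added detection example, not code from the original page or from Microsoft. It turns the indicators and hunting chains listed above into a small correlator over normalized Sysmon-style events: a Medium-integrity process that loads ole32.dll, oleaut32.dll or combase.dll and then spawns a shell/LOLBin or an elevated child (chain A), and an application crash whose faulting module is an OLE DLL followed within a short window by a High- or System-integrity process in the same terminal session (chain B). The flat JSON schema (Host, EventID, UtcTime, ProcessId, ParentProcessId, Image, IntegrityLevel, TerminalSessionId, ImageLoaded, FaultingModule), the 120-second window, the module/LOLBin lists and the sample events are all constructed for this example; a real pipeline would map Sysmon Event ID 1/7 and Application Error Event ID 1000 fields onto it.

```python
"""Added example: correlate normalized Sysmon-style events into the OLE-related
behavioural chains described in the detection section. Schema and sample data
are constructed for illustration, not taken from a real host."""
import json
from datetime import datetime, timedelta

# Assumed watch-lists; tune them to the environment.
OLE_MODULES = {"ole32.dll", "oleaut32.dll", "combase.dll"}
SHELLS_AND_LOLBINS = {"cmd.exe", "powershell.exe", "pwsh.exe", "rundll32.exe",
                      "mshta.exe", "wscript.exe", "cscript.exe"}
ELEVATED = {"High", "System"}          # Sysmon IntegrityLevel values above Medium
WINDOW = timedelta(seconds=120)        # the "short time window" from the text (assumed value)


def parse_time(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def basename(path):
    """Lower-cased file name of a Windows path, for set-membership tests."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_jsonl(text):
    """One normalized event per line; blank lines are ignored."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def find_ole_elevation_chains(events):
    """Return a list of alert dicts, in event order, for chains A and B."""
    events = sorted(events, key=lambda e: parse_time(e["UtcTime"]))
    procs = {}       # (host, pid) -> ProcessCreate record (gives IntegrityLevel, session)
    ole_loads = {}   # (host, pid) -> time a Medium-integrity process first loaded an OLE module
    crashes = []     # (host, session, time) for crashes whose faulting module is an OLE DLL
    alerts = []
    for e in events:
        host, eid, t = e["Host"], e["EventID"], parse_time(e["UtcTime"])
        if eid == 1:                                    # Sysmon ProcessCreate
            procs[(host, e["ProcessId"])] = e
            child = basename(e["Image"])
            # Chain A: OLE host (Medium) spawns a shell/LOLBin or an elevated child.
            t0 = ole_loads.get((host, e["ParentProcessId"]))
            if t0 is not None and t - t0 <= WINDOW and (
                    child in SHELLS_AND_LOLBINS or e["IntegrityLevel"] in ELEVATED):
                alerts.append({"rule": "ole_host_spawned_shell_or_elevated_child",
                               "host": host, "parent_pid": e["ParentProcessId"],
                               "child_pid": e["ProcessId"], "child": child,
                               "integrity": e["IntegrityLevel"]})
            # Chain B: elevated process in a session that just saw an OLE-module crash.
            if e["IntegrityLevel"] in ELEVATED:
                for h, sess, tc in crashes:
                    if h == host and sess == e["TerminalSessionId"] and t - tc <= WINDOW:
                        alerts.append({"rule": "elevated_process_after_ole_crash",
                                       "host": host, "session": sess,
                                       "pid": e["ProcessId"], "image": child,
                                       "integrity": e["IntegrityLevel"]})
                        break
        elif eid == 7:                                  # Sysmon ImageLoad
            p = procs.get((host, e["ProcessId"]))
            if (basename(e["ImageLoaded"]) in OLE_MODULES
                    and p is not None and p["IntegrityLevel"] == "Medium"):
                ole_loads.setdefault((host, e["ProcessId"]), t)
        elif eid == 1000:                               # Application Error (crash)
            if basename(e["FaultingModule"]) in OLE_MODULES:
                crashes.append((host, e["TerminalSessionId"], t))
    return alerts


# Constructed sample: one host, one interactive session (2), one service session (0).
SAMPLE_EVENTS_JSONL = r"""
{"Host":"WS-01","EventID":1,"UtcTime":"2026-04-15 10:00:00","ProcessId":4100,"ParentProcessId":3000,"Image":"C:\\Program Files\\ExampleApp\\olehost.exe","IntegrityLevel":"Medium","TerminalSessionId":2}
{"Host":"WS-01","EventID":7,"UtcTime":"2026-04-15 10:00:01","ProcessId":4100,"Image":"C:\\Program Files\\ExampleApp\\olehost.exe","ImageLoaded":"C:\\Windows\\System32\\ole32.dll"}
{"Host":"WS-01","EventID":1,"UtcTime":"2026-04-15 10:00:30","ProcessId":4200,"ParentProcessId":4100,"Image":"C:\\Windows\\System32\\cmd.exe","IntegrityLevel":"Medium","TerminalSessionId":2}
{"Host":"WS-01","EventID":1000,"UtcTime":"2026-04-15 10:01:00","FaultingApplication":"olehost.exe","FaultingModule":"C:\\Windows\\System32\\combase.dll","TerminalSessionId":2}
{"Host":"WS-01","EventID":1,"UtcTime":"2026-04-15 10:01:20","ProcessId":4300,"ParentProcessId":4200,"Image":"C:\\Windows\\System32\\cmd.exe","IntegrityLevel":"High","TerminalSessionId":2}
{"Host":"WS-01","EventID":1,"UtcTime":"2026-04-15 10:01:30","ProcessId":5000,"ParentProcessId":800,"Image":"C:\\Windows\\System32\\svchost.exe","IntegrityLevel":"System","TerminalSessionId":0}
{"Host":"WS-01","EventID":7,"UtcTime":"2026-04-15 10:01:31","ProcessId":5000,"Image":"C:\\Windows\\System32\\svchost.exe","ImageLoaded":"C:\\Windows\\System32\\oleaut32.dll"}
{"Host":"WS-01","EventID":1,"UtcTime":"2026-04-15 10:05:00","ProcessId":4400,"ParentProcessId":4100,"Image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","IntegrityLevel":"Medium","TerminalSessionId":2}
"""

if __name__ == "__main__":
    for alert in find_ole_elevation_chains(parse_jsonl(SAMPLE_EVENTS_JSONL)):
        print(json.dumps(alert))
```

On the sample, the correlator raises exactly two alerts: the cmd.exe child of the OLE host (chain A) and the High-integrity cmd.exe that appears 20 seconds after the combase.dll crash in session 2 (chain B). The System-integrity svchost.exe is ignored because it runs in session 0, and the powershell.exe spawned five minutes after the OLE load falls outside the window, which is the kind of tuning a hunting rule needs before it becomes a production detection.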
Monitoring Recommendations
- Enable detailed process creation auditing with command-line logging (Event ID 4688) and Sysmon to capture parent-child relationships involving OLE host processes.
- Forward endpoint telemetry to a centralized analytics platform and retain crash, module-load, and token-elevation events for retrospective hunting.
- Track patch deployment state per host so unpatched systems running OLE-heavy workloads receive heightened monitoring until remediation completes.
How to Mitigate CVE-2026-26162
Immediate Actions Required
- Apply the Microsoft security update referenced in the Security Update Guide advisory for CVE-2026-26162 to every affected Windows client and server build.
- Prioritize patching on multi-user systems, jump servers, and developer workstations where local low-privilege accounts are common.
- Audit local accounts and remove unnecessary interactive logon rights to reduce the population of users who can reach the local attack vector.
Patch Information
Microsoft has released security updates for all affected Windows versions through the Microsoft Security Response Center. Refer to the Security Update Guide advisory for CVE-2026-26162 for the specific KB articles applicable to each Windows 10, Windows 11, and Windows Server build listed in the affected products section.
Workarounds
- No vendor-supplied workaround is documented; installing the security update is the supported remediation path.
- Enforce least-privilege policies and application control (for example, Windows Defender Application Control or AppLocker) to limit which binaries unprivileged users can execute while patches are staged.
- Restrict execution of untrusted documents and OLE-embedding file types from email and web sources using attachment filtering and Protected View.
# Verify installed updates on a Windows host
# (wmic is deprecated on current Windows builds and may be absent; prefer the PowerShell form)
wmic qfe list brief /format:table
# PowerShell alternative: newest hotfixes first, then compare against the KB numbers in the advisory
Get-HotFix | Sort-Object -Property InstalledOn -Descending
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


