CVE-2026-25166

HIGH EPSS 77.9%

Published Mar 10, 20263mo ago · Modified Mar 13, 20263mo ago

7.8 CVSS 3.1

High

Published Mar 10, 2026 3mo ago

Last Modified Mar 13, 2026 3mo ago

Description

Deserialization of untrusted data in Windows System Image Manager allows an authorized attacker to execute code locally.

Base Score

7.8

Exploitability

1.8

Impact

5.9

Vector string

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector Local

Attack Complexity Low

Privileges Required Low

User Interaction None

Scope Unchanged

Confidentiality High

Integrity High

Availability High

EPSS Exploit Probability

77.9% percentile

Exploit & Patch Status

No Known Exploit

No Patch Available

CWE-502 Deserialization of Untrusted Data Validation

Vendor	Product	Version	Range
microsoft	windows_10_1607	*	<10.0.14393.8957
microsoft	windows_10_1607	*	<10.0.14393.8957
microsoft	windows_10_1809	*	<10.0.17763.8511
microsoft	windows_10_1809	*	<10.0.17763.8511
microsoft	windows_10_21h2	*	<10.0.19044.7058
microsoft	windows_10_21h2	*	<10.0.19044.7058
microsoft	windows_10_21h2	*	<10.0.19044.7058
microsoft	windows_10_22h2	*	<10.0.19045.7058
microsoft	windows_10_22h2	*	<10.0.19045.7058
microsoft	windows_10_22h2	*	<10.0.19045.7058
microsoft	windows_11_23h2	*	<10.0.22631.6783
microsoft	windows_11_23h2	*	<10.0.22631.6783
microsoft	windows_11_24h2	*	<10.0.26100.7979
microsoft	windows_11_24h2	*	<10.0.26100.7979
microsoft	windows_11_25h2	*	<10.0.26200.7979
microsoft	windows_11_25h2	*	<10.0.26200.7979
microsoft	windows_11_26h1	*	<10.0.28000.1719
microsoft	windows_11_26h1	*	<10.0.28000.1719
microsoft	windows_server_2016	*	<10.0.14393.8957
microsoft	windows_server_2019	*	<10.0.17763.8511
microsoft	windows_server_2022	*	<10.0.20348.4830
microsoft	windows_server_2022_23h2	*	<10.0.25398.2207

msrc.microsoft.com https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-25166

Vendor Advisory

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.