CVE-2026-27906
Improper Input Validation in Windows Hello Enables Local Bypass
Publication date: 2026-04-14
Last updated on: 2026-04-23
Assigner: Microsoft Corporation
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| microsoft | windows_10_21h2 | to 10.0.19044.7184 (exc) |
| microsoft | windows_10_21h2 | to 10.0.19044.7184 (exc) |
| microsoft | windows_10_21h2 | to 10.0.19044.7184 (exc) |
| microsoft | windows_10_22h2 | to 10.0.19045.7184 (exc) |
| microsoft | windows_10_22h2 | to 10.0.19045.7184 (exc) |
| microsoft | windows_10_22h2 | to 10.0.19045.7184 (exc) |
| microsoft | windows_11_23h2 | to 10.0.22631.6936 (exc) |
| microsoft | windows_11_23h2 | to 10.0.22631.6936 (exc) |
| microsoft | windows_11_24h2 | to 10.0.26100.8246 (exc) |
| microsoft | windows_11_24h2 | to 10.0.26100.8246 (exc) |
| microsoft | windows_11_25h2 | to 10.0.26200.8246 (exc) |
| microsoft | windows_11_25h2 | to 10.0.26200.8246 (exc) |
| microsoft | windows_11_26h1 | to 10.0.28000.1836 (exc) |
| microsoft | windows_11_26h1 | to 10.0.28000.1836 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-20 | The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly. |
Attack-Flow Graph
AI Powered Q&A
What immediate steps should I take to mitigate this vulnerability?
This vulnerability involves improper input validation in Windows Hello that allows an authorized attacker to bypass a security feature locally.
To mitigate this vulnerability, it is recommended to apply the security updates provided by Microsoft as soon as they become available.
Since the issue requires local access and an authorized user, limiting local access to trusted users and ensuring systems are updated can reduce risk.
Can you explain this vulnerability to me?
This vulnerability involves improper input validation in Windows Hello, a Microsoft authentication feature.
It allows an authorized attacker to locally bypass a security feature, meaning that someone with some level of access can circumvent protections that are supposed to be enforced by Windows Hello.
How can this vulnerability impact me? :
The impact of this vulnerability is a security feature bypass, which can allow an authorized attacker to circumvent security controls locally.
According to the CVSS score, the confidentiality impact is high, meaning sensitive information could be exposed, but integrity and availability are not affected.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability in Windows Hello allows an authorized attacker to bypass a security feature locally due to improper input validation.
However, there is no specific information provided about how this vulnerability impacts compliance with common standards and regulations such as GDPR or HIPAA.