CVE-2026-27906
Received Received - Intake
Improper Input Validation in Windows Hello Enables Local Bypass

Publication date: 2026-04-14

Last updated on: 2026-04-23

Assigner: Microsoft Corporation

Description
Improper input validation in Windows Hello allows an authorized attacker to bypass a security feature locally.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-14
Last Modified
2026-04-23
Generated
2026-06-16
AI Q&A
2026-04-15
EPSS Evaluated
2026-06-15
NVD
CVE-2026-27906
EUVD
EUVD-2026-22444
Affected Vendors & Products
Showing 14 associated CPEs
Vendor Product Version / Range
microsoft windows_10_21h2 to 10.0.19044.7184 (exc)
microsoft windows_10_21h2 to 10.0.19044.7184 (exc)
microsoft windows_10_21h2 to 10.0.19044.7184 (exc)
microsoft windows_10_22h2 to 10.0.19045.7184 (exc)
microsoft windows_10_22h2 to 10.0.19045.7184 (exc)
microsoft windows_10_22h2 to 10.0.19045.7184 (exc)
microsoft windows_11_23h2 to 10.0.22631.6936 (exc)
microsoft windows_11_23h2 to 10.0.22631.6936 (exc)
microsoft windows_11_24h2 to 10.0.26100.8246 (exc)
microsoft windows_11_24h2 to 10.0.26100.8246 (exc)
microsoft windows_11_25h2 to 10.0.26200.8246 (exc)
microsoft windows_11_25h2 to 10.0.26200.8246 (exc)
microsoft windows_11_26h1 to 10.0.28000.1836 (exc)
microsoft windows_11_26h1 to 10.0.28000.1836 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-20 The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Mitigation Strategies

This vulnerability involves improper input validation in Windows Hello that allows an authorized attacker to bypass a security feature locally.

To mitigate this vulnerability, it is recommended to apply the security updates provided by Microsoft as soon as they become available.

Since the issue requires local access and an authorized user, limiting local access to trusted users and ensuring systems are updated can reduce risk.

Executive Summary

This vulnerability involves improper input validation in Windows Hello, a Microsoft authentication feature.

It allows an authorized attacker to locally bypass a security feature, meaning that someone with some level of access can circumvent protections that are supposed to be enforced by Windows Hello.

Impact Analysis

The impact of this vulnerability is a security feature bypass, which can allow an authorized attacker to circumvent security controls locally.

According to the CVSS score, the confidentiality impact is high, meaning sensitive information could be exposed, but integrity and availability are not affected.

Compliance Impact

The vulnerability in Windows Hello allows an authorized attacker to bypass a security feature locally due to improper input validation.

However, there is no specific information provided about how this vulnerability impacts compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-27906. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart