PT-2026-24285 · Microsoft · Windows
James Forshaw · Published 2026-03-10 · Updated 2026-03-29 · CVE-2026-24291
CVSS v3.1: 7.8 (High) | Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
Windows versions prior to March 10, 2026 Patch Tuesday
Description
An improper permission assignment in the Windows Accessibility Infrastructure (ATBroker.exe) allows an authorized local attacker to elevate privileges. The issue stems from insecure registry permissions: a local user can overwrite values and execute arbitrary code with SYSTEM privileges. The flaw, dubbed "RegPwn" (CVE-2026-24291), affects accessibility features such as the On-Screen Keyboard and Narrator, and has been exploited in Red Team engagements since January 2025. Exploitation involves manipulating a registry key associated with accessibility features that is writable by the local user, replacing it with a symbolic link that points to a restricted system registry location. Writes intended for the accessibility key are then redirected into the protected location, ultimately yielding SYSTEM-level access. The vulnerability affects Windows 10, Windows 11, and Windows Server 2016/2019/2022.
Recommendations
Apply the March 10, 2026 Patch Tuesday update to address this vulnerability.
Tags: Fix · LPE · Incorrect Permission
Affected Products: Windows