PT-2026-7395 · Microsoft · Windows Storage

Oscar Zanotti Camp · Published 2026-02-10 · Updated 2026-03-31 · CVE-2026-21508

CVSS v3.1: 7.0 (High)
Vector: AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

Windows (affected versions not specified)

Description

An improper authentication issue in Windows Storage can allow an attacker to elevate privileges locally. The issue involves forcing a system process that uses the undocumented function Windows Storage!SHCoCreateInstance to create an arbitrary COM object. This is achieved by manipulating the first argument of a CoCreateInstance call. The vulnerability requires the COM object to be associated with a registered COM class supporting CLSCTX_INPROC_SERVER.

Recommendations

At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Exploit

LPE

Improper Authentication

Untrusted Search Path

Weakness Enumeration

Related Identifiers

BDU:2026-01809
CVE-2026-21508

Affected Products

Windows
Windows Storage