{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-21219", "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", "state": "PUBLISHED", "assignerShortName": "microsoft", "dateReserved": "2025-12-11T21:02:05.731Z", "datePublished": "2026-01-13T17:56:55.396Z", "dateUpdated": "2026-04-01T13:49:05.986Z"}, "containers": {"cna": {"title": "Inbox COM Objects (Global Memory) Remote Code Execution Vulnerability", "datePublic": "2026-01-13T16:00:00.000Z", "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:microsoft:.windows_sdk:*:*:*:*:*:*:*:*", "versionStartIncluding": "26100", "versionEndExcluding": "10.0.26100.7463"}]}]}], "affected": [{"vendor": "Microsoft", "product": "Windows SDK", "versions": [{"version": "26100", "lessThan": "10.0.26100.7463", "versionType": "custom", "status": "affected"}]}], "descriptions": [{"value": "Use after free in Inbox COM Objects allows an unauthorized attacker to execute code locally.", "lang": "en-US"}], "problemTypes": [{"descriptions": [{"description": "CWE-416: Use After Free", "lang": "en-US", "type": "CWE", "cweId": "CWE-416"}]}], "providerMetadata": {"orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", "shortName": "microsoft", "dateUpdated": "2026-04-01T13:49:05.986Z"}, "references": [{"name": "Inbox COM Objects (Global Memory) Remote Code Execution Vulnerability", "tags": ["vendor-advisory", "patch"], "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-21219"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en-US", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "baseSeverity": "HIGH", "baseScore": 7, "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C"}}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-21219", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-01-14T04:56:07.290291Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-26T15:04:23.124Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-21219", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-01-14T04:56:07.290291Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-13T20:18:44.892Z"}}], "cna": {"title": "Inbox COM Objects (Global Memory) Remote Code Execution Vulnerability", "metrics": [{"format": "CVSS", "cvssV3_1": {"version": "3.1", "baseScore": 7, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C"}, "scenarios": [{"lang": "en-US", "value": "GENERAL"}]}], "affected": [{"vendor": "Microsoft", "product": "Windows SDK", "versions": [{"status": "affected", "version": "26100", "lessThan": "10.0.26100.7463", "versionType": "custom"}]}], "datePublic": "2026-01-13T16:00:00.000Z", "references": [{"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-21219", "name": "Inbox COM Objects (Global Memory) Remote Code Execution Vulnerability", "tags": ["vendor-advisory", "patch"]}], "descriptions": [{"lang": "en-US", "value": "Use after free in Inbox COM Objects allows an unauthorized attacker to execute code locally."}], "problemTypes": [{"descriptions": [{"lang": "en-US", "type": "CWE", "cweId": "CWE-416", "description": "CWE-416: Use After Free"}]}], "cpeApplicability": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:microsoft:.windows_sdk:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "10.0.26100.7463", "versionStartIncluding": "26100"}], "operator": "OR"}]}], "providerMetadata": {"orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", "shortName": "microsoft", "dateUpdated": "2026-04-01T13:49:05.986Z"}}}, "cveMetadata": {"cveId": "CVE-2026-21219", "state": "PUBLISHED", "dateUpdated": "2026-04-01T13:49:05.986Z", "dateReserved": "2025-12-11T21:02:05.731Z", "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", "datePublished": "2026-01-13T17:56:55.396Z", "assignerShortName": "microsoft"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:microsoft:windows_software_development_kit:*:*:*:*:*:*:*:*", "matchCriteriaId": "238CF4D4-B147-493E-861A-4912190B0281", "versionEndExcluding": "10.0.26100.7463", "versionStartIncluding": "10.0.26100", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Use after free in Inbox COM Objects allows an unauthorized attacker to execute code locally."}], "id": "CVE-2026-21219", "lastModified": "2026-02-09T20:37:59.127", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.0, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.0, "impactScore": 5.9, "source": "secure@microsoft.com", "type": "Primary"}]}, "published": "2026-01-13T18:16:24.580", "references": [{"source": "secure@microsoft.com", "tags": ["Vendor Advisory"], "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-21219"}], "sourceIdentifier": "secure@microsoft.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-416"}], "source": "secure@microsoft.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-16T08:10:39.560286+00:00", "value": {"mitigation_remediation": ["Download and install the latest Windows SDK update that addresses the use\u2011after\u2011free flaw.", "If an update cannot be applied immediately, uninstall or block the Windows SDK\u2019s Inbox COM components to prevent exploitation.", "Enforce the principle of least privilege by limiting which users and applications can load COM objects, reducing the risk of an attacker exploiting the flaw."], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "The affected product is the Microsoft Windows SDK, as identified by the CNA\u2019s product list. Specific version information is not supplied in the advisory, so administrators should verify whether their installed SDK includes the Inbox COM objects and determine if the vulnerability applies to their environment.", "description_and_impact": "This vulnerability is a use\u2011after\u2011free flaw in the Inbox COM objects provided with the Microsoft Windows Software Development Kit. The flaw permits an attacker to supply malicious input that frees an object and then re\u2011uses the freed memory, enabling the execution of arbitrary code on the local host. The vulnerability is classified as CWE\u2011416 (Use After Free). Although the advisory states the code is executed locally, the CVE title and typical behavior of COM components imply that remote exploitation may be possible if the attacker can trigger the vulnerable object from a remote service or application.", "risk_and_exploitability": "The CVSS score of 7 indicates moderate severity. The EPSS score is less than 1\u202f%, implying a very low probability that active exploitation is occurring in the wild. The vulnerability is not currently listed in the CISA KEV catalog. Exploitation requires the attacker to obtain a privilege level that can instantiate the vulnerable COM object, typically through a local user account or a compromised application. This indicates a local or privilege\u2011escalation attack surface, while remote exploitation would require additional context on how Outlook or similar components interact with the SDK. Based on the description, it is inferred that the attacker must be able to run code in a context that can load or manipulate the problematic COM object."}}}}, "created": "2026-04-16T08:15:29.660199+00:00", "updated": "2026-04-16T08:15:29.660209+00:00", "vendors": []}