{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-21257", "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", "state": "PUBLISHED", "assignerShortName": "microsoft", "dateReserved": "2025-12-11T21:02:05.737Z", "datePublished": "2026-02-10T17:51:37.741Z", "dateUpdated": "2026-05-11T21:25:38.855Z"}, "containers": {"cna": {"title": "GitHub Copilot and Visual Studio Elevation of Privilege Vulnerability", "datePublic": "2026-02-10T16:00:00.000Z", "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:microsoft:visual_studio_2022:*:*:*:*:*:*:*:*", "versionStartIncluding": "17.14.0", "versionEndExcluding": "17.14.26"}, {"vulnerable": true, "criteria": "cpe:2.3:a:microsoft:visual_studio_2026:*:*:*:*:*:*:*:*", "versionStartIncluding": "18.3.0", "versionEndExcluding": "18.3.0"}]}]}], "affected": [{"vendor": "Microsoft", "product": "Microsoft Visual Studio 2022 version 17.14", "versions": [{"version": "17.14.0", "lessThan": "17.14.26", "versionType": "custom", "status": "affected"}]}, {"vendor": "Microsoft", "product": "Microsoft Visual Studio 2026 version 18.3", "versions": [{"version": "18.3.0", "lessThan": "18.3.0", "versionType": "custom", "status": "affected"}]}], "descriptions": [{"value": "Improper neutralization of special elements used in a command ('command injection') in GitHub Copilot and Visual Studio allows an authorized attacker to elevate privileges over a network.", "lang": "en-US"}], "problemTypes": [{"descriptions": [{"description": "CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')", "lang": "en-US", "type": "CWE", "cweId": "CWE-77"}]}], "providerMetadata": {"orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", "shortName": "microsoft", "dateUpdated": "2026-05-11T21:25:38.855Z"}, "references": [{"name": "GitHub Copilot and Visual Studio Elevation of Privilege Vulnerability", "tags": ["vendor-advisory", "patch"], "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-21257"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en-US", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "baseSeverity": "HIGH", "baseScore": 8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C"}}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-21257", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-02-11T04:56:11.224956Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-26T14:44:43.502Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-21257", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-02-11T04:56:11.224956Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-25T15:43:02.734Z"}}], "cna": {"title": "GitHub Copilot and Visual Studio Elevation of Privilege Vulnerability", "metrics": [{"format": "CVSS", "cvssV3_1": {"version": "3.1", "baseScore": 8, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C"}, "scenarios": [{"lang": "en-US", "value": "GENERAL"}]}], "affected": [{"vendor": "Microsoft", "product": "Microsoft Visual Studio 2022 version 17.14", "versions": [{"status": "affected", "version": "17.14.0", "lessThan": "17.14.26", "versionType": "custom"}]}, {"vendor": "Microsoft", "product": "Microsoft Visual Studio 2026 version 18.3", "versions": [{"status": "affected", "version": "18.3.0", "lessThan": "18.3.0", "versionType": "custom"}]}], "datePublic": "2026-02-10T16:00:00.000Z", "references": [{"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-21257", "name": "GitHub Copilot and Visual Studio Elevation of Privilege Vulnerability", "tags": ["vendor-advisory", "patch"]}], "descriptions": [{"lang": "en-US", "value": "Improper neutralization of special elements used in a command ('command injection') in GitHub Copilot and Visual Studio allows an authorized attacker to elevate privileges over a network."}], "problemTypes": [{"descriptions": [{"lang": "en-US", "type": "CWE", "cweId": "CWE-77", "description": "CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')"}]}], "cpeApplicability": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:microsoft:visual_studio_2022:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "17.14.26", "versionStartIncluding": "17.14.0"}, {"criteria": "cpe:2.3:a:microsoft:visual_studio_2026:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "18.3.0", "versionStartIncluding": "18.3.0"}], "operator": "OR"}]}], "providerMetadata": {"orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", "shortName": "microsoft", "dateUpdated": "2026-05-11T21:25:38.855Z"}}}, "cveMetadata": {"cveId": "CVE-2026-21257", "state": "PUBLISHED", "dateUpdated": "2026-05-11T21:25:38.855Z", "dateReserved": "2025-12-11T21:02:05.737Z", "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", "datePublished": "2026-02-10T17:51:37.741Z", "assignerShortName": "microsoft"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:microsoft:visual_studio_2022:*:*:*:*:*:-:*:*", "matchCriteriaId": "D5D30CC7-E672-4D7F-B1BA-2D56DC36109C", "versionEndExcluding": "17.14.26", "versionStartIncluding": "17.14.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Improper neutralization of special elements used in a command ('command injection') in GitHub Copilot and Visual Studio allows an authorized attacker to elevate privileges over a network."}], "id": "CVE-2026-21257", "lastModified": "2026-02-11T19:47:12.797", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.0, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.1, "impactScore": 5.9, "source": "secure@microsoft.com", "type": "Primary"}]}, "published": "2026-02-10T18:16:27.483", "references": [{"source": "secure@microsoft.com", "tags": ["Vendor Advisory"], "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-21257"}], "sourceIdentifier": "secure@microsoft.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-77"}], "source": "secure@microsoft.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[17.14.0,17.14.26)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[18.3.0,18.3.0)"}}], "product": "visual_studio_2022", "vendor": "microsoft"}], "analysis": {"en": {"generated_at": "2026-04-15T16:24:50.929347+00:00", "value": {"mitigation_remediation": ["Apply the vendor\u2011supplied update that mitigates command injection in Visual Studio 2022 17.14 and Visual Studio 2026 18.3.", "If a patch is not yet available, temporarily disable the GitHub Copilot extension in Visual Studio to eliminate the code path that can be exploited.", "Review and enforce least\u2011privilege permissions for developers, restrict network\u2011level privilege escalation capabilities, and monitor for anomalous command execution."], "summary": {"action": "Patch Now", "impact": "Elevation of Privilege"}, "threat_synthesis": {"affected_systems": "Microsoft Visual Studio 2022 version 17.14 and Microsoft Visual Studio 2026 version 18.3 are affected by the vulnerability. The issue arises in the environment that processes GitHub Copilot requests in these versions.", "description_and_impact": "An attacker who already has legitimate access can exploit a command injection flaw in the integration between GitHub Copilot and Visual Studio. The flaw is caused by improper neutralization of special command elements, allowing the attacker to execute arbitrary commands with elevated privileges across a network. This can lead to unauthorized system access, data exposure, or further lateral movement within the organization.", "risk_and_exploitability": "The vulnerability has a CVSS score of 8, indicating a high severity. The EPSS indicates less than 1% probability of exploitation at this time, and it is not listed in the CISA KEV catalog. The attack requires an authorized user within the development environment and likely demands authentication and the ability to invoke Copilot. Defense measures should consider the elevated privilege vector and the potential for command execution across the network."}}}}, "created": "2026-02-10T21:33:42.926854+00:00", "updated": "2026-04-15T17:45:10.798785+00:00", "vendors": ["microsoft", "microsoft$PRODUCT$visual_studio_2022"]}