{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-21517", "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", "state": "PUBLISHED", "assignerShortName": "microsoft", "dateReserved": "2025-12-30T18:10:54.845Z", "datePublished": "2026-02-10T17:51:15.940Z", "dateUpdated": "2026-05-11T21:25:14.766Z"}, "containers": {"cna": {"title": "Windows App for Mac Installer Elevation of Privilege Vulnerability", "datePublic": "2026-02-10T16:00:00.000Z", "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:microsoft:windows_app_for_mac:*:*:*:*:*:*:*:*", "versionStartIncluding": "11.0.0", "versionEndExcluding": "11.3.2"}]}]}], "affected": [{"vendor": "Microsoft", "product": "Windows App for Mac", "versions": [{"version": "11.0.0", "lessThan": "11.3.2", "versionType": "custom", "status": "affected"}]}], "descriptions": [{"value": "Improper link resolution before file access ('link following') in Windows App for Mac allows an authorized attacker to elevate privileges locally.", "lang": "en-US"}], "problemTypes": [{"descriptions": [{"description": "CWE-59: Improper Link Resolution Before File Access ('Link Following')", "lang": "en-US", "type": "CWE", "cweId": "CWE-59"}]}], "providerMetadata": {"orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", "shortName": "microsoft", "dateUpdated": "2026-05-11T21:25:14.766Z"}, "references": [{"name": "Windows App for Mac Installer Elevation of Privilege Vulnerability", "tags": ["vendor-advisory", "patch"], "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-21517"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en-US", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "baseSeverity": "MEDIUM", "baseScore": 4.7, "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C"}}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-21517", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-02-11T04:56:05.305226Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-26T15:04:06.330Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-21517", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-02-11T04:56:05.305226Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-25T15:43:45.440Z"}}], "cna": {"title": "Windows App for Mac Installer Elevation of Privilege Vulnerability", "metrics": [{"format": "CVSS", "cvssV3_1": {"version": "3.1", "baseScore": 4.7, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C"}, "scenarios": [{"lang": "en-US", "value": "GENERAL"}]}], "affected": [{"vendor": "Microsoft", "product": "Windows App for Mac", "versions": [{"status": "affected", "version": "11.0.0", "lessThan": "11.3.2", "versionType": "custom"}]}], "datePublic": "2026-02-10T16:00:00.000Z", "references": [{"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-21517", "name": "Windows App for Mac Installer Elevation of Privilege Vulnerability", "tags": ["vendor-advisory", "patch"]}], "descriptions": [{"lang": "en-US", "value": "Improper link resolution before file access ('link following') in Windows App for Mac allows an authorized attacker to elevate privileges locally."}], "problemTypes": [{"descriptions": [{"lang": "en-US", "type": "CWE", "cweId": "CWE-59", "description": "CWE-59: Improper Link Resolution Before File Access ('Link Following')"}]}], "cpeApplicability": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:microsoft:windows_app_for_mac:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "11.3.2", "versionStartIncluding": "11.0.0"}], "operator": "OR"}]}], "providerMetadata": {"orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", "shortName": "microsoft", "dateUpdated": "2026-05-11T18:09:53.764Z"}}}, "cveMetadata": {"cveId": "CVE-2026-21517", "state": "PUBLISHED", "dateUpdated": "2026-05-11T18:09:53.764Z", "dateReserved": "2025-12-30T18:10:54.845Z", "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", "datePublished": "2026-02-10T17:51:15.940Z", "assignerShortName": "microsoft"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:microsoft:windows_app:*:*:*:*:*:macos:*:*", "matchCriteriaId": "8C81186C-577F-4B6F-B6DD-FEECB522A946", "versionEndExcluding": "11.3.2", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Improper link resolution before file access ('link following') in Windows App for Mac allows an authorized attacker to elevate privileges locally."}, {"lang": "es", "value": "Resoluci\u00f3n de enlaces incorrecta antes del acceso a archivos (seguimiento de enlaces) en la aplicaci\u00f3n de Windows para Mac permite a un atacante autorizado elevar privilegios localmente."}], "id": "CVE-2026-21517", "lastModified": "2026-02-25T14:20:17.450", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 4.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 1.0, "impactScore": 3.6, "source": "secure@microsoft.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.0, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.0, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-02-10T18:16:34.110", "references": [{"source": "secure@microsoft.com", "tags": ["Vendor Advisory"], "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-21517"}], "sourceIdentifier": "secure@microsoft.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-59"}], "source": "secure@microsoft.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[11.0.0,11.3.2)"}}], "product": "windows_app_for_mac", "vendor": "microsoft"}], "analysis": {"en": {"generated_at": "2026-04-15T18:40:07.700030+00:00", "value": {"mitigation_remediation": ["Check Microsoft\u2019s update center or the Windows App for Mac website for the latest patch or release that addresses the improper link resolution flaw.", "If a vendor update is not immediately available, restrict local user accounts that have write access to the app\u2019s installation directory or use OS-level file permissions to limit potential path traversal.", "Consider disabling or removing the Windows App for Mac until a patched version is deployed to eliminate the elevation vector."], "summary": {"action": "Apply patch", "impact": "Local Privilege Escalation"}, "threat_synthesis": {"affected_systems": "The vulnerability impacts Microsoft Windows App for Mac running on macOS. No specific affected versions are listed, so all installations of the product may be at risk until a vendor change is issued.", "description_and_impact": "An improper link resolution step in Windows App for Mac, also known as link following, enables an attacker who already has local access to the system to elevate their privileges. The flaw falls under CWE-59, where a pathname is not properly restricted before being dereferenced. The resulting privilege escalation can allow the attacker to gain higher rights on the host, potentially affecting the confidentiality, integrity, and availability of local data and services.", "risk_and_exploitability": "The CVSS score of 4.7 denotes moderate severity, and the EPSS value of less than 1% indicates a very low probability of exploitation under current conditions. The flaw is not catalogued in CISA\u2019s KEV list. Based on the description, the attack requires the attacker to already have authorized local access; no remote or network-based entry vector is disclosed. The lack of a known workaround or public exploit suggests that risk is largely mitigated by ensuring that the app is updated to a version where the link resolution is correctly handled."}}}}, "created": "2026-02-11T21:52:18.126122+00:00", "updated": "2026-04-15T18:45:11.447962+00:00", "vendors": ["microsoft", "microsoft$PRODUCT$windows_app_for_mac"]}