CVE-2026-27910: Privilege Escalation in Windows Installer
Platform: windows
Component: windows-installer
Fixed in: 10.0.28000.1836
CVE-2026-27910 describes a privilege escalation vulnerability within the Windows Installer component. This flaw allows an authenticated attacker to elevate their privileges locally, potentially gaining control over the system. The vulnerability impacts Windows versions 10.0.14393.0 through 10.0.28000.1836. Microsoft has released a patch in version 10.0.28000.1836 to address this issue.
Impact and Attack Scenarios
Successful exploitation of CVE-2026-27910 could allow an attacker with existing local access to significantly escalate their privileges. This means an attacker who has already compromised a user account could gain SYSTEM-level access, effectively taking complete control of the affected machine. The attacker could then install malware, steal sensitive data, modify system configurations, or create new user accounts with elevated privileges. The blast radius extends to any data or resources accessible by the SYSTEM account, which is typically everything on the machine. While no specific real-world exploits have been publicly linked to this vulnerability yet, privilege escalation flaws are frequently targeted by attackers seeking to expand their foothold within a network.
Exploitation Context
CVE-2026-27910 was published on April 14, 2026. Its severity is rated HIGH (CVSS 7.8). As of this writing, the vulnerability is not listed on the CISA Known Exploited Vulnerabilities (KEV) catalog or EPSS, indicating a low to medium probability of active exploitation. No public proof-of-concept (POC) code has been released, but the nature of privilege escalation vulnerabilities makes it a likely target for exploitation in the future.
Threat Intelligence
EPSS: 0.04% (14th percentile)
CVSS Vector
- Attack Vector: Local. Attacker needs a local shell or interactive session on the system.
- Attack Complexity: Low. No special conditions required. Attacker can exploit reliably without depending on rare configurations or timing.
- Privileges Required: Low. Any valid user account is sufficient. Basic authenticated access required.
- User Interaction: None. Attack is automatic and silent. Victim does nothing: no click, no file open.
- Scope: Unchanged. Impact is limited to the vulnerable component itself.
- Confidentiality: High. Complete confidentiality loss. Attacker can read all data: credentials, keys, personal data.
- Integrity: High. Attacker can write, modify, or delete any data: databases, config files, or code.
- Availability: High. Complete crash or resource exhaustion. Full denial of service.
Mitigation and Workarounds
The primary mitigation for CVE-2026-27910 is to upgrade to Windows version 10.0.28000.1836 or later, which includes the security patch. If immediate patching is not feasible, consider restricting access to the Windows Installer service to only authorized users and processes. Implement least privilege principles across the system to limit the potential impact of a successful exploit. Monitor system logs for unusual activity related to the Windows Installer service, such as unexpected process creations or file modifications. While a WAF or proxy cannot directly mitigate this vulnerability, network segmentation can limit lateral movement if a system is compromised.
How to fix
Apply the security updates provided by Microsoft for Windows 10. These updates correct the way Windows Installer handles permissions, preventing privilege escalation. Consult the Microsoft security bulletin for detailed instructions on installing the updates.
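To confirm whether a host is at or above the fixed build, the following PowerShell check compares a version against the affected range and fixed build stated on this page. It is an added example, not code from Microsoft or from this page; the function names and status strings are hypothetical, and the registry read assumes Windows 10 or later.

```powershell
# Added example: classify a Windows build against the versions this page
# lists for CVE-2026-27910. Only the two version strings come from the page.
$FirstAffected = [version]'10.0.14393.0'
$FixedIn       = [version]'10.0.28000.1836'

function Get-LocalOsVersion {
    # Build number and update revision (UBR) as recorded in the registry.
    # Assumes Windows 10 or later, where CurrentMajorVersionNumber exists.
    $cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    [version]('{0}.{1}.{2}.{3}' -f $cv.CurrentMajorVersionNumber,
        $cv.CurrentMinorVersionNumber, $cv.CurrentBuildNumber, $cv.UBR)
}

function Test-InstallerCveExposure {
    # Hypothetical helper: returns a status string for one OS version.
    param([Parameter(Mandatory)][version]$OsVersion)

    if ($OsVersion -lt $FirstAffected) { return 'BelowListedRange' }
    if ($OsVersion -ge $FixedIn)       { return 'AtOrAboveFixedBuild' }
    if ($OsVersion.Build -eq $FixedIn.Build) { return 'BelowFixedRevision' }
    # Other servicing branches receive their own patched revision, which
    # this page does not list; confirm those against the MSRC advisory.
    return 'InListedRange-CheckAdvisory'
}

# Constructed sample versions, followed by the local machine's version.
$samples = '10.0.10240.20000', '10.0.19045.5000', '10.0.28000.1500', '10.0.28000.1836'
$all = @($samples) + (Get-LocalOsVersion).ToString()
foreach ($v in $all) {
    '{0,-20} {1}' -f $v, (Test-InstallerCveExposure -OsVersion $v)
}
```

A result of `InListedRange-CheckAdvisory` means the build falls inside the range given here but on a different branch than the listed fixed build, so the installed update must be verified against the Microsoft advisory rather than this single number.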
Frequently asked questions
What is CVE-2026-27910 — Privilege Escalation in Windows Installer?
CVE-2026-27910 is a security vulnerability in the Windows Installer component that allows an authenticated attacker to gain elevated local privileges on affected systems. It is rated HIGH severity due to its potential impact.
Am I affected by CVE-2026-27910 in Windows Installer?
You are potentially affected if you are running Windows 10 versions 10.0.14393.0 through 10.0.28000.1836 and have not yet applied the security update.
How do I fix CVE-2026-27910 in Windows Installer?
The recommended fix is to upgrade to Windows version 10.0.28000.1836 or later, which includes the security patch. Ensure your systems are regularly patched to prevent future vulnerabilities.
Is CVE-2026-27910 being actively exploited?
Currently, there are no publicly known active campaigns exploiting CVE-2026-27910, but the nature of privilege escalation vulnerabilities makes it a potential target for future attacks.
Where can I find the official Microsoft advisory for CVE-2026-27910?
Please refer to the Microsoft Security Update Guide for the latest information and advisory related to CVE-2026-27910: [https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-27910](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-27910)