CVE-2026-27928
Published: 14 April 2026
Description
Improper input validation in Windows Hello allows an unauthorized attacker to bypass a security feature over a network.
Mitigating Controls (NIST 800-53 r5)AI
Directly requires validation of all information inputs to the Windows Hello biometric authentication system, comprehensively addressing the improper input validation (CWE-20) vulnerability exploited over the network.
Mandates unique identification and authentication for organizational users via robust mechanisms like Windows Hello, preventing unauthorized bypass of biometric security features.
Requires timely identification, reporting, and remediation of flaws such as CVE-2026-27928 through patching, directly countering the vulnerability per MSRC guidance.
Security SummaryAI
CVE-2026-27928 is an improper input validation vulnerability (CWE-20) affecting Windows Hello, a biometric authentication feature in Microsoft Windows. Published on 2026-04-14T18:17:04.170, it carries a CVSS v3.1 base score of 8.7 (AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N), indicating high severity due to its network accessibility and potential for significant confidentiality and integrity impacts.
An unauthorized attacker with network access can exploit this vulnerability despite high attack complexity, requiring no privileges or user interaction. Exploitation enables bypassing a security feature in Windows Hello, resulting in high confidentiality and integrity violations within a changed scope.
The Microsoft Security Response Center advisory at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-27928 provides details on mitigation and patching guidance.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The vulnerability allows bypassing Windows Hello, a biometric authentication security feature, via improper input validation, directly mapping to exploitation of software vulnerabilities for defense evasion.