CVE-2026-24291

HIGH

Windows Accessibility Infrastructure - Privilege Escalation

Exploitation Summary

EIP tracks 4 public exploits for CVE-2026-24291. PoCs published by uname1able, tracyliving606, lennertdefauw.

AI-analyzed exploit summary: This repository contains a functional exploit for CVE-2026-24291, leveraging a Windows registry symlink vulnerability to manipulate registry keys. The exploit uses an oplock on a system file and registry manipulation to achieve privilege escalation.

Description

Incorrect permission assignment for critical resource in Windows Accessibility Infrastructure (ATBroker.exe) allows an authorized attacker to elevate privileges locally.

Exploits (4)

nomisec WORKING POC
by uname1able · poc
https://github.com/uname1able/CVE-2026-24291

This repository contains a functional exploit for CVE-2026-24291, leveraging a Windows registry symlink vulnerability to manipulate registry keys. The exploit uses an oplock on a system file and registry manipulation to achieve privilege escalation.

Classification: Working PoC 95%
Attack Type: LPE
Complexity: Complex
Reliability: Racy
Target: Windows 10 21H2 (19044.6937) amd64
Auth required
Prerequisites: Local access to the target system · Ability to execute code with sufficient privileges to manipulate registry keys
devstral-2 · analyzed Apr 09, 2026

nomisec SUSPICIOUS
by tracyliving606 · poc
https://github.com/tracyliving606/RegPwn

The repository claims to be a local privilege escalation exploit for CVE-2026-24291 but lacks actual exploit code in the provided files. The README directs users to download an executable from GitHub releases, which is a common tactic for distributing malware.

Classification: Suspicious 90%
Attack Type: LPE
Complexity: Theoretical
Reliability: Theoretical
Target: Windows 10, Windows 11, Windows Server 2016/2019/2022
Auth required
Prerequisites: Administrator access · Windows 10/11 or Windows Server 2016/2019/2022
devstral-2 · analyzed Apr 09, 2026

nomisec WORKING POC
by lennertdefauw · poc
https://github.com/lennertdefauw/CVE-2026-24291

This repository contains a functional exploit for CVE-2026-24291, which leverages a registry manipulation vulnerability to achieve local privilege escalation (LPE) on Windows systems. The exploit includes a Go-based payload that creates a local administrator account and a C# tool (RegPwn) that manipulates registry keys to trigger the vulnerability.

Classification: Working PoC 95%
Attack Type: LPE
Complexity: Moderate
Reliability: Reliable
Target: Windows (specific version not specified)
Auth required
Prerequisites: Local access to a vulnerable Windows system · Ability to execute code with sufficient privileges to manipulate registry keys
devstral-2 · analyzed Mar 19, 2026

nomisec WORKING POC
by n0isegat3 · poc
https://github.com/n0isegat3/RegPwnBRc4BOF

This repository contains a functional Brute Ratel C4 BOF (Beacon Object File) exploit for CVE-2026-24291, which leverages a registry symlink race condition in Windows Accessibility ATConfig to escalate privileges. The exploit targets the `msiserver` service's `ImagePath` to achieve local privilege escalation on unpatched Windows systems.

Classification: Working PoC 95%
Attack Type: LPE
Complexity: Moderate
Reliability: Racy
Target: Windows 11 25H2/24H2, Windows 10 21H2, Windows Server 2016/2019/2022 (pre-March 2026 patch)
No auth needed
Prerequisites: Unpatched Windows system · Normal user context
devstral-2 · analyzed Mar 19, 2026

Scores

CVSS v3: 7.8
EPSS: 0.0324
EPSS Percentile: 86.6%
Attack Vector: LOCAL
Vector string: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Source: Vulnrichment
Exploitation: none
Automatable: no
Technical Impact: total

Details

CWE: CWE-732
Status: published
Products (37):
Microsoft/Windows 10 Version 1607 10.0.14393.0 - 10.0.14393.8957
Microsoft/Windows 10 Version 1809 10.0.17763.0 - 10.0.17763.8511
Microsoft/Windows 10 Version 21H2 10.0.19044.0 - 10.0.19044.7058
Microsoft/Windows 10 Version 22H2 10.0.19045.0 - 10.0.19045.7058
Microsoft/Windows 11 version 22H3 10.0.22631.0 - 10.0.22631.6783
Microsoft/Windows 11 Version 23H2 10.0.22631.0 - 10.0.22631.6783
Microsoft/Windows 11 Version 24H2 10.0.26100.0 - 10.0.26100.8037
Microsoft/Windows 11 Version 25H2 10.0.26200.0 - 10.0.26200.8037
Microsoft/Windows 11 version 26H1 10.0.28000.0 - 10.0.28000.1719
Microsoft/Windows 11 Version 26H1 10.0.28000.0 - 10.0.28000.1719
... and 27 more
Published Mar 10, 2026
Tracked Since Mar 11, 2026