CVE-2026-21224: Azure Connected Machine Agent Elevation of Privilege Vulnerability

Overview

Severity

High (CVSS 7.8)

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C

Category

Elevation of Privilege

Exploit Status

Not Exploited

Exploitation Likelihood

Less Likely

Patch Tuesday

2026-Jan

Released

2026-01-13

EPSS Score

0.07% (percentile: 20.4%)

Description

Stack-based buffer overflow in Azure Connected Machine Agent allows an authorized attacker to elevate privileges locally.

FAQ

What privileges could be gained by an attacker who successfully exploited this vulnerability? An attacker who successfully exploited this vulnerability could gain SYSTEM privileges. According to the CVSS metric, the attack vector is local (AV:L). What does that mean for this vulnerability? An attacker could trigger this vulnerability remotely by having valid permissions on the Azure Resource Manager (ARM) API to access the Azure Relay. In the worst case scenario, an attacker could locally trigger this vulnerability by running code as a lower-privileged user on the same computer that Azure Arc is running on (AV:L). When multiple attack vectors can be used, we assign a score based on the scenario with the higher risk.

Affected Products (1)

Azure

• Azure Connected Machine Agent

Security Updates (2)

• Release Notes
• Release Notes

Acknowledgments

<a href="https://www.linkedin.com/in/amir-gombo-39771b25a/">Amir Gombo</a> with Microsoft, Yonatan Migdal with Microsoft

Revision History

• 2026-01-13: Information published.