CVE-2026-21522: Microsoft ACI Confidential Containers Elevation of Privilege Vulnerability

Overview

Severity

Medium (CVSS 6.7)

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C

Category

Elevation of Privilege

Exploit Status

Not Exploited

Exploitation Likelihood

Less Likely

Patch Tuesday

2026-Feb

Released

2026-02-10

EPSS Score

0.04% (percentile: 13.5%)

Description

Improper neutralization of special elements used in a command ('command injection') in Azure Compute Gallery allows an authorized attacker to elevate privileges locally.

FAQ

What privileges could be gained by an attacker who successfully exploited the vulnerability? An attacker who exploited this vulnerability could execute arbitrary commands within the affected ACI container’s context, allowing them to run code with the same privileges as the compromised container. In confidential‑container scenarios, this could also let an attacker access sensitive secrets or data protected by the attested environment.

Affected Products (1)

Azure

• Microsoft ACI Confidential Containers

Security Updates (1)

• Release Notes

Acknowledgments

<a href="https://x.com/yuvalavra">Yuval Avrahami</a>

Revision History

• 2026-02-10: Information published.