CVE-2026-24288: Windows Mobile Broadband Driver Remote Code Execution Vulnerability
Overview
- Severity
- Medium (CVSS 6.8)
- CVSS Vector
- CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
- Category
- Remote Code Execution
- Exploit Status
- Not Exploited
- Exploitation Likelihood
- Less Likely
- Patch Tuesday
- 2026-Mar
- Released
- 2026-03-10
- EPSS Score
- 0.06% (percentile: 17.9%)
Description
Heap-based buffer overflow in Windows Mobile Broadband allows an unauthorized attacker to execute code with a physical attack.
FAQ
According to the CVSS metric, the attack vector is physical (AV:P). What does that mean for this vulnerability?
A physical attack vector means the attacker must have direct physical access to the device in order to exploit the vulnerability. In this case, the issue can only be triggered by physically connecting or manipulating hardware that interacts with the affected system. Remote or network‑based attacks are not possible for this vulnerability.
Affected Products (6)
Windows
- Windows 10 Version 21H2 for 32-bit Systems
- Windows 10 Version 21H2 for ARM64-based Systems
- Windows 10 Version 21H2 for x64-based Systems
ESU
- Windows 10 Version 22H2 for x64-based Systems
- Windows 10 Version 22H2 for ARM64-based Systems
- Windows 10 Version 22H2 for 32-bit Systems
Security Updates (1)
Acknowledgments
Nicolas Delhaye with <a href="https://cyber.airbus.com/">Airbus</a>
Revision History
- 2026-03-10: Information published.