CVE-2026-21249 is a vulnerability classified under CWE-73 (External Control of File Name or Path) affecting Microsoft Windows 10 Version 1607 (build 10.0.14393.0). The issue arises from improper handling of file names or paths within the NTLM authentication mechanism, which can be externally influenced by an attacker with local access. This flaw enables an attacker to perform spoofing attacks locally by manipulating file paths or names that the system uses during authentication or related processes. The vulnerability does not require privileges or elevated permissions but does require user interaction, such as triggering a process that uses NTLM authentication with manipulated paths. The CVSS v3.1 score is 3.3, reflecting low severity due to limited impact on confidentiality, no impact on integrity or availability, and the requirement for local access and user interaction. No known exploits have been reported in the wild, and no patches have been published yet. The vulnerability is particularly relevant for legacy systems still running Windows 10 Version 1607, which is an older release with extended support that some organizations may still use. The flaw could be leveraged to mislead authentication processes or cause confusion in file handling, potentially facilitating further local attacks or privilege escalation chains if combined with other vulnerabilities.

The primary impact of CVE-2026-21249 is limited to local spoofing attacks that could undermine the confidentiality of authentication processes by manipulating file paths or names used in NTLM authentication. While the vulnerability does not directly compromise system integrity or availability, it could enable attackers to impersonate legitimate processes or users locally, potentially facilitating additional attacks or unauthorized access escalation. Organizations relying on Windows 10 Version 1607 in environments where local user access is not tightly controlled are at higher risk. The limited scope and requirement for user interaction reduce the overall risk, but legacy systems in critical infrastructure or sensitive environments could face targeted exploitation attempts. Since no known exploits are currently in the wild, the immediate threat is low, but the vulnerability highlights the importance of maintaining updated systems and monitoring local user activities to prevent exploitation.

1. Restrict local user permissions to the minimum necessary to reduce the risk of local exploitation. 2. Monitor and audit local file system activities and NTLM authentication events for unusual or suspicious file path manipulations. 3. Disable or limit the use of NTLM authentication where possible, migrating to more secure authentication protocols such as Kerberos. 4. Apply security best practices for legacy systems, including network segmentation and limiting local access to trusted users only. 5. Stay alert for official patches or updates from Microsoft addressing this vulnerability and apply them promptly once available. 6. Educate users about the risks of interacting with untrusted local processes or files that could trigger the vulnerability. 7. Consider upgrading from Windows 10 Version 1607 to a more recent, supported version of Windows to eliminate exposure to this and other legacy vulnerabilities.