CVE-2026-33828: Windows Device Health Attestation (DHA) Elevation of Privilege Vulnerability
Trust boundary violation in Windows Attestation allows an authorized attacker to elevate privileges locally.
Metrics
- CVSS v3.1: 7.8
- Severity: HIGH
- Fixed in: 10.0.14393.9234 (Windows 10 Version 1607 / Windows Server 2016 branch; every other affected branch has its own fixed build, listed under Fix available below)
- Affected Products: 16
HarborGuard Analysis
Synopsis
A trust boundary violation in the Windows Device Health Attestation service allows local elevation of privilege on supported Windows 10, Windows 11 and Windows Server (2016 through 2025) builds. Exploitation is local: the attacker must already hold a low-privilege account or process on the target, and no network exposure or victim interaction is required. Successful exploitation gives the attacker full control over the host (CVSS C:H/I:H/A:H), including the ability to read, modify, and delete data or crash services. Patched-image rebuilds at the fixed Windows builds are available on HarborGuard for environments running an affected image.
HarborGuard Coverage
- Detection: Available. The CVE is ingested from upstream feeds within minutes of publication and matched against all customer container images, including custom-built Windows-based images, in both registry scans and pipeline checks.
- Scoring: Available. HarborGuard scores this vulnerability at CVSS 7.8 HIGH and can weight that score against each environment's compliance policy to surface the finding in the appropriate team inbox for prompt review.
- Patched-image rebuild: Available. A rebuild targeting the applicable fixed build (10.0.14393.9234, 10.0.17763.8880, 10.0.19044.7417, 10.0.19045.7417, 10.0.20348.5256, or the corresponding Windows 11 and Windows Server 2025 builds listed under Fix available) is available on HarborGuard for any environment running an affected base image. For customers who opt into auto-remediation, HarborGuard performs the rebuild, runs a regression test suite, and opens a pull request against affected workloads automatically.
Exploit Conditions
- Network reachability: Not required
The attacker needs an existing shell or process on the host; no network path to the service is required.
- Authentication: Required
Any low-privilege local account is sufficient; the attacker does not need administrative credentials.
- Victim interaction: Not required
No user interaction of any kind is needed; the attacker executes the exploit entirely on their own.
- Attack complexity: Low
Attack complexity is rated Low (AC:L): no race window, special configuration or environmental preparation outside the attacker's control is needed. Note that the vector's temporal metrics (E:U) indicate that no exploit code was known when the score was assigned, so "low complexity" describes the conditions of exploitation, not the availability of a working exploit.
Blast Radius
- Reads sensitive data accessible to the Windows Attestation service, including credentials, keys, and health-state records stored on the host.
- Modifies system files, configuration, and persisted data at an elevated privilege level.
- Deletes or corrupts files and audit logs that the compromised process can reach.
- Crashes or disables host services by exercising elevated control over process and resource management.
How HarborGuard Handles This
Available on HarborGuard: this CVE is matched against customer images within minutes of publication, covering both registry-resident and pipeline-built Windows base images. Where a customer image is pinned to an affected Windows 10 or Windows 11 build, a rebuilt image at the appropriate patched version is made available automatically. For customers with auto-remediation enabled, HarborGuard triggers a rebuild, executes a regression test run, and opens a pull request against affected workloads; for high-severity issues the median time from CVE publication to a merged patch PR is around 90 minutes in environments with auto-remediation active. Where compliance policy requires manual approval, the finding is routed to the designated team inbox with the CVSS 7.8 score and affected version range attached for rapid review.
Fix available
Each entry gives the affected product, the first affected build, and the first fixed build; any build below the fixed build is affected.
- Microsoft / Windows 10 Version 1607: affected from 10.0.14393.0, fixed in 10.0.14393.9234
- Microsoft / Windows 10 Version 1809: affected from 10.0.17763.0, fixed in 10.0.17763.8880
- Microsoft / Windows 10 Version 21H2: affected from 10.0.19044.0, fixed in 10.0.19044.7417
- Microsoft / Windows 10 Version 22H2: affected from 10.0.19045.0, fixed in 10.0.19045.7417
- Microsoft / Windows 11 version 23H2: affected from 10.0.22631.0, fixed in 10.0.22631.7219
- Microsoft / Windows 11 Version 23H2: affected from 10.0.22631.0, fixed in 10.0.22631.7219
- Microsoft / Windows 11 Version 24H2: affected from 10.0.26100.0, fixed in 10.0.26100.8655
- Microsoft / Windows 11 Version 25H2: affected from 10.0.26200.0, fixed in 10.0.26200.8655
- Microsoft / Windows 11 version 26H1: affected from 10.0.28000.0, fixed in 10.0.28000.2269
- Microsoft / Windows Server 2016: affected from 10.0.14393.0, fixed in 10.0.14393.9234
- Microsoft / Windows Server 2016 (Server Core installation): affected from 10.0.14393.0, fixed in 10.0.14393.9234
- Microsoft / Windows Server 2019: affected from 10.0.17763.0, fixed in 10.0.17763.8880
- Microsoft / Windows Server 2019 (Server Core installation): affected from 10.0.17763.0, fixed in 10.0.17763.8880
- Microsoft / Windows Server 2022: affected from 10.0.20348.0, fixed in 10.0.20348.5256
- Microsoft / Windows Server 2025: affected from 10.0.26100.0, fixed in 10.0.26100.32995
- Microsoft / Windows Server 2025 (Server Core installation): affected from 10.0.26100.0, fixed in 10.0.26100.32995
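Added example (not HarborGuard's matching logic or any Microsoft tooling): a Python check that classifies a four-part Windows build string against the per-branch fixed builds in the list above. The build string is assumed to come from the os.version field of a Windows container image's OCI config, or from CurrentBuildNumber and UBR under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion on a running host; the inventory at the bottom is constructed sample data. Because Windows Server 2025 shares the 26100 build base with Windows 11 24H2 but is listed with a different fixed build, the check takes an is_server flag rather than relying on the build number alone.

```python
"""Classify Windows builds against the fixed builds listed for CVE-2026-33828.

Added example, not HarborGuard's matching logic. A build string such as
"10.0.20348.4000" is expected to come from the os.version field of a Windows
container image's OCI config, or from CurrentBuildNumber plus UBR under
HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion on a running host.
"""
import re

# First fixed UBR (the fourth build component) per build base, copied from the
# "Fix available" list on this page. Client and server SKUs that share a base
# (14393, 17763) are listed with the same fixed build, so one entry covers both.
FIXED_UBR = {
    "10.0.14393": 9234,   # Windows 10 1607, Windows Server 2016
    "10.0.17763": 8880,   # Windows 10 1809, Windows Server 2019
    "10.0.19044": 7417,   # Windows 10 21H2
    "10.0.19045": 7417,   # Windows 10 22H2
    "10.0.20348": 5256,   # Windows Server 2022
    "10.0.22631": 7219,   # Windows 11 23H2
    "10.0.26100": 8655,   # Windows 11 24H2 (client)
    "10.0.26200": 8655,   # Windows 11 25H2
    "10.0.28000": 2269,   # Windows 11 26H1
}
# Windows Server 2025 shares the 26100 base with Windows 11 24H2 but is listed
# with its own fixed build, so server SKUs on that base are handled separately.
SERVER_2025_BASE = "10.0.26100"
SERVER_2025_FIXED_UBR = 32995

_BUILD_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)$")


def parse_build(build):
    """Split "major.minor.build.ubr" into ("major.minor.build", ubr)."""
    m = _BUILD_RE.match(build.strip())
    if not m:
        raise ValueError(f"not a four-part Windows build string: {build!r}")
    major, minor, number, ubr = (int(g) for g in m.groups())
    return f"{major}.{minor}.{number}", ubr


def cve_2026_33828_status(build, is_server=False):
    """Return "affected", "fixed" or "not-listed" for one build string.

    "not-listed" means the build base is absent from the advisory's table (for
    example an end-of-life branch); it does not mean the build is safe.
    """
    base, ubr = parse_build(build)
    if base == SERVER_2025_BASE and is_server:
        fixed = SERVER_2025_FIXED_UBR
    else:
        fixed = FIXED_UBR.get(base)
    if fixed is None:
        return "not-listed"
    return "fixed" if ubr >= fixed else "affected"


def affected_names(inventory):
    """inventory: iterable of (name, build, is_server). Returns names still affected."""
    return [name for name, build, is_server in inventory
            if cve_2026_33828_status(build, is_server) == "affected"]


# Constructed sample inventory for illustration, not real customer data.
SAMPLE_INVENTORY = [
    ("servercore-ltsc2022",         "10.0.20348.4000", True),
    ("servercore-ltsc2022-patched", "10.0.20348.5256", True),
    ("win11-24h2-workstation",      "10.0.26100.8655", False),
    ("server-2025",                 "10.0.26100.8655", True),
    ("nanoserver-ltsc2019",         "10.0.17763.8880", True),
    ("win10-20h2-eol",              "10.0.19042.1234", False),
]

if __name__ == "__main__":
    for name, build, is_server in SAMPLE_INVENTORY:
        print(f"{name:30} {build:18} {cve_2026_33828_status(build, is_server)}")
    print("still affected:", affected_names(SAMPLE_INVENTORY))
```

The "not-listed" result is deliberately distinct from "fixed": a branch missing from the table (the constructed 20H2 entry above) is out of support rather than patched, and should be escalated, not silently passed.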
CVSS v3.1 vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
The 7.8 reported above is the base score. Applying the temporal metrics carried in the vector (E:U, RL:O, RC:C) gives a temporal score of 6.8, reflecting that an official fix is available and no exploit code was known at scoring time.