CVE-2025-21298 Microsoft — Exploit & Vulnerability Details CRITICAL

Parameter	Value
CVSS	9.8 (CRITICAL)
Affected Versions	before 10.0.26100.2894
Fixed In	10.0.10240.20890
Type	CWE-416 (Use After Free)
Vendor	Microsoft
Public PoC	Yes

Windows OLE Remote Code Execution Vulnerability

Attack Parameters

Attack Vector

Network

Can be exploited remotely

Attack Complexity

Low

Easy to exploit

Privileges Required

None

No privileges needed

User Interaction

None

No user interaction needed

Impact Assessment

Confidentiality

High

Complete data leak

Integrity

High

Complete data modification

Availability

High

Complete denial of service

CVSS Vector v3.1

Weakness Type (CWE)

CWE-416 Use After Free

Vulnerable Products 20

Configuration	From (including)	Up to (excluding)
Microsoft Windows_10_1507 cpe:2.3:o:microsoft:windows_10_1507:::::::x64:*	—	`10.0.10240.20890`
Microsoft Windows_10_1507 cpe:2.3:o:microsoft:windows_10_1507:::::::x86:*	—	`10.0.10240.20890`
Microsoft Windows_10_1607 cpe:2.3:o:microsoft:windows_10_1607:::::::x64:*	—	`10.0.14393.7699`
Microsoft Windows_10_1607 cpe:2.3:o:microsoft:windows_10_1607:::::::x86:*	—	`10.0.14393.7699`
Microsoft Windows_10_1809 cpe:2.3:o:microsoft:windows_10_1809:::::::x64:*	—	`10.0.17763.6775`
Microsoft Windows_10_1809 cpe:2.3:o:microsoft:windows_10_1809:::::::x86:*	—	`10.0.17763.6775`
Microsoft Windows_10_21h2 cpe:2.3:o:microsoft:windows_10_21h2::::::::	—	`10.0.19044.5371`
Microsoft Windows_10_22h2 cpe:2.3:o:microsoft:windows_10_22h2::::::::	—	`10.0.19045.5371`
Microsoft Windows_11_22h2 cpe:2.3:o:microsoft:windows_11_22h2::::::::	—	`10.0.22621.4751`
Microsoft Windows_11_23h2 cpe:2.3:o:microsoft:windows_11_23h2::::::::	—	`10.0.22631.4751`
Microsoft Windows_11_24h2 cpe:2.3:o:microsoft:windows_11_24h2::::::::	—	`10.0.26100.2894`
Microsoft Windows_Server_2008 cpe:2.3:o:microsoft:windows_server_2008:-:sp2::::::	—	—
Microsoft Windows_Server_2008 cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:::::x64:*	—	—
Microsoft Windows_Server_2012 cpe:2.3:o:microsoft:windows_server_2012:-:::::::*	—	—
Microsoft Windows_Server_2012 cpe:2.3:o:microsoft:windows_server_2012:r2:::::::*	—	—
Microsoft Windows_Server_2016 cpe:2.3:o:microsoft:windows_server_2016::::::::	—	`10.0.14393.7699`
Microsoft Windows_Server_2019 cpe:2.3:o:microsoft:windows_server_2019::::::::	—	`10.0.17763.6775`
Microsoft Windows_Server_2022 cpe:2.3:o:microsoft:windows_server_2022::::::::	—	`10.0.20348.3091`
Microsoft Windows_Server_2022_23h2 cpe:2.3:o:microsoft:windows_server_2022_23h2::::::::	—	`10.0.25398.1369`
Microsoft Windows_Server_2025 cpe:2.3:o:microsoft:windows_server_2025:::::::x64:*	—	`10.0.26100.2894`

References 1

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-21298

secure@microsoft.com

Share Post Share Share Share

Related Vulnerabilities

CVE-2026-5287

Microsoft

8.8

CVE-2026-5285

Microsoft

8.8

CVE-2026-5281

Microsoft

8.8

CVE-2026-5280

Microsoft

8.8

CVE-2026-5279

Microsoft

8.8

Menu

CVE-2025-21298

Attack Parameters

Impact Assessment

CVSS Vector v3.1

Weakness Type (CWE)

Vulnerable Products 20

References 1

Related Vulnerabilities

CVE-2026-5287

CVE-2026-5285

CVE-2026-5281

CVE-2026-5280

CVE-2026-5279

CVE Details

Editor's Choice

Menu

CVE-2025-21298

Attack Parameters

Impact Assessment

CVSS Vector v3.1

Weakness Type (CWE)

Vulnerable Products 20

References 1

Related Vulnerabilities

CVE-2026-5287

CVE-2026-5285

CVE-2026-5281

CVE-2026-5280

CVE-2026-5279

CVE Details

Editor's Choice

Stay informed on cybersecurity