CVE-2026-32202 is a medium-severity spoofing vulnerability in Windows Shell actively exploited in the wild, affecting multiple Windows and Server versions.
| Product | Version Start | Version End (excl.) | Status |
|---|---|---|---|
| windows_10_1607 | * | 10.0.14393.9060 | vulnerable |
| windows_10_1809 | * | 10.0.17763.8644 | vulnerable |
| windows_10_21h2 | * | 10.0.19044.7184 | vulnerable |
| windows_10_22h2 | * | 10.0.19045.7184 | vulnerable |
| windows_11_23h2 | * | 10.0.22631.6936 | vulnerable |
| windows_11_24h2 | * | 10.0.26100.8246 | vulnerable |
| windows_11_25h2 | * | 10.0.26200.8246 | vulnerable |
| windows_11_26h1 | * | 10.0.28000.1836 | vulnerable |
| windows_server_2012 | - | - | vulnerable |
| windows_server_2012 | r2 | r2 | vulnerable |
| windows_server_2016 | * | 10.0.14393.9060 | vulnerable |
| windows_server_2019 | * | 10.0.17763.8644 | vulnerable |
| windows_server_2022 | * | 10.0.20348.5020 | vulnerable |
| windows_server_2022_23h2 | * | 10.0.25398.2274 | vulnerable |
| windows_server_2025 | * | 10.0.26100.32690 | vulnerable |
Download and install the latest security updates from the Microsoft Security Update Guide. Microsoft has released KB articles for all supported versions of Windows and Windows Server that address this Windows Shell protection mechanism failure.
Verify that systems are running at least the build at which the vulnerable range ends for their product (the "Version End (excl.)" column above), for example Windows 10 22H2 at 10.0.19045.7184, Windows 11 24H2 at 10.0.26100.8246, or Windows Server 2025 at 10.0.26100.32690; any lower build of that product is still vulnerable.
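The following PowerShell script is an added example, not part of the advisory or a Microsoft tool: it reads the running build and update build revision (UBR) from the registry and compares them against the fixed builds in the table above. The build table is copied from the advisory; keying rows by build number plus the registry's `InstallationType` value (to tell Windows 11 24H2 from Server 2025, which share build 26100) is this script's own assumption.

```powershell
# Fixed builds per product, keyed as "<Client|Server>:<CurrentBuild>" (values from the advisory table).
$FixedBuilds = @{
    'Client:14393' = '10.0.14393.9060'   # Windows 10 1607
    'Server:14393' = '10.0.14393.9060'   # Windows Server 2016
    'Client:17763' = '10.0.17763.8644'   # Windows 10 1809
    'Server:17763' = '10.0.17763.8644'   # Windows Server 2019
    'Client:19044' = '10.0.19044.7184'   # Windows 10 21H2
    'Client:19045' = '10.0.19045.7184'   # Windows 10 22H2
    'Server:20348' = '10.0.20348.5020'   # Windows Server 2022
    'Client:22631' = '10.0.22631.6936'   # Windows 11 23H2
    'Server:25398' = '10.0.25398.2274'   # Windows Server 2022 23H2
    'Client:26100' = '10.0.26100.8246'   # Windows 11 24H2
    'Server:26100' = '10.0.26100.32690'  # Windows Server 2025
    'Client:26200' = '10.0.26200.8246'   # Windows 11 25H2
    'Client:28000' = '10.0.28000.1836'   # Windows 11 26H1
}

function Test-Cve202632202Build {
    # With no arguments the local host is checked; pass values explicitly to evaluate inventory data.
    param([string]$InstallationType, [string]$CurrentBuild, [int]$Ubr)

    if (-not $CurrentBuild) {
        $nt = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
        $InstallationType = $nt.InstallationType   # 'Client', 'Server' or 'Server Core'
        $CurrentBuild     = $nt.CurrentBuild       # e.g. '19045'
        $Ubr              = $nt.UBR                # update build revision, e.g. 7184
    }
    # Anything that is not a client SKU (including Server Core) is treated as Server.
    $kind    = if ($InstallationType -eq 'Client') { 'Client' } else { 'Server' }
    $running = [version]"10.0.$CurrentBuild.$Ubr"
    $key     = "${kind}:${CurrentBuild}"

    if (-not $FixedBuilds.ContainsKey($key)) {
        # Server 2012 / 2012 R2 have no build in the table; review those hosts manually.
        return [pscustomobject]@{ Build = $running; FixedBuild = $null; Status = 'not in advisory table, check manually' }
    }
    $fixed = [version]$FixedBuilds[$key]
    [pscustomobject]@{
        Build      = $running
        FixedBuild = $fixed
        Status     = if ($running -ge $fixed) { 'patched' } else { 'vulnerable' }
    }
}

# Constructed sample inputs, then the local host:
Test-Cve202632202Build -InstallationType Client -CurrentBuild 19045 -Ubr 7100    # Status: vulnerable
Test-Cve202632202Build -InstallationType Server -CurrentBuild 26100 -Ubr 32690   # Status: patched
Test-Cve202632202Build
```

Run it across a fleet by feeding each host's `InstallationType`, `CurrentBuild` and `UBR` from your inventory, and treat the "check manually" result as unresolved rather than as patched.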
Minimize the risk of network-based spoofing by implementing robust web and email filtering. Block untrusted file types and suspicious URLs that could deliver the malicious content needed to trigger the Windows Shell vulnerability.
Enable advanced auditing for Windows Shell processes and monitor for unusual process execution patterns. Use EDR tools to detect anomalous behavior originating from explorer.exe or shell32.dll that follows user interaction with network-delivered links or files.
Detecting CVE-2026-32202 requires monitoring for anomalous Windows Shell activity. Security teams should look for unexpected process launches that follow user interaction with external links or files, monitor event logs for protection mechanism failures (CWE-693), and use EDR signatures to identify spoofed shell elements. Network-level detection should focus on traffic patterns associated with known spoofing techniques that target Windows Shell components.