What is CVE-2026-25166?

CVE-2026-25166 is a high-severity vulnerability in Microsoft Windows Adk For 10, Version 2004, classified under Deserialization of Untrusted Data. CVSS score: 7.8/10. Published 2026-03-10.

How severe is CVE-2026-25166?

High severity. CVSS v3 base score is 7.8 out of 10.

Deserialization in Microsoft Windows Adk For 10, Version 2004

CVE-2026-25166

Deserialization of untrusted data in Windows System Image Manager allows an authorized attacker to execute code locally.

Vulnerability class: Insecure Deserialization

EPSS: 0.011 (77.9th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 7.8 (High). Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C.

Affected products

Microsoft Windows Adk For 10, Version 2004
Microsoft Windows Adk For 11, Version 22h2
Microsoft Windows Adk For 11, Version 23h2
Microsoft Windows Adk For 11, Version 24h2
Microsoft Windows Adk For Server 2022

Weakness classification (CWE)

CWE-502 — Deserialization of Untrusted Data

References

Windows System Image Manager Assessment and Deployment Kit (ADK) Remote Code Execution Vulnerability (vendor-advisory, patch)

Frequently asked questions

What is CVE-2026-25166?: CVE-2026-25166 is a high-severity vulnerability in Microsoft Windows Adk For 10, Version 2004, classified under Deserialization of Untrusted Data. CVSS score: 7.8/10. Published 2026-03-10.
How severe is CVE-2026-25166?: High severity. CVSS v3 base score is 7.8 out of 10.