Vulnerability-Lookup

CVE-2026-32184 (GCVE-0-2026-32184)

Vulnerability from cvelistv5 – Published: 2026-04-14 16:57 – Updated: 2026-04-15 03:56

Title

Microsoft High Performance Compute (HPC) Pack Elevation of Privilege Vulnerability

Summary

Deserialization of untrusted data in Microsoft High Performance Compute Pack (HPC) allows an authorized attacker to elevate privileges locally.

Severity ?

7.8 (High)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C

CWE

CWE-502 - Deserialization of Untrusted Data

Assigner

microsoft

References

URL

	Vendor	Product	Version
	Microsoft	Microsoft HPC Pack 2019	Affected: 1.0.0 , < 6.3.8355 (custom)

NCSC-2026-0117

Vulnerability from csaf_ncscnl - Published: 2026-04-14 19:23 - Updated: 2026-04-14 19:23

Summary

Kwetsbaarheden verholpen in Microsoft Azure

Notes

The Netherlands Cyber Security Center (henceforth: NCSC-NL) maintains this page to enhance access to its information and security advisories. The use of this security advisory is subject to the following terms and conditions: NCSC-NL makes every reasonable effort to ensure that the content of this page is kept up to date, and that it is accurate and complete. Nevertheless, NCSC-NL cannot entirely rule out the possibility of errors, and therefore cannot give any warranty in respect of its completeness, accuracy or continuous keeping up-to-date. The information contained in this security advisory is intended solely for the purpose of providing general information to professional users. No rights can be derived from the information provided therein. NCSC-NL and the Kingdom of the Netherlands assume no legal liability or responsibility for any damage resulting from either the use or inability of use of this security advisory. This includes damage resulting from the inaccuracy of incompleteness of the information contained in the advisory. This security advisory is subject to Dutch law. All disputes related to or arising from the use of this advisory will be submitted to the competent court in The Hague. This choice of means also applies to the court in summary proceedings.

Feiten: Microsoft heeft kwetsbaarheden verholpen in diverse Azure componenten.

Interpretaties: Een kwaadwillende kan deze kwetsbaarheden misbruiken doordat meerdere Azure- en Microsoft-componenten invoer onvoldoende valideren of niet-vertrouwde data onveilig verwerken, waardoor een geautoriseerde aanvaller lokaal of via het netwerk zijn rechten kan verhogen. ``` Microsoft High Performance Compute Pack (HPC): |----------------|------|-------------------------------------| | CVE-ID | CVSS | Impact | |----------------|------|-------------------------------------| | CVE-2026-32184 | 7,80 | Verkrijgen van verhoogde rechten | |----------------|------|-------------------------------------| Azure Monitor Agent: |----------------|------|-------------------------------------| | CVE-ID | CVSS | Impact | |----------------|------|-------------------------------------| | CVE-2026-32168 | 7,80 | Verkrijgen van verhoogde rechten | | CVE-2026-32192 | 7,80 | Verkrijgen van verhoogde rechten | |----------------|------|-------------------------------------| Azure Logic Apps: |----------------|------|-------------------------------------| | CVE-ID | CVSS | Impact | |----------------|------|-------------------------------------| | CVE-2026-32171 | 8,80 | Verkrijgen van verhoogde rechten | |----------------|------|-------------------------------------| ```

Oplossingen: Microsoft heeft updates beschikbaar gesteld waarmee de beschreven kwetsbaarheden worden verholpen. We raden u aan om deze updates te installeren. Meer informatie over de kwetsbaarheden, de installatie van de updates en eventuele work-arounds vindt u op: https://portal.msrc.microsoft.com/en-us/security-guidance

Kans: medium

Schade: high

CWE-502: Deserialization of Untrusted Data

CWE-522: Insufficiently Protected Credentials

CWE-20: Improper Input Validation

CVE-2026-32168

An improper input validation vulnerability in the Azure Monitor Agent enables an authorized attacker to perform local privilege escalation.

7.8 (High)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C

CVE-2026-32171

Insufficiently protected credentials in Azure Logic Apps allow an authorized attacker to elevate privileges over a network, posing a significant security risk.

8.8 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C

CWE-522 - Insufficiently Protected Credentials

CVE-2026-32184

A deserialization vulnerability in Microsoft High Performance Compute Pack (HPC) enables an authorized local attacker to elevate privileges by processing untrusted data.

7.8 (High)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C

CWE-502 - Deserialization of Untrusted Data

CVE-2026-32192

A deserialization vulnerability in Azure Monitor Agent allows an authorized attacker to locally elevate privileges by processing untrusted data.

7.8 (High)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C

CWE-502 - Deserialization of Untrusted Data

References

URL

Category

	https://vulnerabilities.ncsc.nl/csaf/v2/2026/cve-…	self
	https://vulnerabilities.ncsc.nl/csaf/v2/2026/cve-…	self
	https://vulnerabilities.ncsc.nl/csaf/v2/2026/cve-…	self
	https://vulnerabilities.ncsc.nl/csaf/v2/2026/cve-…	self

JSON

To clipboard

{
  "document": {
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE"
      }
    },
    "lang": "nl",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "The Netherlands Cyber Security Center (henceforth: NCSC-NL) maintains this page to enhance access to its information and security advisories. The use of this security advisory is subject to the following terms and conditions:\n\n    NCSC-NL makes every reasonable effort to ensure that the content of this page is kept up to date, and that it is accurate and complete. Nevertheless, NCSC-NL cannot entirely rule out the possibility of errors, and therefore cannot give any warranty in respect of its completeness, accuracy or continuous keeping up-to-date. The information contained in this security advisory is intended solely for the purpose of providing general information to professional users. No rights can be derived from the information provided therein.\n\n    NCSC-NL and the Kingdom of the Netherlands assume no legal liability or responsibility for any damage resulting from either the use or inability of use of this security advisory. This includes damage resulting from the inaccuracy of incompleteness of the information contained in the advisory.\n    This security advisory is subject to Dutch law. All disputes related to or arising from the use of this advisory will be submitted to the competent court in The Hague. This choice of means also applies to the court in summary proceedings."
      },
      {
        "category": "description",
        "text": "Microsoft heeft kwetsbaarheden verholpen in diverse Azure componenten.",
        "title": "Feiten"
      },
      {
        "category": "description",
        "text": "Een kwaadwillende kan deze kwetsbaarheden misbruiken doordat meerdere Azure- en Microsoft-componenten invoer onvoldoende valideren of niet-vertrouwde data onveilig verwerken, waardoor een geautoriseerde aanvaller lokaal of via het netwerk zijn rechten kan verhogen.\n\n```\nMicrosoft High Performance Compute Pack (HPC): \n|----------------|------|-------------------------------------|\n| CVE-ID         | CVSS | Impact                              |\n|----------------|------|-------------------------------------|\n| CVE-2026-32184 | 7,80 | Verkrijgen van verhoogde rechten    | \n|----------------|------|-------------------------------------|\n\nAzure Monitor Agent: \n|----------------|------|-------------------------------------|\n| CVE-ID         | CVSS | Impact                              |\n|----------------|------|-------------------------------------|\n| CVE-2026-32168 | 7,80 | Verkrijgen van verhoogde rechten    | \n| CVE-2026-32192 | 7,80 | Verkrijgen van verhoogde rechten    | \n|----------------|------|-------------------------------------|\n\nAzure Logic Apps: \n|----------------|------|-------------------------------------|\n| CVE-ID         | CVSS | Impact                              |\n|----------------|------|-------------------------------------|\n| CVE-2026-32171 | 8,80 | Verkrijgen van verhoogde rechten    | \n|----------------|------|-------------------------------------|\n\n```",
        "title": "Interpretaties"
      },
      {
        "category": "description",
        "text": "Microsoft heeft updates beschikbaar gesteld waarmee de beschreven kwetsbaarheden worden verholpen. We raden u aan om deze updates te installeren. Meer informatie over de kwetsbaarheden, de installatie van de updates en eventuele work-arounds vindt u op:\n\nhttps://portal.msrc.microsoft.com/en-us/security-guidance",
        "title": "Oplossingen"
      },
      {
        "category": "general",
        "text": "medium",
        "title": "Kans"
      },
      {
        "category": "general",
        "text": "high",
        "title": "Schade"
      },
      {
        "category": "general",
        "text": "Deserialization of Untrusted Data",
        "title": "CWE-502"
      },
      {
        "category": "general",
        "text": "Insufficiently Protected Credentials",
        "title": "CWE-522"
      },
      {
        "category": "general",
        "text": "Improper Input Validation",
        "title": "CWE-20"
      }
    ],
    "publisher": {
      "category": "coordinator",
      "contact_details": "cert@ncsc.nl",
      "name": "Nationaal Cyber Security Centrum",
      "namespace": "https://www.ncsc.nl/"
    },
    "title": "Kwetsbaarheden verholpen in Microsoft Azure",
    "tracking": {
      "current_release_date": "2026-04-14T19:23:30.733725Z",
      "generator": {
        "date": "2025-08-04T16:30:00Z",
        "engine": {
          "name": "V.A.",
          "version": "1.3"
        }
      },
      "id": "NCSC-2026-0117",
      "initial_release_date": "2026-04-14T19:23:30.733725Z",
      "revision_history": [
        {
          "date": "2026-04-14T19:23:30.733725Z",
          "number": "1.0.0",
          "summary": "Initiele versie"
        }
      ],
      "status": "final",
      "version": "1.0.0"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "vers:unknown/*",
                "product": {
                  "name": "vers:unknown/*",
                  "product_id": "CSAFPID-1"
                }
              }
            ],
            "category": "product_name",
            "name": "Azure Logic Apps"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "vers:unknown/*",
                "product": {
                  "name": "vers:unknown/*",
                  "product_id": "CSAFPID-2"
                }
              }
            ],
            "category": "product_name",
            "name": "Azure Monitor"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "vers:unknown/*",
                "product": {
                  "name": "vers:unknown/*",
                  "product_id": "CSAFPID-3"
                }
              }
            ],
            "category": "product_name",
            "name": "Azure Monitor Agent"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "vers:unknown/*",
                "product": {
                  "name": "vers:unknown/*",
                  "product_id": "CSAFPID-4"
                }
              }
            ],
            "category": "product_name",
            "name": "Microsoft HPC Pack 2019"
          }
        ],
        "category": "vendor",
        "name": "Microsoft"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2026-32168",
      "notes": [
        {
          "category": "description",
          "text": "An improper input validation vulnerability in the Azure Monitor Agent enables an authorized attacker to perform local privilege escalation.",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-1",
          "CSAFPID-2",
          "CSAFPID-3",
          "CSAFPID-4"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2026-32168 | NCSC-NL Website",
          "url": "https://vulnerabilities.ncsc.nl/csaf/v2/2026/cve-2026-32168.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-1",
            "CSAFPID-2",
            "CSAFPID-3",
            "CSAFPID-4"
          ]
        }
      ],
      "title": "CVE-2026-32168"
    },
    {
      "cve": "CVE-2026-32171",
      "cwe": {
        "id": "CWE-522",
        "name": "Insufficiently Protected Credentials"
      },
      "notes": [
        {
          "category": "other",
          "text": "Insufficiently Protected Credentials",
          "title": "CWE-522"
        },
        {
          "category": "description",
          "text": "Insufficiently protected credentials in Azure Logic Apps allow an authorized attacker to elevate privileges over a network, posing a significant security risk.",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-1",
          "CSAFPID-2",
          "CSAFPID-3",
          "CSAFPID-4"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2026-32171 | NCSC-NL Website",
          "url": "https://vulnerabilities.ncsc.nl/csaf/v2/2026/cve-2026-32171.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-1",
            "CSAFPID-2",
            "CSAFPID-3",
            "CSAFPID-4"
          ]
        }
      ],
      "title": "CVE-2026-32171"
    },
    {
      "cve": "CVE-2026-32184",
      "cwe": {
        "id": "CWE-502",
        "name": "Deserialization of Untrusted Data"
      },
      "notes": [
        {
          "category": "other",
          "text": "Deserialization of Untrusted Data",
          "title": "CWE-502"
        },
        {
          "category": "description",
          "text": "A deserialization vulnerability in Microsoft High Performance Compute Pack (HPC) enables an authorized local attacker to elevate privileges by processing untrusted data.",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-1",
          "CSAFPID-2",
          "CSAFPID-3",
          "CSAFPID-4"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2026-32184 | NCSC-NL Website",
          "url": "https://vulnerabilities.ncsc.nl/csaf/v2/2026/cve-2026-32184.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-1",
            "CSAFPID-2",
            "CSAFPID-3",
            "CSAFPID-4"
          ]
        }
      ],
      "title": "CVE-2026-32184"
    },
    {
      "cve": "CVE-2026-32192",
      "cwe": {
        "id": "CWE-502",
        "name": "Deserialization of Untrusted Data"
      },
      "notes": [
        {
          "category": "other",
          "text": "Deserialization of Untrusted Data",
          "title": "CWE-502"
        },
        {
          "category": "description",
          "text": "A deserialization vulnerability in Azure Monitor Agent allows an authorized attacker to locally elevate privileges by processing untrusted data.",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-1",
          "CSAFPID-2",
          "CSAFPID-3",
          "CSAFPID-4"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2026-32192 | NCSC-NL Website",
          "url": "https://vulnerabilities.ncsc.nl/csaf/v2/2026/cve-2026-32192.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-1",
            "CSAFPID-2",
            "CSAFPID-3",
            "CSAFPID-4"
          ]
        }
      ],
      "title": "CVE-2026-32192"
    }
  ]
}

GHSA-C6VR-GRF8-R7QJ

Vulnerability from github – Published: 2026-04-14 18:30 – Updated: 2026-04-14 18:30

Details

Deserialization of untrusted data in Microsoft High Performance Compute Pack (HPC) allows an authorized attacker to elevate privileges locally.

Severity ?

7.8 (High)


                  
                    CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2026-32184"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-502"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-04-14T18:17:21Z",
    "severity": "HIGH"
  },
  "details": "Deserialization of untrusted data in Microsoft High Performance Compute Pack (HPC) allows an authorized attacker to elevate privileges locally.",
  "id": "GHSA-c6vr-grf8-r7qj",
  "modified": "2026-04-14T18:30:41Z",
  "published": "2026-04-14T18:30:41Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32184"
    },
    {
      "type": "WEB",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-32184"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

MSRC_CVE-2026-32184

Vulnerability from csaf_microsoft - Published: 2026-04-14 07:00 - Updated: 2026-04-14 07:00

Summary

Microsoft High Performance Compute (HPC) Pack Elevation of Privilege Vulnerability

Severity

Important

Notes

Additional Resources: To determine the support lifecycle for your software, see the Microsoft Support Lifecycle: https://support.microsoft.com/lifecycle

Disclaimer: The information provided in the Microsoft Knowledge Base is provided \"as is\" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

Customer Action: Required. The vulnerability documented by this CVE requires customer action to resolve.

CVE-2026-32184

7.8 (High)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C

CWE-502 - Deserialization of Untrusted Data

Vendor Fix 6.3.8355:Security Update:https://github.com/Azure/hpcpack/blob/master/CHANGELOG.md#hpc-pack-2019-update-3-qfe-kb5081004-638355---2212026 https://github.com/Azure/hpcpack/blob/master/CHAN…

References

URL

Category

	https://msrc.microsoft.com/update-guide/vulnerabi…	self
	https://msrc.microsoft.com/csaf/advisories/2026/m…	self
	https://www.microsoft.com/en-us/msrc/exploitabili…	external
	https://support.microsoft.com/lifecycle	external
	https://www.first.org/cvss	external
	https://msrc.microsoft.com/update-guide/vulnerabi…	self
	https://msrc.microsoft.com/csaf/advisories/2026/m…	self

Acknowledgments

Long Zhang

JSON

To clipboard

{
  "document": {
    "acknowledgments": [
      {
        "names": [
          "Long Zhang"
        ]
      },
      {
        "names": [
          "Long Zhang"
        ]
      }
    ],
    "aggregate_severity": {
      "namespace": "https://www.microsoft.com/en-us/msrc/security-update-severity-rating-system",
      "text": "Important"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Public",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en-US",
    "notes": [
      {
        "category": "general",
        "text": "To determine the support lifecycle for your software, see the Microsoft Support Lifecycle: https://support.microsoft.com/lifecycle",
        "title": "Additional Resources"
      },
      {
        "category": "legal_disclaimer",
        "text": "The information provided in the Microsoft Knowledge Base is provided \\\"as is\\\" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.",
        "title": "Disclaimer"
      },
      {
        "category": "general",
        "text": "Required. The vulnerability documented by this CVE requires customer action to resolve.",
        "title": "Customer Action"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "secure@microsoft.com",
      "name": "Microsoft Security Response Center",
      "namespace": "https://msrc.microsoft.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "CVE-2026-32184 Microsoft High Performance Compute (HPC) Pack Elevation of Privilege Vulnerability - HTML",
        "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-32184"
      },
      {
        "category": "self",
        "summary": "CVE-2026-32184 Microsoft High Performance Compute (HPC) Pack Elevation of Privilege Vulnerability - CSAF",
        "url": "https://msrc.microsoft.com/csaf/advisories/2026/msrc_cve-2026-32184.json"
      },
      {
        "category": "external",
        "summary": "Microsoft Exploitability Index",
        "url": "https://www.microsoft.com/en-us/msrc/exploitability-index?rtc=1"
      },
      {
        "category": "external",
        "summary": "Microsoft Support Lifecycle",
        "url": "https://support.microsoft.com/lifecycle"
      },
      {
        "category": "external",
        "summary": "Common Vulnerability Scoring System",
        "url": "https://www.first.org/cvss"
      }
    ],
    "title": "Microsoft High Performance Compute (HPC) Pack Elevation of Privilege Vulnerability",
    "tracking": {
      "current_release_date": "2026-04-14T07:00:00.000Z",
      "generator": {
        "date": "2026-04-14T16:56:51.828Z",
        "engine": {
          "name": "MSRC Generator",
          "version": "1.0"
        }
      },
      "id": "msrc_CVE-2026-32184",
      "initial_release_date": "2026-04-14T07:00:00.000Z",
      "revision_history": [
        {
          "date": "2026-04-14T07:00:00.000Z",
          "legacy_version": "1",
          "number": "1",
          "summary": "Information published."
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "category": "product_version_range",
            "name": "\u003c6.3.8355",
            "product": {
              "name": "Microsoft HPC Pack 2019 \u003c6.3.8355",
              "product_id": "1"
            }
          },
          {
            "category": "product_version",
            "name": "6.3.8355",
            "product": {
              "name": "Microsoft HPC Pack 2019 6.3.8355",
              "product_id": "12455"
            }
          }
        ],
        "category": "product_name",
        "name": "Microsoft HPC Pack 2019"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2026-32184",
      "cwe": {
        "id": "CWE-502",
        "name": "Deserialization of Untrusted Data"
      },
      "notes": [
        {
          "category": "general",
          "text": "Microsoft",
          "title": "Assigning CNA"
        },
        {
          "category": "faq",
          "text": "An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.",
          "title": "What privileges could be gained by an attacker who successfully exploited this vulnerability?"
        },
        {
          "category": "faq",
          "text": "Customers should install the latest security update for HPC Pack 2019 Update 3 on affected systems. Microsoft has released HPC Pack 2019 Update 3 Fixes (Build 6.3.8355), which includes all previously released fixes for this vulnerability. Customers running HPC Pack 2019 Update 3 can apply this update directly, regardless of whether earlier fixes were installed. Customers using earlier versions of HPC Pack must first upgrade to HPC Pack 2019 Update 3 (Build 6.3.8328) before applying the fix. HPC Pack 2016 is not supported for this update; customers using that version must migrate to HPC Pack 2019 Update 3 to be protected. This update applies only to head nodes and updates a limited set of binaries related to the HPC Scheduler and Management services. Other node types are not affected and do not require action.\nNo. There are no QFE updates available for HPC Pack 2016. Customers using HPC Pack 2016 must migrate to HPC Pack 2019 Update 3 and then apply the available QFE to receive the fix.\nNo. The QFE only needs to be applied to the head nodes of the HPC Pack cluster. Compute nodes are not affected and do not require the update.",
          "title": "What do customers need to do to mitigate this vulnerability?"
        }
      ],
      "product_status": {
        "fixed": [
          "12455"
        ],
        "known_affected": [
          "1"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2026-32184 Microsoft High Performance Compute (HPC) Pack Elevation of Privilege Vulnerability - HTML",
          "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-32184"
        },
        {
          "category": "self",
          "summary": "CVE-2026-32184 Microsoft High Performance Compute (HPC) Pack Elevation of Privilege Vulnerability - CSAF",
          "url": "https://msrc.microsoft.com/csaf/advisories/2026/msrc_cve-2026-32184.json"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-04-14T07:00:00.000Z",
          "details": "6.3.8355:Security Update:https://github.com/Azure/hpcpack/blob/master/CHANGELOG.md#hpc-pack-2019-update-3-qfe-kb5081004-638355---2212026",
          "product_ids": [
            "1"
          ],
          "url": "https://github.com/Azure/hpcpack/blob/master/CHANGELOG.md#hpc-pack-2019-update-3-qfe-kb5081004-638355---2212026"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "HIGH",
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "environmentalsScore": 0.0,
            "exploitCodeMaturity": "UNPROVEN",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "remediationLevel": "OFFICIAL_FIX",
            "reportConfidence": "CONFIRMED",
            "scope": "UNCHANGED",
            "temporalScore": 6.8,
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C",
            "version": "3.1"
          },
          "products": [
            "1"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Elevation of Privilege"
        },
        {
          "category": "exploit_status",
          "details": "Publicly Disclosed:No;Exploited:No;Latest Software Release:Exploitation Less Likely"
        }
      ],
      "title": "Microsoft High Performance Compute (HPC) Pack Elevation of Privilege Vulnerability"
    }
  ]
}

FKIE_CVE-2026-32184

Vulnerability from fkie_nvd - Published: 2026-04-14 18:17 - Updated: 2026-04-14 18:17

Severity ?

7.8 (High) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Summary

Deserialization of untrusted data in Microsoft High Performance Compute Pack (HPC) allows an authorized attacker to elevate privileges locally.

References

	URL	Tags
	secure@microsoft.com	https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-32184

Impacted products

	Vendor	Product	Version

JSON

To clipboard

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Deserialization of untrusted data in Microsoft High Performance Compute Pack (HPC) allows an authorized attacker to elevate privileges locally."
    }
  ],
  "id": "CVE-2026-32184",
  "lastModified": "2026-04-14T18:17:21.777",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "LOCAL",
          "availabilityImpact": "HIGH",
          "baseScore": 7.8,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 1.8,
        "impactScore": 5.9,
        "source": "secure@microsoft.com",
        "type": "Primary"
      }
    ]
  },
  "published": "2026-04-14T18:17:21.777",
  "references": [
    {
      "source": "secure@microsoft.com",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-32184"
    }
  ],
  "sourceIdentifier": "secure@microsoft.com",
  "vulnStatus": "Received",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-502"
        }
      ],
      "source": "secure@microsoft.com",
      "type": "Primary"
    }
  ]
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2026-32184 (GCVE-0-2026-32184)

NCSC-2026-0117

GHSA-C6VR-GRF8-R7QJ

MSRC_CVE-2026-32184

FKIE_CVE-2026-32184

Tags

Sightings

Nomenclature