{
  "document": {
    "acknowledgments": [
      {
        "names": [
          "Sridhar Periyasamy"
        ]
      }
    ],
    "aggregate_severity": {
      "namespace": "https://www.microsoft.com/en-us/msrc/security-update-severity-rating-system",
      "text": "Critical"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Public",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en-US",
    "notes": [
      {
        "category": "general",
        "text": "To determine the support lifecycle for your software, see the Microsoft Support Lifecycle: https://support.microsoft.com/lifecycle",
        "title": "Additional Resources"
      },
      {
        "category": "legal_disclaimer",
        "text": "The information provided in the Microsoft Knowledge Base is provided \"as is\" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.",
        "title": "Disclaimer"
      },
      {
        "category": "general",
        "text": "Required. The vulnerability documented by this CVE requires customer action to resolve.",
        "title": "Customer Action"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "secure@microsoft.com",
      "name": "Microsoft Security Response Center",
      "namespace": "https://msrc.microsoft.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "CVE-2026-42822 Azure Local Disconnected Operations (ALDO) Elevation of Privilege Vulnerability - HTML",
        "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-42822"
      },
      {
        "category": "self",
        "summary": "CVE-2026-42822 Azure Local Disconnected Operations (ALDO) Elevation of Privilege Vulnerability - CSAF",
        "url": "https://msrc.microsoft.com/csaf/advisories/2026/msrc_cve-2026-42822.json"
      },
      {
        "category": "external",
        "summary": "Microsoft Exploitability Index",
        "url": "https://www.microsoft.com/en-us/msrc/exploitability-index?rtc=1"
      },
      {
        "category": "external",
        "summary": "Microsoft Support Lifecycle",
        "url": "https://support.microsoft.com/lifecycle"
      },
      {
        "category": "external",
        "summary": "Common Vulnerability Scoring System",
        "url": "https://www.first.org/cvss"
      }
    ],
    "title": "Azure Local Disconnected Operations (ALDO) Elevation of Privilege Vulnerability",
    "tracking": {
      "current_release_date": "2026-05-18T07:00:00.000Z",
      "generator": {
        "date": "2026-05-20T13:52:45.371Z",
        "engine": {
          "name": "MSRC Generator",
          "version": "1.0"
        }
      },
      "id": "msrc_CVE-2026-42822",
      "initial_release_date": "2026-05-12T07:00:00.000Z",
      "revision_history": [
        {
          "date": "2026-05-18T07:00:00.000Z",
          "legacy_version": "1",
          "number": "1",
          "summary": "Information published."
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "category": "product_version_range",
            "name": "<2604.2.25645",
            "product": {
              "name": "Azure Local <2604.2.25645",
              "product_id": "1"
            }
          },
          {
            "category": "product_version",
            "name": "2604.2.25645",
            "product": {
              "name": "Azure Local 2604.2.25645",
              "product_id": "20844"
            }
          }
        ],
        "category": "product_name",
        "name": "Azure Local"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2026-42822",
      "cwe": {
        "id": "CWE-287",
        "name": "Improper Authentication"
      },
      "notes": [
        {
          "category": "general",
          "text": "Microsoft",
          "title": "Assigning CNA"
        },
        {
          "category": "faq",
          "text": "For Azure Resource Manager (ARM) customers:\nMicrosoft has deployed a mitigation for this vulnerability across Microsoft‑operated Azure environments. Customers using Azure services hosted by Microsoft are already protected. There is no customer action to take.\nFor Azure Local Disconnected Operations (ALDO) customers:\nTo protect against this vulnerability, customers must update their Azure Local Disconnected Operations (ALDO) environment to the latest available release (version 2604 or later). Updates are not available as standalone patches and must be applied as a full system update through the Azure portal. ALDO is a restricted offering, and updates are only available to approved customers via allow-listing.\nCustomers should follow Microsoft guidance to obtain access and apply the update, using the following documentation:\nHow to deploy Disconnected Operations for Azure Local\nHow to update Disconnected Operations for Azure Local",
          "title": "How do I protect myself from this vulnerability?"
        },
        {
          "category": "faq",
          "text": "An exploited vulnerability can affect resources beyond the security scope managed by the security authority of the vulnerable component. In this case, the vulnerable component and the impacted component are different and managed by different security authorities.",
          "title": "According to the CVSS metric, a successful exploitation could lead to a scope change (S:C). What does this mean for this vulnerability?"
        },
        {
          "category": "faq",
          "text": "An attacker could gain elevated privileges beyond those normally available to them, allowing actions such as accessing restricted information or performing operations that are typically limited to more highly privileged users or administrators.",
          "title": "What privileges could be gained by an attacker who successfully exploited the vulnerability?"
        },
        {
          "category": "faq",
          "text": "The most realistic exploitation scenario involves a malicious or compromised insider with existing access to the customer’s environment.\nAn attacker could exploit this vulnerability if they:\n- Already have access to the internal environment (e.g., an internal user, contractor, or compromised account).\n- Possess or can obtain relevant identity information such as tenant identifiers, user identifiers, credentials, or tokens.\n- Use this access to interact with and attempt exploitation within the Azure Local Disconnected Operations (ALDO) environment.\nBecause an insider or compromised internal identity already satisfies many of the environmental and authentication requirements, they may bypass several of the barriers that would otherwise make exploitation more difficult.\nIn external attacker scenarios, exploitation is significantly more constrained. An attacker would first need to:\n- Gain access to the customer’s internal network (which may require physical presence or prior compromise), and\n- Obtain valid identity context within the environment.\nAdditionally, Azure Local Disconnected Operations is designed to operate in a disconnected and isolated configuration, limiting direct external exposure and reducing the likelihood of opportunistic remote exploitation.",
          "title": "How could an attacker exploit this vulnerability?"
        }
      ],
      "product_status": {
        "fixed": [
          "12443",
          "20844"
        ],
        "known_affected": [
          "1",
          "2"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2026-42822 Azure Local Disconnected Operations (ALDO) Elevation of Privilege Vulnerability - HTML",
          "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-42822"
        },
        {
          "category": "self",
          "summary": "CVE-2026-42822 Azure Local Disconnected Operations (ALDO) Elevation of Privilege Vulnerability - CSAF",
          "url": "https://msrc.microsoft.com/csaf/advisories/2026/msrc_cve-2026-42822.json"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-05-18T07:00:00.000Z",
          "details": "2604.2.25645:Security Update:https://learn.microsoft.com/en-us/azure/azure-local/manage/disconnected-operations-whats-new?view=azloc-2604",
          "product_ids": [
            "1"
          ],
          "url": "https://learn.microsoft.com/en-us/azure/azure-local/manage/disconnected-operations-whats-new?view=azloc-2604"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 10.0,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "environmentalsScore": 0.0,
            "exploitCodeMaturity": "UNPROVEN",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "remediationLevel": "OFFICIAL_FIX",
            "reportConfidence": "CONFIRMED",
            "scope": "CHANGED",
            "temporalScore": 8.7,
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C",
            "version": "3.1"
          },
          "products": [
            "1",
            "2"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Elevation of Privilege"
        },
        {
          "category": "exploit_status",
          "details": "Publicly Disclosed:No;Exploited:No;Latest Software Release:Exploitation More Likely"
        }
      ],
      "title": "Azure Local Disconnected Operations (ALDO) Elevation of Privilege Vulnerability"
    }
  ]
}