Which SIEM platforms have a CVE-2026-21519 detection rule?

df00tech provides CVE-2026-21519 (Microsoft Windows Type Confusion Vulnerability (CVE-2026-21519)) detection queries for 7 SIEM platforms: Microsoft Sentinel / Defender, Splunk, Elastic Security (EQL), IBM QRadar (AQL), Sumo Logic CSE, Google Chronicle / SecOps, CrowdStrike LogScale (CQL).

What data sources are required to detect Microsoft Windows Type Confusion Vulnerability (CVE-2026-21519) (CVE-2026-21519)?

Detecting Microsoft Windows Type Confusion Vulnerability (CVE-2026-21519) requires the following data sources: Microsoft Sentinel, Microsoft Defender for Endpoint, Windows Security Events.

What severity and confidence is the CVE-2026-21519 detection?

The CVE-2026-21519 detection is rated critical severity with medium confidence.

What are common false positives for CVE-2026-21519?

Common false positives for CVE-2026-21519 include: Legitimate driver installations from third-party security software or hardware vendors; System administrators manually installing services or drivers for maintenance; Software update processes temporarily writing executables to AppData or Temp directories.

CVE-2026-21519

Microsoft Windows Type Confusion Vulnerability (CVE-2026-21519)

Privilege Escalation Defense Evasion Execution Last updated: June 19, 2026

Detects exploitation of CVE-2026-21519, a type confusion vulnerability (CWE-843) in Microsoft Windows. Type confusion vulnerabilities occur when code allocates or initializes a resource using one type but accesses it using an incompatible type, leading to out-of-bounds memory access, arbitrary code execution, or privilege escalation. This CVE is listed on the CISA Known Exploited Vulnerabilities catalog, indicating active exploitation in the wild.

Vulnerability Intelligence

KEV — Known Exploited

CVE

CVE-2026-21519↗ NVD

Affected Software

Vendor: Microsoft
Product: Windows

Weakness (CWE)

CWE-843

Timeline

Disclosed: February 10, 2026

References & Proof of Concept

CVSS

Unscored

Write-up coming soon

What is CVE-2026-21519 Microsoft Windows Type Confusion Vulnerability (CVE-2026-21519)?

Microsoft Windows Type Confusion Vulnerability (CVE-2026-21519) (CVE-2026-21519) maps to the Privilege Escalation and Defense Evasion and Execution tactics — the adversary is trying to gain higher-level permissions in MITRE ATT&CK.

This page provides production-ready detection logic for Microsoft Windows Type Confusion Vulnerability (CVE-2026-21519), covering the data sources and telemetry it touches: Microsoft Sentinel, Microsoft Defender for Endpoint, Windows Security Events. The queries below are rated critical severity at medium confidence, and ship for 7 SIEM platforms — KQL, SPL, Elastic, QRadar, Sumo, YARA-L, LogScale.

MITRE ATT&CK

Tactic: Privilege Escalation Defense Evasion Execution

Microsoft Sentinel / Defender

kusto

union SecurityEvent, DeviceProcessEvents, DeviceEvents
| where TimeGenerated >= ago(7d)
| where (EventID in (4688, 4697, 7045) or ActionType in ("ProcessCreated", "DriverLoad", "ImageLoaded"))
| extend ProcessCmdLine = coalesce(CommandLine, ProcessCommandLine, "")
| extend ParentProcessName = coalesce(ParentProcessName, InitiatingProcessFileName, "")
| where (
    (EventID == 4688 and ProcessCmdLine has_any ("SeDebugPrivilege", "SeImpersonatePrivilege", "SeAssignPrimaryTokenPrivilege"))
    or (ActionType == "DriverLoad" and not(InitiatingProcessFileName has_any ("MsMpEng.exe", "services.exe", "wininit.exe")))
    or (ActionType == "ProcessCreated" and InitiatingProcessFileName in~ ("lsass.exe", "winlogon.exe", "csrss.exe") and not(FileName in~ ("conhost.exe", "werfault.exe")))
    or (EventID == 4697 and ServiceFileName has_any (".tmp", "\\AppData\\", "\\Temp\\"))
)
| extend RiskScore = case(
    ActionType == "DriverLoad" and not(InitiatingProcessFileName has_any ("MsMpEng.exe", "services.exe")), 90,
    ActionType == "ProcessCreated" and InitiatingProcessFileName in~ ("lsass.exe", "winlogon.exe"), 85,
    EventID == 4697 and ServiceFileName has_any (".tmp", "\\AppData\\"), 80,
    60
)
| project TimeGenerated, Computer, AccountName, ProcessName = coalesce(NewProcessName, FileName, ""), ParentProcessName, ProcessCmdLine, ActionType, EventID, RiskScore
| sort by RiskScore desc, TimeGenerated desc

Detects indicators of Windows type confusion exploitation including abnormal privilege token manipulation, suspicious driver loads from non-system processes, unusual child processes spawned by protected system processes, and services installed from temporary locations.

critical severity medium confidence

Data Sources

Microsoft Sentinel Microsoft Defender for Endpoint Windows Security Events

Required Tables

SecurityEvent DeviceProcessEvents DeviceEvents

False Positives

Legitimate driver installations from third-party security software or hardware vendors
System administrators manually installing services or drivers for maintenance
Software update processes temporarily writing executables to AppData or Temp directories
Debugging tools legitimately requesting SeDebugPrivilege during authorized testing

Splunk

spl

index=windows (source="WinEventLog:Security" OR source="WinEventLog:System" OR source="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational")
| eval event_id=coalesce(EventCode, event_id)
| eval process_name=coalesce(Process_Name, process_name, Image)
| eval parent_process=coalesce(Parent_Process_Name, ParentImage)
| eval cmdline=coalesce(Process_Command_Line, CommandLine)
| eval service_file=coalesce(Service_File_Name, ImagePath)
| where (
    (event_id=4688 AND (match(cmdline, "SeDebugPrivilege|SeImpersonatePrivilege|SeAssignPrimaryTokenPrivilege")))
    OR (event_id=7045 AND match(service_file, "(?i)(\\AppData\\|\\Temp\\|\.tmp)"))
    OR (event_id=4697 AND match(service_file, "(?i)(\\AppData\\|\\Temp\\|\.tmp)"))
    OR (event_id=6 AND NOT match(parent_process, "(?i)(MsMpEng\.exe|services\.exe|wininit\.exe|TrustedInstaller\.exe)"))
    OR (event_id=1 AND match(parent_process, "(?i)(lsass\.exe|winlogon\.exe|csrss\.exe)") AND NOT match(process_name, "(?i)(conhost\.exe|werfault\.exe|WerFaultSecure\.exe)"))
)
| eval risk_score=case(
    event_id=6 AND NOT match(parent_process, "(?i)(MsMpEng\.exe|services\.exe)"), 90,
    event_id=1 AND match(parent_process, "(?i)(lsass\.exe|winlogon\.exe)"), 85,
    event_id IN (7045,4697) AND match(service_file, "(?i)(\\AppData\\|\\Temp\\)"), 80,
    true(), 60
)
| table _time, host, user, process_name, parent_process, cmdline, service_file, event_id, risk_score
| sort - risk_score _time

Splunk detection for Windows type confusion exploitation indicators including privilege manipulation, suspicious service installs, driver loads from non-system initiators, and anomalous child processes from protected system processes.

critical severity medium confidence

Data Sources

Splunk Enterprise Security Windows Security Logs Sysmon

Required Sourcetypes

WinEventLog:Security WinEventLog:System XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

Third-party endpoint security products performing legitimate kernel operations
IT administrators deploying software via service installation in non-standard paths
Developer workstations running debugging tools that request elevated privileges
Automated patch management tools writing temporary files before service installation

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
  logsourcename(logsourceid) AS log_source,
  username,
  QIDNAME(qid) AS event_name,
  "Process Name",
  "Parent Process Name",
  "Command",
  "Service File Name",
  magnitude
FROM events
WHERE LOGSOURCETYPENAME(devicetype) IN ('Microsoft Windows Security Event Log', 'Microsoft Windows Sysmon')
  AND (
    (qid IN (8699022, 8699054) /* EventID 4688 / 4697 */
      AND ("Command" ILIKE '%SeDebugPrivilege%'
           OR "Command" ILIKE '%SeImpersonatePrivilege%'
           OR "Service File Name" ILIKE '%\\AppData\\%'
           OR "Service File Name" ILIKE '%\\Temp\\%'
           OR "Service File Name" ILIKE '%.tmp%'))
    OR (CATEGORYNAME(category) = 'Driver Load'
        AND "Process Name" NOT ILIKE '%MsMpEng.exe%'
        AND "Process Name" NOT ILIKE '%services.exe%'
        AND "Process Name" NOT ILIKE '%wininit.exe%')
    OR (CATEGORYNAME(category) = 'Process Launch'
        AND ("Parent Process Name" ILIKE '%lsass.exe%'
             OR "Parent Process Name" ILIKE '%winlogon.exe%'
             OR "Parent Process Name" ILIKE '%csrss.exe%')
        AND "Process Name" NOT ILIKE '%conhost.exe%'
        AND "Process Name" NOT ILIKE '%werfault.exe%')
  )
  AND LAST 7 DAYS
ORDER BY magnitude DESC, devicetime DESC
LIMIT 500

QRadar AQL query detecting Windows type confusion exploitation indicators across Windows Security Event Log and Sysmon sources, filtering for privilege token manipulation, suspicious service paths, unauthorized driver loads, and anomalous process spawning from protected parent processes.

critical severity medium confidence

Data Sources

IBM QRadar Windows Security Event Log Sysmon

Required Tables

events

False Positives

Legitimate endpoint security products triggering driver load events from atypical parent processes
Enterprise software deployment tools that temporarily stage executables in user profile directories
System diagnostics tools that spawn child processes from winlogon or csrss legitimately
Kernel debugging sessions on developer workstations requesting privileged access

Sumo Logic CSE

sql

_sourceCategory=windows/security OR _sourceCategory=windows/sysmon
| parse field=_raw "EventCode=*" as event_id nodrop
| parse field=_raw "Image=*\n" as process_image nodrop
| parse field=_raw "ParentImage=*\n" as parent_image nodrop
| parse field=_raw "CommandLine=*\n" as cmdline nodrop
| parse field=_raw "ImagePath=*\n" as service_path nodrop
| where (
    (event_id in ("4688", "4697", "7045") and (
      cmdline matches "*SeDebugPrivilege*"
      or cmdline matches "*SeImpersonatePrivilege*"
      or service_path matches "*\\AppData\\*"
      or service_path matches "*\\Temp\\*"
      or service_path matches "*.tmp*"
    ))
    or (event_id = "6" and not (process_image matches "*MsMpEng.exe*" or process_image matches "*services.exe*" or process_image matches "*wininit.exe*"))
    or (event_id = "1" and (parent_image matches "*lsass.exe*" or parent_image matches "*winlogon.exe*" or parent_image matches "*csrss.exe*") and not (process_image matches "*conhost.exe*" or process_image matches "*werfault.exe*"))
  )
| eval risk_score = if(event_id = "6" and not (process_image matches "*services.exe*"), 90, if(event_id = "1" and parent_image matches "*lsass.exe*", 85, 60))
| fields _messagetime, _sourceHost, event_id, process_image, parent_image, cmdline, service_path, risk_score
| sort by risk_score, _messagetime

Sumo Logic query detecting CVE-2026-21519 type confusion exploitation indicators via Windows Security and Sysmon logs, identifying privilege abuse, suspicious service file paths, driver loads from untrusted initiators, and anomalous child processes.

critical severity medium confidence

Data Sources

Sumo Logic Windows Security Events Sysmon

Required Tables

windows/security windows/sysmon

False Positives

Legitimate antivirus and EDR products performing kernel-level monitoring operations
Software deployment agents staging installers temporarily in AppData or Temp directories
Helpdesk remote management tools spawning processes under system parent processes
Performance monitoring tools requesting SeDebugPrivilege for authorized process inspection

CrowdStrike LogScale (CQL)

cql

#event_simpleName IN (ProcessRollup2, DriverLoad, ServiceInstall)
| eval process_name = FileName
| eval parent_name = ParentBaseFileName
| eval cmdline = CommandLine
| eval service_path = coalesce(ServiceImagePath, "")
| where (
    (
      #event_simpleName = "ProcessRollup2"
      and parent_name IN ("lsass.exe", "winlogon.exe", "csrss.exe")
      and not process_name IN ("conhost.exe", "WerFault.exe", "WerFaultSecure.exe")
    )
    or (
      #event_simpleName = "ProcessRollup2"
      and (cmdline = "*SeDebugPrivilege*" OR cmdline = "*SeImpersonatePrivilege*")
    )
    or (
      #event_simpleName = "DriverLoad"
      and not parent_name IN ("MsMpEng.exe", "services.exe", "wininit.exe", "TrustedInstaller.exe")
    )
    or (
      #event_simpleName = "ServiceInstall"
      and (service_path = "*\\AppData\\*" OR service_path = "*\\Temp\\*" OR service_path = "*.tmp*")
    )
  )
| eval risk_score = case(
    #event_simpleName = "DriverLoad" and not parent_name IN ("services.exe", "MsMpEng.exe"), 90,
    #event_simpleName = "ProcessRollup2" and parent_name IN ("lsass.exe", "winlogon.exe"), 85,
    #event_simpleName = "ServiceInstall" and service_path = "*\\AppData\\*", 80,
    true(), 60
  )
| table timestamp, ComputerName, UserName, process_name, parent_name, cmdline, service_path, risk_score
| sort -risk_score

CrowdStrike Falcon Query Language detection for CVE-2026-21519 type confusion exploitation indicators, covering abnormal process lineage from protected system processes, privilege token abuse, unauthorized driver loads, and service installation from suspicious paths.

critical severity medium confidence

Data Sources

CrowdStrike Falcon Falcon Data Replicator

Required Tables

ProcessRollup2 DriverLoad ServiceInstall

False Positives

CrowdStrike sensor itself or other security products performing legitimate kernel-level operations
Managed service providers using remote management tools that spawn from system processes
Software defined infrastructure agents temporarily staging binaries in user-profile directories
Penetration testing engagements using authorized exploit frameworks on in-scope systems

Sigma rule & cross-platform mapping

The detection logic for Microsoft Windows Type Confusion Vulnerability (CVE-2026-21519) (CVE-2026-21519) above is provided in a vendor-neutral form so you can deploy it on any SIEM. The same logic is shipped here as native KQL (Microsoft Sentinel / Defender), SPL (Splunk), Elastic (Elastic Security (EQL)), QRadar (IBM QRadar (AQL)), Sumo (Sumo Logic CSE), YARA-L (Google Chronicle / SecOps), LogScale (CrowdStrike LogScale (CQL)) queries. In Sigma terms, this detection targets the following logsource:

logsource:
  category: process_creation
  product: windows

Browse the community-maintained Sigma rules for this technique:

SigmaHQ rules for CVE-2026-21519 Sigma rules on detection.fyi

Platform-specific guides for CVE-2026-21519

Detect in Microsoft Sentinel (KQL) Detect in Splunk (SPL) Detect in Elastic Security (Elastic) Detect in IBM QRadar (QRadar) Detect in Sumo Logic CSE (Sumo) Detect in Google Chronicle (YARA-L) Detect in CrowdStrike LogScale (LogScale)

Last updated: 2026-06-19 Research depth: standard

References (2)

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

Test 1Simulate Anomalous Child Process from Winlogon
Expected signal: Sysmon EventID 1 showing cmd.exe or similar process with an unexpected parent, Windows Security EventID 4688 capturing the new process creation with command line arguments.
Test 2Privilege Token Enumeration via Command Line
Expected signal: Windows Security EventID 4688 with CommandLine containing privilege-related arguments, Sysmon EventID 1 capturing the full process creation with integrity level.
Test 3Suspicious Service Installation from Temp Directory
Expected signal: Windows System EventID 7045 (new service installed) with ServiceImagePath pointing to %TEMP%, Sysmon EventID 13 capturing registry writes for the new service key under HKLM\SYSTEM\CurrentControlSet\Services.
Test 4Unsigned Driver Load Simulation via Sysmon
Expected signal: Sysmon EventID 6 (DriverLoad) with the ImageLoaded path pointing to a non-standard location and the initiating process being a user-mode application rather than services.exe or wininit.exe.

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for CVE-2026-21519 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Related Detections

Tactic Hubs

TA0004Privilege Escalation TA0005Defense Evasion TA0002Execution

Related Techniques

T1068Exploitation for Privilege Escalation T1203Exploitation for Client Execution T1055Process Injection

Vulnerability Intelligence

CVE

Affected Software

Weakness (CWE)

Timeline

References & Proof of Concept

CVSS

What is CVE-2026-21519 Microsoft Windows Type Confusion Vulnerability (CVE-2026-21519)?

MITRE ATT&CK

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Sigma rule & cross-platform mapping

Platform-specific guides for CVE-2026-21519

Testing Methodology

Unlock Pro Content

Related Detections

Tactic Hubs

Related Techniques

Same Tactic: Privilege Escalation

Popular Detections

Get new detections in your inbox