CVE-2022-41125

Exploited in the Wild ✓ Confirmed 0-Day ★ Google Project Zero

Triaged: March 3, 2026 2 articles

VulnLookup ↗ NVD ↗ MITRE ↗ Advisory ↗ P0 Sheet ↗ CISA KEV ↗

EPSS Score

Source: FIRST.org · 2026-05-24

0.7%

probability

This CVE has a 0.7% probability of being exploited in the next 30 days.

0% Top 72.3th percentile of all CVEs 100%

CVSS score unavailable

Neither CIRCL nor NVD returned a CVSS score for this CVE. View on VulnerabilityLookup ↗

Description

Project Zero

CNG Key Isolation Service elevation of privilege

Attack Intelligence

CWE-118 · Incorrect Access of Indexable Resource ('Range Error') CWE-119 · Buffer Overflow CWE-664 · Improper Control of a Resource Through its Lifetime CWE-787 · Out-of-bounds Write

Google Project Zero

Patched

Nov. 8, 2022

Reported by

Microsoft Threat Intelligence Center (MSTIC) and Microsoft Security Response Center (MSRC)

Root Cause Analysis

???

November 2022 Patch Tuesday | Microsoft Releases 65 New Vulnerabilities With 10 Critical; Adobe Releases Zero Advisories (for the First Time in Six Years).

Qualys Nov 08, 2022

Security Advisory 2022-079

CERT-EU Nov 09, 2022

Signal Intelligence

Confidenceⓘ

82%

EPSS 0.7%

Mentions 2

Last Seen Nov 09, 2022

CNA Information

Analyst Note

CVE-2022-41125 is confirmed as a legitimate elevation of privilege vulnerability in Windows CNG Key Isolation Service with a HIGH CVSS score of 7.8. The vulnerability is documented in Google Project Zero and referenced in CERT-EU security advisory 2022-079 regarding exploited 0-days in Microsoft Windows, providing credible external validation of its authenticity and severity.

Triage Info

Decided atMar 03, 2026