Description
Microsoft Defender for Endpoint Linux Extension Remote Code Execution Vulnerability
Improper control of generation of code ('code injection') in Microsoft Defender for Linux allows an unauthorized attacker to execute code over an adjacent network.
FAQ
According to the CVSS metric, the attack vector is local (AV:A). What does that mean for this vulnerability?
An attacker must be authenticated to a Linux VM in the same network subnet as the target in order to exploit this vulnerability.
What action do customers need to take to protect themselves from this vulnerability?
Customers can obtain the fix by ensuring that Microsoft Defender for Endpoint auto‑provisioning is enabled in Defender for Cloud; once enabled, all eligible Linux machines will automatically receive MDE extension version 1.0.9.0.
How do I get the updated Microsoft Defender for Endpoint (MDE) for Linux extension that contains the fix?
The MDE for Linux extension is automatically updated through Azure’s auto‑provisioning mechanism. Customers will receive the updated extension (version 1.0.9.0) once auto‑provisioning is enabled on the subscription. The backend pushes the newest extension to all onboarded VMs without requiring manual action.
You can verify auto-provisioning in Defender for Cloud → Environment Settings → Defender Plans → Servers → Settings, where the MDE auto-provisioning toggle (WDAgent / MDE extension) is located. Customers can select their subscription and confirm whether the provisioning setting is set to On.
If auto‑provisioning was disabled, how do I enable it to receive the fix?
Enable auto‑provisioning under Defender for Cloud. After it is turned on, all eligible machines in the subscription will automatically receive the updated MDE for Linux extension within up to 6 hours. No further steps are needed.
How could an attacker exploit this vulnerability?
An attacker on the same subnet could intercept and respond to the extension’s IMDS request during installation, crafting a malicious JSON response that injects non-sanitized data into a shell command. By doing so, the attacker could cause the installation script to execute arbitrary code as root on the victim’s machine.
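The following is an added illustration, not Microsoft's installation script: it shows the unsafe pattern the FAQ describes (a field from an IMDS JSON response interpolated straight into a shell command) beside a hardened form that allowlists the value and never re-parses it as shell syntax. The field name, value format and command are assumptions; both JSON responses are constructed.

```shell
#!/bin/sh
# Added example (not Microsoft's code). Demonstrates why unsanitized IMDS
# JSON data must not reach a shell command line, and one way to harden it.

# Constructed IMDS-style responses: one benign, one carrying shell
# metacharacters such as a forged responder on the subnet could return.
GOOD_JSON='{"compute":{"location":"eastus","vmId":"1234abcd"}}'
BAD_JSON='{"compute":{"location":"eastus; echo INJECTED","vmId":"1234abcd"}}'

# Minimal extraction of the "location" value (assumed field, no jq needed).
extract_location() {
    printf '%s' "$1" | sed -n 's/.*"location":"\([^"]*\)".*/\1/p'
}

# UNSAFE: the command line is built by string concatenation and handed to
# eval, so any metacharacters in the value become shell syntax.
unsafe_use() {
    loc=$(extract_location "$1")
    eval "echo region=$loc"
}

# SAFE: the value must match a strict allowlist (assumed here: lowercase
# letters and digits only) and is then used as plain data, never re-parsed.
safe_use() {
    loc=$(extract_location "$1")
    case "$loc" in
        ''|*[!a-z0-9]*) echo "rejected IMDS location value" >&2; return 1 ;;
    esac
    echo "region=$loc"
}
```

Running `unsafe_use "$BAD_JSON"` prints an extra INJECTED line, while `safe_use "$BAD_JSON"` rejects the value and returns non-zero; the same allowlist-then-quote discipline applies to every IMDS field a provisioning script consumes.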
Exploitability
Publicly Disclosed
Exploited
Latest Software Release
EPSS
CVSS3: 8.8 High
Related vulnerabilities
Improper control of generation of code ('code injection') in Microsoft Defender for Linux allows an unauthorized attacker to execute code over an adjacent network.
Vulnerability in Microsoft Defender for Endpoint for Linux operating systems, related to improper control of code generation, allowing an attacker to execute arbitrary code
EPSS
CVSS3: 8.8 High