CVE-2026-24291, a newly disclosed privilege escalation vulnerability known as RegPwn, has drawn sharp attention from security experts worldwide. The root cause of this vulnerability is Incorrect Permission Assignment within the Windows Accessibility environment.
It could cause a full system compromise if left unpatched. The issue affects how the Windows Registry is handled, making it a serious security concern.
According to MDSec researchers, at its core, RegPwn exploits how Windows uses accessibility features, such as Narrator or On-Screen Keyboard (osk.exe). These tools can continue to function even on the “Secure Desktop.”
The vulnerability stems from how Windows processes accessibility settings:
- When Windows switches to the lock screen, it loads accessibility features, such as the Narrator or On-Screen Keyboard.
- This allows even a low-privileged user to modify settings under HKEY_CURRENT_USER.
- Later, a core Windows SYSTEM-level process (ATBroker.exe) copies these settings into a higher-privileged registry location.
- An attacker uses a registry symbolic link to reroute this SYSTEM-level write operation, which lets them modify arbitrary registry keys with higher privileges.
When the system transitions to a “Secure Desktop” environment, this vulnerability gets triggered.
Secure Desktop is an isolated environment that allows only trusted processes to run. However, this vulnerability enables threat actors to redirect or hijack system-level processes where registry-related events frequently occur.
MDSec researchers also noticed that attackers can hijack the copy process. The process can be manipulated to overwrite important system registry entries without triggering alerts. As a result, malicious changes can go unnoticed for a long time.
What Lies Ahead
RegPwn has two qualities that attackers value the most: it requires low effort and delivers a high impact. It lowers the barrier for attackers, while raising the stakes for defenders. What makes this vulnerability more dangerous is that it does not require advanced techniques.
For businesses, on the other hand, the takeaway is straightforward: this isn’t a patch to postpone. To address the issue, Microsoft has released a patch for CVE-2026-24291 for Windows 10 and 11. Security teams are advised to apply it without further delay.
In addition, researchers recommend closely monitoring unusual registry activity and paying attention to even minor anomalies, as these may signal a larger issue.
Organizations should also limit user privileges and strengthen endpoint detection to better track and respond to system-level changes.
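The monitoring advice above can be turned into a simple correlation rule: flag any SYSTEM registry write that lands on a key a non-SYSTEM account has turned into a registry symbolic link. The sketch below is an added example, not code from MDSec or Microsoft. The event schema, account names and sample events are constructed, the key path is a placeholder because the article does not give it, and the telemetry is assumed to record the path the process requested rather than the resolved link target.

```python
SYSTEM = "NT AUTHORITY\\SYSTEM"
AT = r"HKLM\<PLACEHOLDER_AT_CONFIG>"  # placeholder: the article does not give the key path


def ev(ts, user, image, op, key, vtype=None):
    """Build one event in a hypothetical normalized registry-telemetry schema."""
    return {"ts": ts, "user": user, "image": image, "op": op, "key": key, "type": vtype}


# Constructed sample telemetry (not real logs).
EVENTS = [
    # Low-privileged user turns a key into a symbolic link, then SYSTEM writes to it.
    ev("2026-01-01T09:00:01", "CORP\\alice", "a.exe", "SetValue", AT + r"\osk", "REG_LINK"),
    ev("2026-01-01T09:00:20", SYSTEM, "ATBroker.exe", "SetValue", AT + r"\OSK", "REG_DWORD"),
    # Ordinary SYSTEM write to a key nobody linked: benign.
    ev("2026-01-01T09:05:00", SYSTEM, "ATBroker.exe", "SetValue", AT + r"\narrator", "REG_DWORD"),
    # Link created and deleted again before SYSTEM writes: no redirection.
    ev("2026-01-01T10:00:00", "CORP\\bob", "b.exe", "SetValue", AT + r"\example", "REG_LINK"),
    ev("2026-01-01T10:00:05", "CORP\\bob", "b.exe", "DeleteKey", AT + r"\example"),
    ev("2026-01-01T10:01:00", SYSTEM, "ATBroker.exe", "SetValue", AT + r"\example", "REG_DWORD"),
]


def find_redirected_writes(events):
    """Return (link_event, write_event) pairs where SYSTEM wrote to, or beneath,
    a key that a non-SYSTEM account had made a symbolic link and not yet deleted."""
    live_links = {}  # lower-cased key path -> event that created the link
    hits = []
    for e in sorted(events, key=lambda x: x["ts"]):  # ISO timestamps sort as text
        key = e["key"].lower()  # registry paths are case-insensitive
        if e["op"] == "DeleteKey":
            live_links.pop(key, None)
        elif e["type"] == "REG_LINK":
            if e["user"] != SYSTEM:
                live_links[key] = e
        elif e["user"] == SYSTEM:
            for link_key, link in live_links.items():
                if key == link_key or key.startswith(link_key + "\\"):
                    hits.append((link, e))
    return hits


if __name__ == "__main__":
    for link, write in find_redirected_writes(EVENTS):
        print(f"ALERT {write['ts']}: {write['image']} (SYSTEM) wrote to {write['key']}, "
              f"a symbolic link created by {link['user']} at {link['ts']}")
```

Only the first pair of sample events raises an alert; the unlinked key and the link that was deleted before the SYSTEM write do not.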