MSRC compact vulnerability detail

CVE-2026-23651 · Microsoft ACI Confidential Containers Elevation of Privilege Vulnerability

Permissive regular expression in Azure Compute Gallery allows an authorized attacker to elevate privileges locally.

Severity: Critical
Impact: Elevation of Privilege
CVSS: 6.7 base · 6.0 temporal
Release: 2026-03-05
Signals: Azure Compute Gallery Elevation of Privilege · Exploited: No · Publicly disclosed: No · Exploitability: Exploitation Less Likely
CWE
Description
Permissive regular expression in Azure Compute Gallery allows an authorized attacker to elevate privileges locally.
FAQ
Why are there no links to an update or instructions with steps that must be taken to protect from this vulnerability?

This vulnerability has been mitigated by Microsoft in the Azure Confidential ACI service. No service update, patch, reboot, or upgrade is required.

In Azure Confidential ACI scenarios, customers are responsible for enforcing existing Confidential Compute security policies. Customers should verify that their policies enforce the documented minimum Security Version Number (SVN) for the Utility VM (UVM), as described in the Confidential ACI configuration guidance. If a customer determines that their policy configuration does not align with the published minimum SVN guidance, correcting the configuration is part of normal policy enforcement and not a remediation action introduced by this CVE. No additional customer action is required beyond adherence to existing guidance.

Please refer to the following for more information: https://github.com/microsoft/confidential-aci-examples/blob/main/docs/Confidential_ACI_SCHEME.md