What CVSS S:C Means for CVE-2026-27928: Changed Scope and Tenant Cross-Access

  • Thread Author
[Diagram: Windows Hello between Tenant A and Tenant B]
In CVSS v3.x terms, S:C means the vulnerability has a changed scope: a successful exploit can cross a security boundary and affect something outside the vulnerable component's own authorization context. In plain English, the attacker is not just influencing the Windows Hello component itself; they may be able to break out and impact a different security domain, such as another user's or tenant's data and applications. Microsoft's own CVSS guidance explains that a changed scope score is used when exploitation "can start in one place" and "jump to another place," and in this case the description specifically says the attacker could gain the ability to interact with other tenants' applications and content.
For CVE-2026-27928, that means the practical risk is cross-boundary access, not just a local failure inside the Windows Hello feature. If exploited, the issue could let an attacker operate in a context that should have remained isolated, which is why Microsoft frames the impact as access to other tenant content rather than a simple feature malfunction. That distinction matters because scope change raises the severity of the bug: the vulnerability's consequences extend beyond the component that actually contains the flaw, and the CVSS v3.1 formula reflects this by using a different impact sub-score, higher Privileges Required weights, and a 1.08 multiplier when S:C is set, so the same vector scores higher with S:C than with S:U.
So the short answer is: S:C indicates the vulnerability can affect resources outside the intended trust boundary, potentially letting an attacker reach data or applications belonging to another tenant or security context. In Microsoft's wording, that is exactly the kind of scenario where exploitation crosses from the vulnerable feature into other protected assets.

Source: MSRC Security Update Guide - Microsoft Security Response Center