Severity by source
AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
6DescriptionCVE.org
Concurrent execution using shared resource with improper synchronization ('race condition') in Applocker Filter Driver (applockerfltr.sys) allows an authorized attacker to elevate privileges locally.
AnalysisAI
Race condition in Microsoft AppLocker Filter Driver (applockerfltr.sys) allows local authenticated users with low privileges to elevate to SYSTEM through improper synchronization of shared resources. Affects Windows 11 (22H2 through 26H1) and Windows Server 2022/2025 editions. Vendor-released patch available as of April 2025 security updates. CVSS 7.0 reflects high attack complexity but complete system compromise if successful. No public exploit identified at time of analysis, though the local privilege escalation vector makes this valuable for post-compromise lateral movement in enterprise environments.
Technical ContextAI
AppLocker Filter Driver (applockerfltr.sys) is a kernel-mode component in Windows that enforces application control policies by intercepting executable launches and script execution. The vulnerability stems from CWE-362 (Race Condition), where concurrent execution paths access shared kernel resources without proper synchronization primitives (mutexes, semaphores, or locks). This creates a time-of-check-time-of-use (TOCTOU) window where an attacker can manipulate driver state between validation and action. As a filter driver operating at kernel level, successful exploitation grants SYSTEM-level privileges. The affected CPE strings indicate this is specific to Windows 11 builds 22H2 (22631.x), 23H2 (22631.x), 24H2 (26100.x), 25H2 (26200.x), 26H1 (28000.x), and Server 2022 23H2 (25398.x) plus Server 2025 (26100.x) across both Desktop Experience and Server Core installations.
RemediationAI
Apply Microsoft's April 2025 security updates immediately to patch the AppLocker Filter Driver race condition. Fixed versions are Windows 11 22H3/23H2 build 10.0.22631.6936 or later, Windows 11 24H2 build 10.0.26100.32690 or later, Windows 11 25H2 build 10.0.26200.8246 or later, Windows 11 26H1 build 10.0.28000.1836 or later, Windows Server 2022 23H2 build 10.0.25398.2274 or later, and Windows Server 2025 build 10.0.26100.32690 or later. Deploy patches through Windows Update, WSUS, or Configuration Manager following standard enterprise patch management procedures. No effective workaround exists as disabling AppLocker removes security controls rather than mitigating the vulnerability. Prioritize systems where AppLocker is actively enforcing application control policies. Verify patch deployment using build number validation and monitor for unusual applockerfltr.sys driver activity through EDR telemetry during rollout window. Full advisory and deployment guidance at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-25184.
Same weakness CWE-362 – Race Condition
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-22367