Skip to main content

Applocker Filter Driver CVE-2026-25184

| EUVDEUVD-2026-22367 HIGH
Race Condition (CWE-362)
2026-04-14 microsoft
7.0
CVSS 3.1 · NVD
Temporal: 6.1
Share

Severity by source

NVD PRIMARY
7.0 HIGH
AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
ENISA EUVD
HIGH
qualitative
CIRCL (temporal)
6.1 MEDIUM
cvss

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

6
Re-analysis Queued
Apr 17, 2026 - 15:22 vuln.today
cvss_changed
Analysis Generated
Apr 14, 2026 - 18:50 vuln.today
EUVD ID Assigned
Apr 14, 2026 - 17:46 euvd
EUVD-2026-22367
Analysis Generated
Apr 14, 2026 - 17:46 vuln.today
Patch released
Apr 14, 2026 - 17:46 nvd
Patch available
CVE Published
Apr 14, 2026 - 16:56 nvd
HIGH 7.0

DescriptionCVE.org

Concurrent execution using shared resource with improper synchronization ('race condition') in Applocker Filter Driver (applockerfltr.sys) allows an authorized attacker to elevate privileges locally.

AnalysisAI

Race condition in Microsoft AppLocker Filter Driver (applockerfltr.sys) allows local authenticated users with low privileges to elevate to SYSTEM through improper synchronization of shared resources. Affects Windows 11 (22H2 through 26H1) and Windows Server 2022/2025 editions. Vendor-released patch available as of April 2025 security updates. CVSS 7.0 reflects high attack complexity but complete system compromise if successful. No public exploit identified at time of analysis, though the local privilege escalation vector makes this valuable for post-compromise lateral movement in enterprise environments.

Technical ContextAI

AppLocker Filter Driver (applockerfltr.sys) is a kernel-mode component in Windows that enforces application control policies by intercepting executable launches and script execution. The vulnerability stems from CWE-362 (Race Condition), where concurrent execution paths access shared kernel resources without proper synchronization primitives (mutexes, semaphores, or locks). This creates a time-of-check-time-of-use (TOCTOU) window where an attacker can manipulate driver state between validation and action. As a filter driver operating at kernel level, successful exploitation grants SYSTEM-level privileges. The affected CPE strings indicate this is specific to Windows 11 builds 22H2 (22631.x), 23H2 (22631.x), 24H2 (26100.x), 25H2 (26200.x), 26H1 (28000.x), and Server 2022 23H2 (25398.x) plus Server 2025 (26100.x) across both Desktop Experience and Server Core installations.

RemediationAI

Apply Microsoft's April 2025 security updates immediately to patch the AppLocker Filter Driver race condition. Fixed versions are Windows 11 22H3/23H2 build 10.0.22631.6936 or later, Windows 11 24H2 build 10.0.26100.32690 or later, Windows 11 25H2 build 10.0.26200.8246 or later, Windows 11 26H1 build 10.0.28000.1836 or later, Windows Server 2022 23H2 build 10.0.25398.2274 or later, and Windows Server 2025 build 10.0.26100.32690 or later. Deploy patches through Windows Update, WSUS, or Configuration Manager following standard enterprise patch management procedures. No effective workaround exists as disabling AppLocker removes security controls rather than mitigating the vulnerability. Prioritize systems where AppLocker is actively enforcing application control policies. Verify patch deployment using build number validation and monitor for unusual applockerfltr.sys driver activity through EDR telemetry during rollout window. Full advisory and deployment guidance at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-25184.

Share

CVE-2026-25184 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy