Skip to main content

Microsoft CVE-2026-27927

| EUVDEUVD-2026-22479 HIGH
Race Condition (CWE-362)
2026-04-14 microsoft GHSA-xmhh-m2j3-cr44
7.8
CVSS 3.1 · NVD
Temporal: 6.8
Share

Severity by source

NVD PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CIRCL (temporal)
6.8 MEDIUM
cvss

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

6
Re-analysis Queued
Apr 17, 2026 - 15:22 vuln.today
cvss_changed
Analysis Generated
Apr 14, 2026 - 19:17 vuln.today
EUVD ID Assigned
Apr 14, 2026 - 17:46 euvd
EUVD-2026-22479
Analysis Generated
Apr 14, 2026 - 17:46 vuln.today
Patch released
Apr 14, 2026 - 17:46 nvd
Patch available
CVE Published
Apr 14, 2026 - 16:57 nvd
HIGH 7.8

DescriptionCVE.org

Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Projected File System allows an authorized attacker to elevate privileges locally.

AnalysisAI

Privilege escalation in Windows Projected File System across Windows 10, 11, and Server versions allows authenticated local users to gain SYSTEM-level privileges by exploiting a race condition during concurrent file system operations. Affects all currently supported Windows versions from Server 2019 through Windows 11 26H1. Microsoft released patches in their latest security update cycle. No public exploit identified at time of analysis, though the low attack complexity (AC:L) and minimal privil

Technical ContextAI

Windows Projected File System (ProjFS) is a kernel-mode driver that enables user-mode file system providers to project hierarchical data into the file system namespace. The vulnerability stems from a classic time-of-check-time-of-use (TOCTOU) race condition (CWE-362) where multiple threads can concurrently access shared resources without proper synchronization primitives. During concurrent file system operations, an attacker with low-privilege local access can manipulate the timing of operations to bypass security checks that would normally prevent privilege escalation. The race window exists between the validation of permissions and the actual execution of privileged operations, allowing an attacker to substitute malicious data or operations after validation but before execution. This affects the kernel-mode ProjFS driver (projfs.sys) which operates at high privilege levels, making successful exploitation particularly dangerous as it grants complete system compromise.

RemediationAI

Apply Microsoft's security updates immediately through Windows Update or WSUS infrastructure. Patched versions that resolve the race condition include Windows 10 Version 1809 build 10.0.17763.8644 or later, Windows 10 Version 21H2 build 10.0.19044.7184 or later, Windows 10 Version 22H2 build 10.0.19045.7184 or later, Windows 11 Version 22H3/23H2 build 10.0.22631.6936 or later, Windows 11 Version 24H2 build 10.0.26100.32690 or later, Windows 11 Version 25H2 build 10.0.26200.8246 or later, Windows 11 Version 26H1 build 10.0.28000.1836 or later, Windows Server 2019 build 10.0.17763.8644 or later, Windows Server 2022 build 10.0.20348.5020 or later, Windows Server 2022 23H2 Edition build 10.0.25398.2274 or later, and Windows Server 2025 build 10.0.26100.32690 or later. Organizations should prioritize patching systems where local user access is prevalent or where privilege separation is critical to security posture. No effective workarounds exist as the vulnerability resides in core kernel components. Detailed patch information and installation guidance available at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-27927. Monitor systems for unusual elevation of privilege attempts or unexpected SYSTEM-level process creation from low-privilege user contexts during the patch deployment window.

Share

CVE-2026-27927 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy