Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
6DescriptionCVE.org
Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Projected File System allows an authorized attacker to elevate privileges locally.
AnalysisAI
Privilege escalation in Windows Projected File System across Windows 10, 11, and Server versions allows authenticated local users to gain SYSTEM-level privileges by exploiting a race condition during concurrent file system operations. Affects all currently supported Windows versions from Server 2019 through Windows 11 26H1. Microsoft released patches in their latest security update cycle. No public exploit identified at time of analysis, though the low attack complexity (AC:L) and minimal privil
Technical ContextAI
Windows Projected File System (ProjFS) is a kernel-mode driver that enables user-mode file system providers to project hierarchical data into the file system namespace. The vulnerability stems from a classic time-of-check-time-of-use (TOCTOU) race condition (CWE-362) where multiple threads can concurrently access shared resources without proper synchronization primitives. During concurrent file system operations, an attacker with low-privilege local access can manipulate the timing of operations to bypass security checks that would normally prevent privilege escalation. The race window exists between the validation of permissions and the actual execution of privileged operations, allowing an attacker to substitute malicious data or operations after validation but before execution. This affects the kernel-mode ProjFS driver (projfs.sys) which operates at high privilege levels, making successful exploitation particularly dangerous as it grants complete system compromise.
RemediationAI
Apply Microsoft's security updates immediately through Windows Update or WSUS infrastructure. Patched versions that resolve the race condition include Windows 10 Version 1809 build 10.0.17763.8644 or later, Windows 10 Version 21H2 build 10.0.19044.7184 or later, Windows 10 Version 22H2 build 10.0.19045.7184 or later, Windows 11 Version 22H3/23H2 build 10.0.22631.6936 or later, Windows 11 Version 24H2 build 10.0.26100.32690 or later, Windows 11 Version 25H2 build 10.0.26200.8246 or later, Windows 11 Version 26H1 build 10.0.28000.1836 or later, Windows Server 2019 build 10.0.17763.8644 or later, Windows Server 2022 build 10.0.20348.5020 or later, Windows Server 2022 23H2 Edition build 10.0.25398.2274 or later, and Windows Server 2025 build 10.0.26100.32690 or later. Organizations should prioritize patching systems where local user access is prevalent or where privilege separation is critical to security posture. No effective workarounds exist as the vulnerability resides in core kernel components. Detailed patch information and installation guidance available at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-27927. Monitor systems for unusual elevation of privilege attempts or unexpected SYSTEM-level process creation from low-privilege user contexts during the patch deployment window.
Same weakness CWE-362 – Race Condition
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-22479
GHSA-xmhh-m2j3-cr44