Severity by source
AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Primary rating from Vendor (CSA).
CVSS VectorVendor: CSA
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
5DescriptionCVE.org
Successful exploitation of the race condition vulnerability could allow an attacker to trigger a kernel heap overflow, potentially leading to local privilege escalation and granting system-level access to the affected software.
AnalysisAI
A race condition in WinFsp enables local privilege escalation to SYSTEM through kernel heap overflow. Authenticated local attackers with low privileges can exploit this timing vulnerability to corrupt kernel memory and execute code at the highest privilege level. Patch available in WinFsp v2.2B1 per vendor release notes. EPSS data not available; no CISA KEV listing indicates exploitation not yet confirmed in the wild, though the vulnerability affects a Windows kernel-mode driver used for file system development.
Technical ContextAI
WinFsp (Windows File System Proxy) is a kernel-mode driver framework that allows developers to create user-mode file systems on Windows, similar to FUSE on Linux. This vulnerability stems from a race condition - a timing-dependent flaw where concurrent operations on shared kernel memory can lead to inconsistent state. When successfully exploited, the race window allows heap memory corruption in kernel space, specifically a heap-based buffer overflow. The CPE string identifies the vulnerable component as the WinFsp project itself across unspecified versions prior to the fix. Race conditions in kernel drivers are particularly dangerous because they operate with SYSTEM privileges and can be difficult to exploit reliably but devastating when successful. Without CWE classification, the root cause class is inferred as CWE-362 (Concurrent Execution using Shared Resource with Improper Synchronization) combined with CWE-122 (Heap-based Buffer Overflow).
RemediationAI
Upgrade to WinFsp version 2.2B1 or later, available from the official GitHub release page at https://github.com/winfsp/winfsp/releases/tag/v2.2B1. The v2.2B1 release specifically addresses this race condition vulnerability. Installation requires administrative privileges and may necessitate system restart to replace the kernel driver. Organizations should test the update in non-production environments first, as kernel driver updates carry inherent stability risks. For systems where immediate patching is not feasible, implement compensating controls: restrict local user access to trusted accounts only, disable unnecessary user accounts with PR:L (low privilege) access, enable audit logging for privilege escalation attempts (Windows Event IDs 4672, 4673, 4674), and monitor for unusual kernel-mode driver loading. Note that these mitigations only reduce attack surface and do not eliminate the vulnerability - they trade operational flexibility for temporary risk reduction until patching is completed. Review the CSA advisory for any additional vendor-specific guidance.
Same weakness CWE-362 – Race Condition
View allSame technique Buffer Overflow
View allVendor StatusVendor
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-25755