Severity by source
AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Local authenticated user (AV:L/PR:L) must win a timing-sensitive race (AC:H); winning yields SYSTEM-level EoP, so C:H/I:H/A:H with unchanged scope.
Primary rating from Vendor (zoom).
CVSS VectorVendor: zoom
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
2DescriptionCVE.org
A time-of-check to time-of-use (TOCTOU) race condition in the installation and uninstallation process of certain Zoom Clients for Windows could allow an authenticated local user to escalate privileges.
AnalysisAI
Local privilege escalation in certain Zoom Clients for Windows lets an authenticated local user exploit a time-of-check to time-of-use (TOCTOU) race during install/uninstall to gain higher privileges (likely SYSTEM). The flaw was reported by Zoom's own security team and is documented in bulletin ZSB-26012; no public exploit identified at time of analysis and it is not on CISA KEV. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires an authenticated local user (PR:L) with the ability to run code on the target Windows host and to interact with the filesystem while a Zoom Client installation or uninstallation is in progress - the install/uninstall flow is the exact feature that must be executing for the TOCTOU window to exist. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 vector (AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H = 7.0 High) tells a consistent story: an already-authenticated local user with low privileges can, if they win a timing-sensitive race (AC:H), achieve full confidentiality/integrity/availability impact on the host. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A logged-in standard user on a shared or corporate Windows workstation triggers (or waits for) a Zoom install or uninstall that runs with elevated privileges, then races the setup process - swapping a file or redirecting a path between the privileged process's validity check and its use - to have the elevated process act on attacker-controlled content and execute code as SYSTEM. Because AC:H reflects a timing-sensitive race, the attacker likely automates repeated attempts to win the window. … |
| Remediation | Update to the fixed Zoom Client for Windows release identified in Zoom Security Bulletin ZSB-26012 (https://www.zoom.com/en/trust/security-bulletin/zsb-26012); the exact fixed version is not present in the provided data, so confirm it directly from that advisory before deploying - Patch available per vendor advisory. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours, inventory all Zoom Client for Windows deployments and versions across your environment, and audit physical and logical access controls for systems running Zoom to identify shared-access or publicly-accessible endpoints. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same technique Privilege Escalation
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-45045
GHSA-vgcc-2r5p-6qvc