Skip to main content

Zoom Client CVE-2026-53410

| EUVDEUVD-2026-45045 HIGH
Time-of-check Time-of-use (TOCTOU) Race Condition (CWE-367)
2026-07-16 security@zoom.us GHSA-vgcc-2r5p-6qvc
7.0
CVSS 3.1 · Vendor: zoom
Share

Severity by source

Vendor (zoom) PRIMARY
7.0 HIGH
AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
7.0 HIGH

Local authenticated user (AV:L/PR:L) must win a timing-sensitive race (AC:H); winning yields SYSTEM-level EoP, so C:H/I:H/A:H with unchanged scope.

3.1 AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
4.0 AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (zoom).

CVSS VectorVendor: zoom

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

2
Analysis Generated
Jul 16, 2026 - 21:32 vuln.today
CVE Published
Jul 16, 2026 - 21:17 cve.org
HIGH 7.0

DescriptionCVE.org

A time-of-check to time-of-use (TOCTOU) race condition in the installation and uninstallation process of certain Zoom Clients for Windows could allow an authenticated local user to escalate privileges.

AnalysisAI

Local privilege escalation in certain Zoom Clients for Windows lets an authenticated local user exploit a time-of-check to time-of-use (TOCTOU) race during install/uninstall to gain higher privileges (likely SYSTEM). The flaw was reported by Zoom's own security team and is documented in bulletin ZSB-26012; no public exploit identified at time of analysis and it is not on CISA KEV. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Authenticate as local low-priv user
Delivery
Trigger or await Zoom install/uninstall
Exploit
Win TOCTOU race on validated resource
Execution
Redirect operation to attacker-controlled content
Persist
Privileged installer executes as SYSTEM
Impact
Escalate to full host control

Vulnerability AssessmentAI

Exploitation Exploitation requires an authenticated local user (PR:L) with the ability to run code on the target Windows host and to interact with the filesystem while a Zoom Client installation or uninstallation is in progress - the install/uninstall flow is the exact feature that must be executing for the TOCTOU window to exist. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector (AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H = 7.0 High) tells a consistent story: an already-authenticated local user with low privileges can, if they win a timing-sensitive race (AC:H), achieve full confidentiality/integrity/availability impact on the host. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A logged-in standard user on a shared or corporate Windows workstation triggers (or waits for) a Zoom install or uninstall that runs with elevated privileges, then races the setup process - swapping a file or redirecting a path between the privileged process's validity check and its use - to have the elevated process act on attacker-controlled content and execute code as SYSTEM. Because AC:H reflects a timing-sensitive race, the attacker likely automates repeated attempts to win the window. …
Remediation Update to the fixed Zoom Client for Windows release identified in Zoom Security Bulletin ZSB-26012 (https://www.zoom.com/en/trust/security-bulletin/zsb-26012); the exact fixed version is not present in the provided data, so confirm it directly from that advisory before deploying - Patch available per vendor advisory. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours, inventory all Zoom Client for Windows deployments and versions across your environment, and audit physical and logical access controls for systems running Zoom to identify shared-access or publicly-accessible endpoints. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-53410 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy