Severity by source
AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
6DescriptionCVE.org
Time-of-check time-of-use (toctou) race condition in Windows LUAFV allows an authorized attacker to elevate privileges locally.
AnalysisAI
Windows LUAFV driver privilege escalation via TOCTOU race condition allows authenticated local attackers with low privileges to gain SYSTEM-level access across all supported Windows 10, Windows 11, and Windows Server versions (2012 through 2025). The vulnerability requires high attack complexity to exploit the narrow timing window between security checks and file operations. Vendor-released patch available across all affected platforms. No public exploit identified at time of analysis, though th
Technical ContextAI
Windows LUAFV (LUA File Virtualization) is a kernel-mode filter driver implementing User Account Control (UAC) file and registry virtualization for legacy applications running under standard user contexts. This CWE-367 time-of-check time-of-use race condition occurs when LUAFV performs security validation on a file object, but an attacker can modify the target between the authorization check and the actual file operation. The timing window allows substitution of a privileged resource (such as a system file or registry key) after LUAFV validates access but before the operation executes. Successful exploitation requires precise timing to win the race condition, accounting for the AC:H (high attack complexity) rating. The vulnerability affects the core Windows security boundary between standard user and elevated contexts, making it a critical local privilege escalation vector across CPE-identified products spanning Windows 10 1607 (released 2016) through Windows 11 26H1 and Windows Server 2025.
RemediationAI
Apply Microsoft security updates immediately to patch the LUAFV race condition. For Windows 10 1607, update to build 10.0.14393.9060 or later. For Windows 10 1809, update to build 10.0.17763.8644 or later. For Windows 10 21H2 and 22H2, update to builds 10.0.19044.7184 and 10.0.19045.7184 respectively. Windows 11 22H3 and 23H2 require build 10.0.22631.6936 or later, while 24H2 and 25H2 require builds 10.0.26100.32690 and 10.0.26200.8246 respectively. Windows 11 26H1 requires build 10.0.28000.1836 or later. Windows Server 2012 and 2012 R2 require builds 6.2.9200.26026 and 6.3.9600.23132 respectively. Windows Server 2016, 2019, 2022, and 2025 require builds 10.0.14393.9060, 10.0.17763.8644, 10.0.20348.5020, and 10.0.26100.32690 respectively. Deploy patches through Windows Update, WSUS, or SCCM following standard change management procedures. No effective workarounds exist for kernel-level TOCTOU conditions without disabling LUAFV entirely, which would break UAC virtualization for legacy applications. Detailed patch information available at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-27929.
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-22483
GHSA-fqv3-v28j-57fx