Skip to main content

Visual Studio Code EUVDEUVD-2026-35536

| CVE-2026-40376 HIGH
Improper Input Validation (CWE-20)
2026-06-09 secure@microsoft.com GHSA-rg3p-gp39-622w
8.1
CVSS 3.1 · NVD
Temporal: 6.5
Share

Severity by source

NVD PRIMARY
8.1 HIGH
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
ENISA EUVD
HIGH
qualitative
CIRCL (temporal)
6.5 MEDIUM
cvss
vuln.today AI
8.1 HIGH

Pre-auth network input handler (AV:N/PR:N/UI:N) with specialised timing/config prerequisites (AC:H) yielding full code-execution-class impact in the user's context (C:H/I:H/A:H, S:U).

3.1 AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

6
Analysis Updated
Jun 11, 2026 - 19:13 vuln.today
v3 (cvss_changed)
Analysis Updated
Jun 11, 2026 - 19:12 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jun 11, 2026 - 19:07 vuln.today
cvss_changed
CVSS changed
Jun 11, 2026 - 19:07 NVD
7.5 (HIGH) 8.1 (HIGH)
Patch available
Jun 09, 2026 - 19:03 EUVD
Analysis Generated
Jun 09, 2026 - 17:33 vuln.today

DescriptionNVD

Improper input validation in Visual Studio Code allows an unauthorized attacker to elevate privileges over a network.

AnalysisAI

Privilege escalation in Microsoft Visual Studio Code versions 1.0.0 through 1.119.0 allows remote unauthenticated attackers to elevate privileges over a network by exploiting improper input validation (CWE-20). Microsoft has released a patched build (1.119.1) and SSVC rates technical impact as total, though EPSS remains low at 0.09% with no public exploit identified at time of analysis.

Technical ContextAI

Visual Studio Code is Microsoft's cross-platform source-code editor built on the Electron framework, which combines Chromium and Node.js to execute web technologies with local OS privileges. The root cause is CWE-20 (Improper Input Validation), meaning the editor accepts data from a network-reachable surface without enforcing expected syntactic, semantic, or length constraints before passing it to a privileged operation. The single CPE microsoft:visual_studio_code:* confirms the desktop editor itself is in scope rather than a specific extension, and the 'Authentication Bypass' tag indicates the malformed input is processed before any identity check is enforced, allowing the attacker's input to reach privileged code paths intended for authenticated users.

RemediationAI

Vendor-released patch: Visual Studio Code 1.119.1 - upgrade all instances to 1.119.1 or later via the in-app auto-updater, MSI/DEB/RPM packages, or your endpoint management tool, using the Microsoft advisory at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-40376 as the authoritative reference. No vendor-supplied workaround is published; compensating controls until rollout completes include disabling Remote Tunnels (settings 'remote.tunnels.access') and Live Share on managed workstations to remove the externally reachable surface (trade-off: blocks remote pair programming and cloud-hosted dev workflows), restricting outbound connections from VS Code processes to known Microsoft endpoints via host firewall (may break marketplace updates if over-restricted), and requiring users to only open trusted workspaces under Workspace Trust (already default, but verify policy enforcement). Cross-reference VulDB entry https://vuldb.com/vuln/369591 for additional triage data.

CVE-2022-41034 HIGH POC
7.8 Oct 11

Visual Studio Code Remote Code Execution Vulnerability. Rated high severity (CVSS 7.8), this vulnerability is no authent

CVE-2022-30129 HIGH POC
8.8 May 10

Visual Studio Code Remote Code Execution Vulnerability. Rated high severity (CVSS 8.8), this vulnerability is remotely e

CVE-2026-47281 CRITICAL
9.6 Jun 09

Privilege escalation in Microsoft Visual Studio Code allows remote unauthenticated attackers to elevate privileges over

CVE-2026-57102 HIGH
8.8 Jul 14

Security-feature bypass in Microsoft Visual Studio Code lets a remote attacker deliver functionality from an untrusted c

CVE-2026-41109 HIGH
8.8 May 12

Improper neutralization of special elements in output used by a downstream component ('injection') in GitHub Copilot and

CVE-2024-43488 CRITICAL
9.8 Oct 08

Missing authentication for critical function in Visual Studio Code extension for Arduino allows an unauthenticated attac

CVE-2026-50520 HIGH
8.4 Jul 14

Local code execution in Microsoft Visual Studio Code stems from a command injection flaw (CWE-77) that lets an attacker

CVE-2026-45482 HIGH
8.4 Jun 09

Security feature bypass via path traversal in GitHub Copilot and Visual Studio Code allows a local unauthorized attacker

CVE-2026-47292 HIGH
7.8 Jun 09

Local privilege elevation in Microsoft Visual Studio Code allows an unprivileged attacker to gain higher privileges on a

CVE-2026-41611 HIGH
7.8 May 12

Improper neutralization of script-related html tags in a web page (basic xss) in Visual Studio Code allows an unauthoriz

CVE-2026-21518 HIGH
8.8 Feb 10

GitHub Copilot and Visual Studio Code are vulnerable to command injection attacks that allow unauthenticated attackers t

CVE-2024-26165 HIGH
8.8 Mar 12

Visual Studio Code Elevation of Privilege Vulnerability. Rated high severity (CVSS 8.8), this vulnerability is remotely

Share

EUVD-2026-35536 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy