Memory Corruption
Monthly
Out-of-bounds write in the Zephyr RTOS ADIN2111/ADIN1110 single-pair Ethernet driver (eth_adin2111.c) lets an attacker on the same 10BASE-T1S/T1L segment corrupt kernel memory by sending an oversized frame in OPEN Alliance SPI mode. Because per-chunk length and chunk count (up to 255) come straight off the wire with no bounds check on the reassembly cursor, the RX offload thread writes attacker-controlled bytes-up to ~14.8 KB-past the fixed 1524-byte static buffer, enabling denial of service and potentially remote code execution. There is no public exploit identified at time of analysis; the flaw was introduced in commit 0ca8b0756b1 and shipped in v3.7.0 through v4.4.0.
Heap buffer over-read in the ngx_http_ssi_module of NGINX Open Source and NGINX Plus lets an unauthenticated man-in-the-middle attacker who can control upstream responses corrupt worker-process memory or crash the worker, but only in the non-default configuration combining Server-Side Includes, proxy_pass, and proxy_buffering off. The impact is confined to the data plane with no control-plane exposure, yielding limited memory modification and worker restarts (denial of service) rather than full code execution. No public exploit identified at time of analysis, though a vendor patch is available and the flaw carries a CVSS 4.0 score of 8.3.
Use-after-free in ImageMagick's FreeType integration path allows remote denial of service against image processing pipelines using vulnerable 6.x or 7.x releases. When FreeType initialization fails during an image processing operation, the affected code path neglects to exit cleanly and continues referencing already-freed memory, causing process corruption or crash. No public exploit identified at time of analysis; the CVSS 4.0 score of 6.3 with AC:H and AT:P reflects meaningful preconditions required to trigger the failure path.
Illustrator is affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
Illustrator is affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
Illustrator is affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
Arbitrary code execution in Adobe Bridge is possible through an out-of-bounds write (CWE-787) triggered when a victim opens a maliciously crafted file, running attacker code in the context of the current user. All versions covered by Adobe advisory APSB26-81 are affected, and while there is no public exploit identified at time of analysis, the local user-interaction attack pattern is consistent with weaponized document/asset lures. The CVSS 7.8 (High) rating reflects full confidentiality, integrity, and availability impact once a victim is socially engineered into opening the file.
Arbitrary code execution in Adobe Bridge results from an out-of-bounds write (CWE-787) that a victim triggers by opening a malicious file, running attacker-supplied code with the privileges of the current user. The flaw is local (AV:L) and requires user interaction, so it is a client-side, file-borne bug rather than a remotely reachable service vulnerability. No public exploit identified at time of analysis and it is not listed in CISA KEV; Adobe patched it in advisory APSB26-81.
Arbitrary code execution in Adobe Bridge is possible when a victim opens a maliciously crafted file, triggering an out-of-bounds write (CWE-787) that executes attacker-controlled code in the context of the current user. The flaw affects Adobe Bridge as reported by Adobe (advisory APSB26-81) and is rated CVSS 7.8; no public exploit identified at time of analysis and it is not listed in CISA KEV. Exploitation is local and hinges entirely on user interaction - the victim must open the malicious file.
Use after free in UI in Google Chrome on Linux prior to 150.0.7871.125 allowed a remote attacker who convinced a user to engage in specific UI gestures to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
Inappropriate implementation in V8 in Google Chrome prior to 150.0.7871.125 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
Use after free in Skia in Google Chrome prior to 150.0.7871.125 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)
Use after free in Core in Google Chrome on Windows prior to 150.0.7871.125 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)
Use after free in GPU in Google Chrome on Android prior to 150.0.7871.125 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)
Use after free in Ozone in Google Chrome prior to 150.0.7871.125 allowed a remote attacker who convinced a user to engage in specific UI gestures to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Critical)
Use after free in Ozone in Google Chrome on Linux prior to 150.0.7871.125 allowed a remote attacker who convinced a user to engage in specific UI gestures to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Critical)
Arbitrary code execution in Adobe After Effects arises from an out-of-bounds write (CWE-787) that runs in the context of the current user when a victim opens a maliciously crafted project or media file. Adobe (via advisory APSB26-78) confirms the flaw; there is no public exploit identified at time of analysis and it is not listed in CISA KEV. The 7.8 CVSS reflects high impact tempered by the local vector and required user interaction.
Arbitrary code execution in Adobe After Effects arises from an out-of-bounds write (CWE-787) triggered when a victim opens a maliciously crafted project or media file, running attacker code with the privileges of the current user. Adobe self-reported the flaw in advisory APSB26-78; there is no public exploit identified at time of analysis and it is not listed in CISA KEV. The CVSS 7.8 (High) rating reflects high confidentiality, integrity, and availability impact but is gated by required user interaction and local file delivery.
Arbitrary code execution in Adobe Premiere Pro via an out-of-bounds write (CWE-787) that lets an attacker run code in the context of the current user when a victim opens a maliciously crafted project or media file. The flaw is memory-corruption based and file-driven, requiring user interaction rather than network exposure; there is no public exploit identified at time of analysis and it is not listed in CISA KEV. EPSS data was not provided, but the local, user-interaction-gated vector places this in the file-format/client-side attack category typical of Adobe desktop products.
Arbitrary code execution in Adobe Premiere Pro is possible when a victim opens a maliciously crafted project or media file, triggering an out-of-bounds write (CWE-787) that runs attacker code in the context of the current user. The flaw was reported by Adobe (advisory APSB26-76) and carries a CVSS 3.1 base score of 7.8 (local vector, requires user interaction). There is no public exploit identified at time of analysis and it is not listed in CISA KEV, so risk is currently driven by the ease of social-engineering a user into opening a booby-trapped file.
Arbitrary code execution in Adobe Media Encoder is possible through an out-of-bounds write triggered when a victim opens a maliciously crafted media file, running attacker code in the context of the current user. The flaw was reported by Adobe and is addressed in advisory APSB26-72; there is no public exploit identified at time of analysis and it is not listed in CISA KEV. Exploitation hinges on user interaction (opening the file) and yields high impact to confidentiality, integrity, and availability.
Arbitrary code execution in Adobe Media Encoder is possible when a victim opens a maliciously crafted media file, triggering an out-of-bounds write (CWE-787) that runs attacker code in the context of the current user. The flaw is local and requires user interaction, so it is not remotely wormable, but successful exploitation grants full compromise of the user's session. There is no public exploit identified at time of analysis and it is not listed in CISA KEV; Adobe published advisory APSB26-72 addressing the issue.
Arbitrary code execution in Adobe Media Encoder arises from an out-of-bounds write (CWE-787) that lets a crafted media file corrupt memory and run attacker-controlled code in the context of the current user. Any user who opens a malicious file in the affected desktop application is at risk, with full loss of confidentiality, integrity, and availability on the host. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Arbitrary code execution in Adobe Audition arises from an out-of-bounds write (CWE-787) triggered when a victim opens a maliciously crafted media/project file, allowing an attacker to run code in the context of the current user. The flaw is Adobe-reported (advisory APSB26-71) and carries a CVSS 7.8 (High) rating; there is no public exploit identified at time of analysis and it is not listed in CISA KEV. Because exploitation is local and requires user interaction, weaponization depends on social engineering rather than remote automated attack.
Arbitrary code execution in Adobe Audition arises from an out-of-bounds write (CWE-787) triggered when a victim opens a maliciously crafted media/project file, letting an attacker run code with the privileges of the current user. The CVSS 3.1 base score is 7.8 (local vector, requires user interaction), and no public exploit has been identified at time of analysis. Reported by Adobe via advisory APSB26-71.
Arbitrary code execution in Adobe Audition arises from an out-of-bounds write (memory corruption) that runs in the context of the current user when a victim opens a maliciously crafted media/project file. All affected versions covered by Adobe advisory APSB26-71 are impacted, and while no public exploit has been identified at time of analysis, the local attack vector with required user interaction makes it a classic file-format weaponization risk. The CVSS 7.8 (High) reflects full confidentiality, integrity, and availability impact once the file is opened.
Arbitrary code execution in Adobe Audition arises from an out-of-bounds write (CWE-787) triggered when a victim opens a maliciously crafted media/project file, letting an attacker run code in the context of the current user. The flaw was reported by Adobe and is documented in advisory APSB26-71; there is no public exploit identified at time of analysis and it is not listed in CISA KEV. Because exploitation is local and requires user interaction, it is a file-format/client-side memory-corruption issue rather than a remotely-triggerable server flaw.
Arbitrary code execution in Adobe Audition arises from an out-of-bounds write (CWE-787) triggered when a user opens a maliciously crafted media/project file, letting an attacker run code with the privileges of the current user. Affects Adobe Audition and was reported by Adobe under advisory APSB26-71. No public exploit identified at time of analysis, and it is not listed in CISA KEV; EPSS not provided.
Local privilege escalation in the Microsoft Windows Client-Side Caching (CSC) Service, driven by a use-after-free (CWE-416) memory-corruption flaw affecting Windows 10 (1607 through 22H2), Windows 11 (24H2/25H2/26H1), and Windows Server 2012 through 2025. An authorized attacker who already holds low-level privileges (PR:L) on the host can trigger the freed-object reuse to gain elevated, likely SYSTEM-level, privileges. The issue was reported by Microsoft with a patch available; there is no public exploit identified at time of analysis and no CISA KEV listing.
Local privilege escalation in the Windows 11 (version 26H1) Desktop Window Manager (DWM) allows an authenticated low-privileged user to gain SYSTEM-level control by exploiting a use-after-free (CWE-416) memory-corruption flaw. Reported by Microsoft and carrying a CVSS 3.1 score of 7.8, the flaw grants full confidentiality, integrity, and availability impact once triggered locally. There is no public exploit identified at time of analysis, and it is not listed in CISA KEV, but DWM EoP bugs are a historically favored post-compromise primitive.
Local privilege escalation in the Desktop Window Manager (DWM) component of Windows 11 version 26H1 allows an authenticated local attacker to elevate to SYSTEM by triggering a use-after-free memory corruption condition. The CVSS 3.1 vector (AV:L/PR:L) confirms an already-authenticated low-privileged user is required, and full compromise of confidentiality, integrity, and availability follows successful exploitation. Microsoft has released a patch; there is no public exploit identified at time of analysis and the flaw is not listed in CISA KEV.
Local privilege escalation in the Windows Win32K kernel-mode subsystem allows an authenticated attacker to elevate to SYSTEM by exploiting a use-after-free (CWE-416) memory-corruption condition. The flaw affects a broad range of supported Windows client and server releases (Windows 10 1607 through Windows 11 26H1, and Windows Server 2016 through 2025). Reported by Microsoft with a patch available; there is no public exploit identified at time of analysis and it is not listed in CISA KEV.
Local privilege escalation in the Windows DirectX graphics subsystem allows an authenticated attacker with low privileges to elevate to SYSTEM by triggering a use-after-free (CWE-416) memory-corruption condition. The flaw affects a broad range of Windows client and server releases from Windows 10 1607 through Windows 11 26H1 and Windows Server 2012 through Server 2025. There is no public exploit identified at time of analysis, and it is not listed in CISA KEV; the CVSS 3.1 base score is 7.0 (High), tempered by high attack complexity.
Remote code execution in Windows Remote Desktop Services (RDS) allows an authenticated network attacker to run arbitrary code by triggering a use-after-free (CWE-416) memory corruption condition. The flaw affects a broad range of currently-supported Windows client and server builds - Windows 10 21H2/22H2, Windows 11 24H2/25H2/26H1, and Windows Server 2022/2025 (including Server Core). It was reported by Microsoft with a CVSS 8.8 rating; there is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the network vector combined with only low-privilege requirements makes it a strong patch priority.
Local privilege escalation in Microsoft Windows Sensor Data Service arises from a use-after-free (CWE-416) memory corruption flaw that an already-authenticated attacker can trigger to run code at higher privilege. It affects a broad range of client and server builds (Windows 10 1607 through Windows 11 26H1, and Windows Server 2016 through 2025). Reported by Microsoft with a patch available; no public exploit identified at time of analysis, and the CVSS:3.1 score is 7.0 (High).
Local privilege escalation in the Windows Cloud Files Mini Filter Driver (cldflt.sys) lets an authenticated low-privileged user corrupt kernel memory to gain SYSTEM-level control. The flaw is a use-after-free (CWE-416) affecting a broad range of Windows client and server builds from Windows 10 1809 through Windows 11 26H1 and Windows Server 2019-2025. Microsoft has released a patch; there is no public exploit identified at time of analysis and it is not listed in CISA KEV.
Local privilege escalation in the Windows Desktop Window Manager (DWM) Core Library allows an authenticated attacker to gain SYSTEM-level privileges by triggering a type-confusion (CWE-843) condition. The flaw affects a broad range of supported Windows client and server releases from Windows 10 1607 through Windows 11 26H1 and Windows Server 2016 through 2025. Reported internally by Microsoft with a vendor patch available; no public exploit identified at time of analysis.
Elevation of privilege in Microsoft Windows Management Services lets a low-privileged local user corrupt memory through a use-after-free (CWE-416) and gain higher privileges on Windows 11 (24H2, 25H2, 26H1) and Windows Server 2025. A successful exploit yields high confidentiality, integrity, and availability impact, but the CVSS vector marks high attack complexity, reflecting the race-condition timing typically needed to win a use-after-free. Microsoft has released a patch; there is no public exploit identified at time of analysis and it is not listed in CISA KEV.
Local privilege escalation in the Windows Cloud Files Mini Filter Driver (cldflt.sys) allows an authenticated low-privileged user to elevate to SYSTEM by triggering a use-after-free memory corruption condition. The flaw affects a broad range of Windows client and server releases (Windows 10 1809 through Windows 11 26H1, and Windows Server 2019 through 2025) and was reported by Microsoft. There is no public exploit identified at time of analysis and the CVE is not listed in CISA KEV.
Local privilege escalation in Microsoft's NAT Helper Components (ipnathlp.dll), the driver behind Internet Connection Sharing and NAT translation on Windows 11 (24H2, 25H2, 26H1) and Windows Server 2025. An authenticated attacker who already has low-privilege access can exploit a use-after-free memory corruption bug to run code at higher privilege (SYSTEM). No public exploit identified at time of analysis, and it is not listed in CISA KEV, but Microsoft has released a patch.
Denial of service in Microsoft .NET (versions 8.0, 9.0, and 10.0) allows a remote, unauthenticated attacker to crash or hang affected applications by triggering a type-confusion condition (CWE-843) over the network. The flaw was reported by Microsoft and a vendor patch is available via MSRC; there is no public exploit identified at time of analysis. The CVSS vector limits impact strictly to availability (A:H, C:N/I:N), meaning it is a service-disruption bug rather than a code-execution or data-exposure issue despite tag noise suggesting otherwise.
Local privilege escalation in the Windows Ancillary Function Driver for WinSock (AFD.sys) allows an authenticated low-privileged user to elevate to SYSTEM by triggering a use-after-free (CWE-416) in the kernel-mode driver. All actively serviced Windows client (10 1607 through 11 26H1) and Server (2012 through 2025) editions are affected, and Microsoft has released patches. There is no public exploit identified at time of analysis, and the flaw is not listed in CISA KEV.
Elevation of privilege in the Windows Hyper-V virtual network switch (VMSwitch) lets an authenticated attacker operating from a guest partition corrupt kernel memory via a use-after-free and gain higher privileges, with a scope change (S:C) indicating a guest-to-host escape. Rated CVSS 9.9 and affecting a broad range of Windows client and server releases from Windows 10 1607 through Windows 11 26H1 and Windows Server 2012 through 2025, this issue was reported by Microsoft and has a vendor patch available. No public exploit is identified at time of analysis and it is not listed in CISA KEV.
Remote code execution in the Windows SMB Server network transport driver (srvnet.sys) lets an unauthenticated network attacker win a use-after-free race to run arbitrary code, affecting Windows 10, Windows 11, and Windows Server 2012 through 2025. Per its CVSS vector the flaw requires user interaction and high attack complexity, so exploitation is non-trivial rather than a trivial wormable hit. This was reported by Microsoft, a vendor patch is available, and there is no public exploit identified at time of analysis.
Local privilege escalation in the Microsoft Windows Kernel allows an authenticated attacker to elevate to SYSTEM by exploiting a use-after-free (CWE-416) memory corruption condition, spanning Windows 10 (1607 through 22H2), Windows 11 (24H2/25H2/26H1), and Windows Server 2016 through 2025. Reported by Microsoft with a CVSS 3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N), the flaw grants full confidentiality, integrity, and availability impact on the local system. No public exploit identified at time of analysis, and it is not listed in CISA KEV; a vendor patch is available.
Local privilege escalation in the Microsoft Windows Kernel (CWE-416 use-after-free) lets an already-authenticated low-privilege user corrupt kernel memory and gain SYSTEM-level control across a broad range of Windows 10, Windows 11, and Windows Server 2016 through 2025 builds. Microsoft self-reported the flaw and has shipped a patch through the Update Guide; there is no public exploit identified at time of analysis and it is not listed in CISA KEV. With CVSS 7.8 (AV:L/PR:L) it is a classic Patch-Tuesday local EoP suitable as a second-stage primitive after initial access.
Local privilege escalation in the Windows MIDI Service Module affects Windows 11 versions 24H2, 25H2, and 26H1, where a use-after-free (CWE-416) memory corruption lets an already-authorized local user run code with elevated privileges. Microsoft rates it CVSS 7.0 and has released a patch; there is no public exploit identified at time of analysis and it is not listed in CISA KEV. Exploitation is non-trivial due to high attack complexity and requires the attacker to already hold low-level local privileges.
Local privilege escalation in the Windows MIDI Service Module affects Windows 11 versions 24H2, 25H2, and 26H1, where a use-after-free (CWE-416) memory-corruption flaw lets an already-authenticated local user elevate to higher privileges. Exploitation requires winning a race condition (high attack complexity), and Microsoft has released a fix; no public exploit identified at time of analysis. Rated CVSS 7.0 with full confidentiality, integrity, and availability impact once triggered.
Local privilege elevation in the Windows WebView component affects a broad range of currently-supported Windows client and server builds (Windows 10 1809 through Windows 11 26H1, and Windows Server 2019/2022/2025). By triggering a use-after-free (CWE-416) memory-corruption condition, an already-authenticated low-privilege attacker can execute code in a higher-privilege context, yielding full confidentiality, integrity, and availability impact on the local system. Microsoft has released a patch; there is no public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Local privilege escalation in Microsoft XML Core Services (MSXML) lets a low-privileged, authorized attacker on a Windows host reclaim a freed object (use-after-free, CWE-416) to run code at elevated privilege. It affects a broad Windows footprint spanning Windows 10 1607 and Server 2012 through Windows 11 26H1 and Server 2025, including Server Core installations. Microsoft reported the flaw, a patch is available, and there is no public exploit identified at time of analysis; CISA SSVC currently rates exploitation as none.
Arbitrary code execution in Microsoft Office Excel arises from a use-after-free (CWE-416) memory-corruption flaw affecting Microsoft 365 Apps for Enterprise, Office 2019, Office LTSC 2021/2024, Office for Mac, and Office Online Server. The CVSS 3.1 vector (AV:L/UI:R) makes this a user-interaction-dependent, locally-scoped issue: a victim must open a maliciously crafted Excel workbook, after which the attacker gains code execution in the user's security context. No public exploit is identified at time of analysis and it is not listed in CISA KEV, but a vendor patch is available.
Type confusion (CWE-843) in Microsoft SQL Server 2025 enables authenticated, low-privileged network attackers to disclose sensitive server-side information. The CVSS vector (AV:N/PR:L/C:H) confirms that any authorized database user - regardless of their data access permissions - can potentially trigger the flaw remotely with no user interaction required. No public exploit code or CISA KEV listing exists at time of analysis, but the high confidentiality impact and low access complexity make patching a meaningful priority for organizations running SQL Server 2025.
Local code execution in Microsoft Office Word (CWE-416 use-after-free) allows an unauthorized attacker to run arbitrary code in the context of the current user when a victim opens a maliciously crafted document. The flaw affects a broad Office footprint including Microsoft 365 Apps for Enterprise, Office 2019, Office LTSC 2021/2024 (Windows and Mac), and related SharePoint Server products that process Word documents. Microsoft has released a patch; no public exploit has been identified at time of analysis, and neither KEV nor EPSS/POC signals were provided in the input.
Local code execution in Microsoft Office Word (across Microsoft 365 Apps, Office 2019/LTSC 2021/2024, Office for Mac, and Word 2016) allows an attacker to run arbitrary code by exploiting a use-after-free memory corruption flaw when a victim opens a maliciously crafted document. The CVSS 3.1 base score is 7.8 with a local attack vector requiring user interaction; there is no public exploit identified at time of analysis and the flaw is not listed in CISA KEV. Microsoft, which reported the issue itself, has released a patch.
Local code execution in Microsoft Excel (Microsoft 365 Apps, Office 2019/LTSC 2021/2024, Office for Mac, and Office Online Server) arises from a type-confusion flaw (CWE-843) in how Excel parses spreadsheet content. An attacker who convinces a victim to open a malicious workbook can run arbitrary code in the context of the current user, gaining high confidentiality, integrity, and availability impact. Reported by Microsoft with a patch available; there is no public exploit identified at time of analysis and it is not listed in CISA KEV.
Local arbitrary code execution in Microsoft Office (2016, 2019, LTSC 2021/2024, Microsoft 365 Apps for Enterprise, and Office for Mac 2021/2024) arises from a type-confusion flaw (CWE-843) that lets an attacker run code in the context of the current user when a victim opens a crafted file. The CVSS 3.1 base score is 7.8 (AV:L/AC:L/PR:N/UI:R) reflecting local vector with required user interaction and high impact to confidentiality, integrity, and availability. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but a vendor patch is available via MSRC.
Local code execution in Microsoft Office (2016, 2019, LTSC 2021/2024, Microsoft 365 Apps for Enterprise, and Office for Mac) stems from a use-after-free memory corruption (CWE-416) that an attacker triggers when a victim opens a maliciously crafted document. Rated CVSS 7.8 with high confidentiality, integrity, and availability impact, exploitation requires user interaction but no prior authentication, letting an attacker run arbitrary code in the context of the current user. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but Microsoft has released a fix, so patching should be prioritized during the normal Patch Tuesday cycle.
Local code execution in Microsoft Excel (Office 2016 through LTSC 2024, Microsoft 365 Apps, and Mac editions) allows an attacker to run arbitrary code by tricking a user into opening a maliciously crafted spreadsheet that triggers a type-confusion condition in Excel's file parser. The CVSS 3.1 score is 7.8 (High) with the local vector reflecting file-open exploitation rather than remote-network access, and success requires user interaction. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.
Local code execution in Microsoft Office (2016, 2019, LTSC 2021/2024, Microsoft 365 Apps, and Office for Mac 2021/2024) arises from a use-after-free memory corruption flaw that an attacker triggers by convincing a user to open a maliciously crafted Office document. Successful exploitation runs arbitrary code in the context of the current user, yielding full confidentiality, integrity, and availability impact on the host. There is no public exploit identified at time of analysis and the flaw is not listed in CISA KEV; Microsoft has published a patch via MSRC.
Local code execution in Microsoft Office (2016, 2019, LTSC 2021/2024, Microsoft 365 Apps, and the macOS editions) arises from a use-after-free memory-corruption flaw (CWE-416) that lets an attacker run arbitrary code in the context of the current user after the victim opens a maliciously crafted document. The CVSS 3.1 base score is 7.8 (AV:L/AC:L/PR:N/UI:R) with high impact to confidentiality, integrity, and availability, and requires user interaction. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but a vendor patch is available via MSRC.
Local code execution in Microsoft Office Excel (across Microsoft 365 Apps for Enterprise, Office 2019, Office LTSC 2021/2024, and their macOS equivalents) arises from a use-after-free (CWE-416) memory-corruption flaw triggered when a user opens a maliciously crafted spreadsheet. The CVSS vector (AV:L/AC:L/PR:N/UI:R) indicates an unauthenticated attacker can achieve full confidentiality, integrity, and availability impact but requires the victim to open a file, making it a classic phishing-delivered client-side bug. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, though Excel memory-corruption bugs are historically attractive targets.
Local code execution in Microsoft Office (including Microsoft 365 Apps for Enterprise, Office 2016/2019, and Office LTSC 2021/2024) stems from a use-after-free memory-corruption flaw (CWE-416). An attacker who convinces a user to open a specially crafted Office document can execute arbitrary code in the context of the current user, gaining full confidentiality, integrity, and availability impact. Exploitation requires user interaction (opening a malicious file) and there is no public exploit identified at time of analysis.
Local code execution in the Windows DHCP Client service stems from a use-after-free (CWE-416) memory-corruption flaw affecting a broad range of Windows 10, Windows 11, and Windows Server releases (Server 2012 through Server 2025). Per the CVSS vector an unauthenticated attacker with local access can achieve high-impact code execution with no user interaction. There is no public exploit identified at time of analysis and it is not listed in CISA KEV; Microsoft has released a patch through the MSRC update guide.
Local privilege escalation in the Windows Clipboard Server (Cliprdr/RDP clipboard virtual channel service) affects a broad range of Windows 10, Windows 11, and Windows Server builds (from 1809 through 11 26H1 and Server 2025). An authenticated local attacker who can trigger a use-after-free (CWE-416) in the service can corrupt memory to run code at elevated (SYSTEM-level) privilege. There is no public exploit identified at time of analysis, and the issue is not listed in CISA KEV; Microsoft has released a patch.
Remote code execution in Microsoft Windows OLE (Object Linking and Embedding) allows an unauthorized network attacker to run arbitrary code by triggering a type-confusion condition (CWE-843) in the OLE component. The flaw affects a broad range of client and server SKUs from Windows 10 1607 through Windows 11 26H1 and Windows Server 2012 R2 through Server 2025, and carries a CVSS 8.1 (High) rating. No privileges or authentication are required per the CVSS vector, though the high attack complexity (AC:H) means exploitation depends on winning a specific timing or memory-state condition; there is no public exploit identified at time of analysis and it is not on CISA KEV.
Local privilege escalation in the Windows Kernel lets an already-authenticated, low-privileged attacker on Windows 11 (24H2, 25H2, 26H1) and Windows Server 2025 corrupt kernel memory via a use-after-free and gain SYSTEM-level control. The CVSS 3.1 score of 8.8 is elevated by a scope change (S:C), reflecting that kernel compromise crosses the boundary from user context to the OS itself. Microsoft has released a patch; no public exploit identified at time of analysis and the flaw is not listed in CISA KEV.
Local privilege escalation in the Microsoft Windows Kernel allows an authenticated attacker to gain SYSTEM-level control by exploiting a use-after-free (CWE-416) memory corruption condition. The flaw affects a broad range of Windows client and server builds - from Windows 10 1607 through Windows 11 26H1 and Windows Server 2012 through Server 2025 - and was reported by Microsoft with a patch available. There is no public exploit identified at time of analysis, and it is not listed in CISA KEV; the CVSS 3.1 base score is 7.8 (AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H).
Local privilege escalation in Microsoft Windows Media (a component shipping in Windows 11 versions 24H2, 25H2, and 26H1) lets an authenticated local attacker execute code at elevated privilege by triggering a use-after-free (CWE-416) memory-corruption condition. Reported by Microsoft with a vendor patch available, it carries CVSS 7.8 (High) and can yield full confidentiality, integrity, and availability compromise of the host. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.
Local privilege escalation in Microsoft's Windows USB Print Driver stems from a use-after-free (CWE-416) memory corruption flaw affecting Windows 11 (24H2, 25H2, 26H1) and Windows Server 2025. A low-privileged authenticated attacker who can execute code on the host and win a memory-timing race can corrupt kernel memory to gain higher (SYSTEM-level) privileges. Microsoft has released a patch; there is no public exploit identified at time of analysis and it is not listed in CISA KEV, so exploitation is not currently observed in the wild.
Local privilege escalation in Microsoft Windows NTFS (New Technology File System) driver lets an already-authenticated low-privileged user corrupt kernel memory via a use-after-free (CWE-416) and elevate to SYSTEM. The flaw affects a broad Windows client and server matrix (Windows 10 1809 through Windows 11 26H1, Windows Server 2019/2022/2025). It has no public exploit identified at time of analysis and is not on CISA KEV, but as a Microsoft-reported, patched NTFS kernel bug it is a routine patch-priority item on standard Patch Tuesday cycles.
Privilege escalation in the Windows Remote Access Connection Manager (RasMan) service lets an authenticated, low-privileged attacker corrupt memory over the network to gain higher privileges on affected Windows 10, 11, and Server systems. The flaw is a CWE-416 use-after-free carrying a CVSS 8.8 with high impact to confidentiality, integrity, and availability. Microsoft has released a patch; there is no public exploit identified at time of analysis and it is not listed in CISA KEV.
Remote code execution in the Microsoft Windows Message Queuing (MSMQ) service arises from a use-after-free (CWE-416) memory-corruption flaw that an authenticated attacker can trigger across a network to run arbitrary code in the service context. It affects a broad range of supported Windows client and server releases from Windows 10 1607 and Windows Server 2012 through Windows 11 26H1 and Windows Server 2025 wherever the MSMQ component is enabled. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but Microsoft rates it CVSS 7.5 and has released a fix.
Local privilege escalation in the Windows Installer (msiexec) service across Windows 10, Windows 11, and Windows Server 2012 through 2025 allows an already-authenticated local user to gain higher privileges by triggering a use-after-free memory-corruption condition. No public exploit has been identified at time of analysis, and it is not listed in CISA KEV, but Microsoft has published a patch. The high CVSS complexity (AC:H) indicates exploitation requires winning a race or meeting specific timing/heap conditions rather than being trivially reliable.
Privilege escalation in the Windows Netlogon service allows an already-authenticated, low-privileged network attacker to elevate to higher privileges by exploiting a use-after-free (CWE-416) memory-corruption condition. The flaw affects a broad range of Windows client and server releases from Windows 10 1607 and Windows Server 2012 through Windows 11 26H1 and Windows Server 2025, including Server Core installations. Reported by Microsoft with a vendor patch available; there is no public exploit identified at time of analysis and it is not listed in CISA KEV.
Network-based privilege elevation in Microsoft Windows DNS (Windows 11 24H2/25H2/26H1 and Windows Server 2025) stems from a use-after-free memory corruption condition that an unauthenticated remote attacker can exploit to gain elevated privileges with full confidentiality, integrity, and availability impact. The flaw requires no prior authentication or user interaction (PR:N/UI:N) but carries high attack complexity (AC:H), meaning reliable exploitation depends on winning a race or satisfying a specific memory-state timing window. Microsoft self-reported the issue and has shipped a patch; no public exploit identified at time of analysis and it is not currently listed in CISA KEV.
Elevation of privilege in the Windows Runtime (WinRT) component affects Windows 10 (21H2/22H2), Windows 11 (24H2/25H2/26H1), and Windows Server 2025, where a use-after-free memory-corruption flaw lets an already-authenticated local user run code at higher privilege. Microsoft has released a patch and reported the issue; there is no public exploit identified at time of analysis and the CVE is not listed in CISA KEV. Given the CVSS 7.8 (Important) rating and full C/I/A impact, this is a standard local privilege-escalation risk suited for regular patch prioritization rather than emergency response.
Local privilege escalation in the Windows Graphics Kernel component allows an authenticated attacker to elevate to SYSTEM by triggering a use-after-free (CWE-416) memory-corruption condition. All currently supported Windows client and server builds are affected - from Windows 10 1809 through Windows 11 26H1 and Windows Server 2019 through 2025. No public exploit identified at time of analysis; Microsoft has released a patch, and the CVSS 7.8 (Important) rating reflects high impact but a local-access, low-privilege prerequisite.
Local privilege escalation in the Microsoft Windows Kernel lets an authenticated attacker who already has low-privileged code execution on a host elevate to SYSTEM by exploiting a use-after-free (CWE-416) memory corruption. It affects a broad range of supported Windows client and server builds - Windows 10 (1809/21H2/22H2), Windows 11 (24H2/25H2/26H1), and Windows Server 2019/2022/2025 - and Microsoft has released a patch. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, so exploitation appears unproven publicly despite the reliably-exploitable nature of kernel UAF flaws.
Local privilege escalation in the Microsoft Windows Kernel arises from a use-after-free (CWE-416) memory-corruption flaw that lets an attacker running code on the machine gain higher privileges, potentially SYSTEM. It affects a broad range of current Windows client and server builds (Windows 10 21H2/22H2, Windows 11 24H2/25H2/26H1, Windows Server 2022/2025). No public exploit identified at time of analysis, but the local attack surface and full CIA impact make it a standard Patch-Tuesday-class kernel EoP worth prompt patching.
Local privilege escalation in the Windows Backup Engine affects Windows 10 (21H2, 22H2) and Windows 11 (24H2, 25H2, 26H1), where a use-after-free (CWE-416) memory-corruption flaw lets an already-authorized local user with low privileges elevate to higher rights. No public exploit identified at time of analysis, and it is not listed in CISA KEV; Microsoft rates it 7.0 (High), reflecting meaningful impact tempered by high attack complexity. Successful exploitation grants full confidentiality, integrity, and availability impact on the affected host.
Local privilege escalation in Microsoft Windows (Windows 10 1607 through Windows 11 26H1 and Windows Server 2012 through 2025) arises from a use-after-free memory-corruption flaw (CWE-416) that lets an already-authenticated local user run code at elevated privilege. The CVSS 3.1 base score is 7.8 with a scope-changed vector, and Microsoft has shipped a fix via MSRC. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV, so exploitation is currently theoretical rather than observed.
Local privilege escalation in the Windows Brokering File System affects Windows 11 24H2/25H2/26H1 and Windows Server 2025, where a use-after-free (CWE-416) lets an already-authenticated local user corrupt memory to elevate to higher privileges (typically SYSTEM). Microsoft has released a patch and rates it 7.8 (High). There is no public exploit identified at time of analysis and it is not listed in CISA KEV.
Remote code execution in Microsoft's Remote Desktop Client (the RDP client, mstsc.exe, shipped across Windows 10, Windows 11, and Windows Server 2012 through 2025) allows an unauthorized attacker to run arbitrary code over the network by triggering a use-after-free memory-corruption condition. Exploitation requires the victim to connect to an attacker-controlled or compromised RDP endpoint (UI:R), after which the malicious server can corrupt client-side memory to achieve full code execution. There is no public exploit identified at time of analysis and the CVE is not listed in CISA KEV; a vendor patch is available from Microsoft.
Use after free in Windows Virtual Filtering Platform (VFP) allows an authorized attacker to deny service over a network.
Local privilege escalation in the Windows Runtime (WinRT) component of Windows 10, Windows 11, and Windows Server allows an authenticated attacker to run arbitrary code with elevated (SYSTEM-level) privileges by triggering a use-after-free memory-corruption condition (CWE-416). Microsoft has released a patch, but there is no public exploit identified at time of analysis and the flaw is not listed in CISA KEV. The CVSS 3.1 score of 7.8 (High) with a fully local vector reflects meaningful post-compromise impact but requires the attacker to already have a foothold on the host.
Remote code execution in the Microsoft Message Queuing (MSMQ) Queue Manager affects a broad range of Windows client and server releases, from Windows 10 1607 and Windows Server 2012 through Windows 11 26H1 and Windows Server 2025. An unauthenticated network attacker who can reach the MSMQ service (TCP 1801) can trigger a use-after-free (CWE-416) in the Queue Manager to execute arbitrary code in the service context. There is no public exploit identified at time of analysis and the flaw is not listed in CISA KEV, but the high CVSS (8.1), network attack vector, and lack of any authentication requirement make patched deployment urgent; exploitation is tempered by the High attack complexity (AC:H).
Local privilege escalation in the Windows Brokering File System component affects Windows 11 (24H2, 25H2, 26H1) and Windows Server 2025, where a use-after-free memory corruption (CWE-416) lets an already-authenticated local user elevate to higher privileges. Microsoft rates it CVSS 7.8 with full confidentiality, integrity, and availability impact, and has released a patch. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.
Use after free in Windows Cloud Files Mini Filter Driver allows an authorized attacker to elevate privileges with a physical attack.
Local privilege escalation in the Windows Connected User Experiences and Telemetry service (DiagTrack) lets an already-authenticated user run arbitrary code with SYSTEM-level rights by triggering a CWE-843 type-confusion condition. The flaw affects a broad range of currently-supported Windows client and server builds, from Windows 10 1607 through Windows 11 26H1 and Windows Server 2016 through 2025. Microsoft has released a patch; there is no public exploit identified at time of analysis and the CVE is not listed in CISA KEV.
Local privilege escalation in the Microsoft Windows Content Delivery Manager component lets an authenticated low-privileged user elevate to SYSTEM by triggering a use-after-free (CWE-416) memory-corruption condition. The flaw affects a broad range of client and server builds (Windows 10 1809 through Windows 11 26H1, plus Server 2019 and Server 2025), and Microsoft has released a patch. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.
Out-of-bounds write in the Zephyr RTOS ADIN2111/ADIN1110 single-pair Ethernet driver (eth_adin2111.c) lets an attacker on the same 10BASE-T1S/T1L segment corrupt kernel memory by sending an oversized frame in OPEN Alliance SPI mode. Because per-chunk length and chunk count (up to 255) come straight off the wire with no bounds check on the reassembly cursor, the RX offload thread writes attacker-controlled bytes-up to ~14.8 KB-past the fixed 1524-byte static buffer, enabling denial of service and potentially remote code execution. There is no public exploit identified at time of analysis; the flaw was introduced in commit 0ca8b0756b1 and shipped in v3.7.0 through v4.4.0.
Heap buffer over-read in the ngx_http_ssi_module of NGINX Open Source and NGINX Plus lets an unauthenticated man-in-the-middle attacker who can control upstream responses corrupt worker-process memory or crash the worker, but only in the non-default configuration combining Server-Side Includes, proxy_pass, and proxy_buffering off. The impact is confined to the data plane with no control-plane exposure, yielding limited memory modification and worker restarts (denial of service) rather than full code execution. No public exploit identified at time of analysis, though a vendor patch is available and the flaw carries a CVSS 4.0 score of 8.3.
Use-after-free in ImageMagick's FreeType integration path allows remote denial of service against image processing pipelines using vulnerable 6.x or 7.x releases. When FreeType initialization fails during an image processing operation, the affected code path neglects to exit cleanly and continues referencing already-freed memory, causing process corruption or crash. No public exploit identified at time of analysis; the CVSS 4.0 score of 6.3 with AC:H and AT:P reflects meaningful preconditions required to trigger the failure path.
Illustrator is affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
Illustrator is affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
Illustrator is affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
Arbitrary code execution in Adobe Bridge is possible through an out-of-bounds write (CWE-787) triggered when a victim opens a maliciously crafted file, running attacker code in the context of the current user. All versions covered by Adobe advisory APSB26-81 are affected, and while there is no public exploit identified at time of analysis, the local user-interaction attack pattern is consistent with weaponized document/asset lures. The CVSS 7.8 (High) rating reflects full confidentiality, integrity, and availability impact once a victim is socially engineered into opening the file.
Arbitrary code execution in Adobe Bridge results from an out-of-bounds write (CWE-787) that a victim triggers by opening a malicious file, running attacker-supplied code with the privileges of the current user. The flaw is local (AV:L) and requires user interaction, so it is a client-side, file-borne bug rather than a remotely reachable service vulnerability. No public exploit identified at time of analysis and it is not listed in CISA KEV; Adobe patched it in advisory APSB26-81.
Arbitrary code execution in Adobe Bridge is possible when a victim opens a maliciously crafted file, triggering an out-of-bounds write (CWE-787) that executes attacker-controlled code in the context of the current user. The flaw affects Adobe Bridge as reported by Adobe (advisory APSB26-81) and is rated CVSS 7.8; no public exploit identified at time of analysis and it is not listed in CISA KEV. Exploitation is local and hinges entirely on user interaction - the victim must open the malicious file.
Use after free in UI in Google Chrome on Linux prior to 150.0.7871.125 allowed a remote attacker who convinced a user to engage in specific UI gestures to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
Inappropriate implementation in V8 in Google Chrome prior to 150.0.7871.125 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
Use after free in Skia in Google Chrome prior to 150.0.7871.125 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)
Use after free in Core in Google Chrome on Windows prior to 150.0.7871.125 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)
Use after free in GPU in Google Chrome on Android prior to 150.0.7871.125 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)
Use after free in Ozone in Google Chrome prior to 150.0.7871.125 allowed a remote attacker who convinced a user to engage in specific UI gestures to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Critical)
Use after free in Ozone in Google Chrome on Linux prior to 150.0.7871.125 allowed a remote attacker who convinced a user to engage in specific UI gestures to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Critical)
Arbitrary code execution in Adobe After Effects arises from an out-of-bounds write (CWE-787) that runs in the context of the current user when a victim opens a maliciously crafted project or media file. Adobe (via advisory APSB26-78) confirms the flaw; there is no public exploit identified at time of analysis and it is not listed in CISA KEV. The 7.8 CVSS reflects high impact tempered by the local vector and required user interaction.
Arbitrary code execution in Adobe After Effects arises from an out-of-bounds write (CWE-787) triggered when a victim opens a maliciously crafted project or media file, running attacker code with the privileges of the current user. Adobe self-reported the flaw in advisory APSB26-78; there is no public exploit identified at time of analysis and it is not listed in CISA KEV. The CVSS 7.8 (High) rating reflects high confidentiality, integrity, and availability impact but is gated by required user interaction and local file delivery.
Arbitrary code execution in Adobe Premiere Pro via an out-of-bounds write (CWE-787) that lets an attacker run code in the context of the current user when a victim opens a maliciously crafted project or media file. The flaw is memory-corruption based and file-driven, requiring user interaction rather than network exposure; there is no public exploit identified at time of analysis and it is not listed in CISA KEV. EPSS data was not provided, but the local, user-interaction-gated vector places this in the file-format/client-side attack category typical of Adobe desktop products.
Arbitrary code execution in Adobe Premiere Pro is possible when a victim opens a maliciously crafted project or media file, triggering an out-of-bounds write (CWE-787) that runs attacker code in the context of the current user. The flaw was reported by Adobe (advisory APSB26-76) and carries a CVSS 3.1 base score of 7.8 (local vector, requires user interaction). There is no public exploit identified at time of analysis and it is not listed in CISA KEV, so risk is currently driven by the ease of social-engineering a user into opening a booby-trapped file.
Arbitrary code execution in Adobe Media Encoder is possible through an out-of-bounds write triggered when a victim opens a maliciously crafted media file, running attacker code in the context of the current user. The flaw was reported by Adobe and is addressed in advisory APSB26-72; there is no public exploit identified at time of analysis and it is not listed in CISA KEV. Exploitation hinges on user interaction (opening the file) and yields high impact to confidentiality, integrity, and availability.
Arbitrary code execution in Adobe Media Encoder is possible when a victim opens a maliciously crafted media file, triggering an out-of-bounds write (CWE-787) that runs attacker code in the context of the current user. The flaw is local and requires user interaction, so it is not remotely wormable, but successful exploitation grants full compromise of the user's session. There is no public exploit identified at time of analysis and it is not listed in CISA KEV; Adobe published advisory APSB26-72 addressing the issue.
Arbitrary code execution in Adobe Media Encoder arises from an out-of-bounds write (CWE-787) that lets a crafted media file corrupt memory and run attacker-controlled code in the context of the current user. Any user who opens a malicious file in the affected desktop application is at risk, with full loss of confidentiality, integrity, and availability on the host. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Arbitrary code execution in Adobe Audition arises from an out-of-bounds write (CWE-787) triggered when a victim opens a maliciously crafted media/project file, allowing an attacker to run code in the context of the current user. The flaw is Adobe-reported (advisory APSB26-71) and carries a CVSS 7.8 (High) rating; there is no public exploit identified at time of analysis and it is not listed in CISA KEV. Because exploitation is local and requires user interaction, weaponization depends on social engineering rather than remote automated attack.
Arbitrary code execution in Adobe Audition arises from an out-of-bounds write (CWE-787) triggered when a victim opens a maliciously crafted media/project file, letting an attacker run code with the privileges of the current user. The CVSS 3.1 base score is 7.8 (local vector, requires user interaction), and no public exploit has been identified at time of analysis. Reported by Adobe via advisory APSB26-71.
Arbitrary code execution in Adobe Audition arises from an out-of-bounds write (memory corruption) that runs in the context of the current user when a victim opens a maliciously crafted media/project file. All affected versions covered by Adobe advisory APSB26-71 are impacted, and while no public exploit has been identified at time of analysis, the local attack vector with required user interaction makes it a classic file-format weaponization risk. The CVSS 7.8 (High) reflects full confidentiality, integrity, and availability impact once the file is opened.
Arbitrary code execution in Adobe Audition arises from an out-of-bounds write (CWE-787) triggered when a victim opens a maliciously crafted media/project file, letting an attacker run code in the context of the current user. The flaw was reported by Adobe and is documented in advisory APSB26-71; there is no public exploit identified at time of analysis and it is not listed in CISA KEV. Because exploitation is local and requires user interaction, it is a file-format/client-side memory-corruption issue rather than a remotely-triggerable server flaw.
Arbitrary code execution in Adobe Audition arises from an out-of-bounds write (CWE-787) triggered when a user opens a maliciously crafted media/project file, letting an attacker run code with the privileges of the current user. Affects Adobe Audition and was reported by Adobe under advisory APSB26-71. No public exploit identified at time of analysis, and it is not listed in CISA KEV; EPSS not provided.
Local privilege escalation in the Microsoft Windows Client-Side Caching (CSC) Service, driven by a use-after-free (CWE-416) memory-corruption flaw affecting Windows 10 (1607 through 22H2), Windows 11 (24H2/25H2/26H1), and Windows Server 2012 through 2025. An authorized attacker who already holds low-level privileges (PR:L) on the host can trigger the freed-object reuse to gain elevated, likely SYSTEM-level, privileges. The issue was reported by Microsoft with a patch available; there is no public exploit identified at time of analysis and no CISA KEV listing.
Local privilege escalation in the Windows 11 (version 26H1) Desktop Window Manager (DWM) allows an authenticated low-privileged user to gain SYSTEM-level control by exploiting a use-after-free (CWE-416) memory-corruption flaw. Reported by Microsoft and carrying a CVSS 3.1 score of 7.8, the flaw grants full confidentiality, integrity, and availability impact once triggered locally. There is no public exploit identified at time of analysis, and it is not listed in CISA KEV, but DWM EoP bugs are a historically favored post-compromise primitive.
Local privilege escalation in the Desktop Window Manager (DWM) component of Windows 11 version 26H1 allows an authenticated local attacker to elevate to SYSTEM by triggering a use-after-free memory corruption condition. The CVSS 3.1 vector (AV:L/PR:L) confirms an already-authenticated low-privileged user is required, and full compromise of confidentiality, integrity, and availability follows successful exploitation. Microsoft has released a patch; there is no public exploit identified at time of analysis and the flaw is not listed in CISA KEV.
Local privilege escalation in the Windows Win32K kernel-mode subsystem allows an authenticated attacker to elevate to SYSTEM by exploiting a use-after-free (CWE-416) memory-corruption condition. The flaw affects a broad range of supported Windows client and server releases (Windows 10 1607 through Windows 11 26H1, and Windows Server 2016 through 2025). Reported by Microsoft with a patch available; there is no public exploit identified at time of analysis and it is not listed in CISA KEV.
Local privilege escalation in the Windows DirectX graphics subsystem allows an authenticated attacker with low privileges to elevate to SYSTEM by triggering a use-after-free (CWE-416) memory-corruption condition. The flaw affects a broad range of Windows client and server releases from Windows 10 1607 through Windows 11 26H1 and Windows Server 2012 through Server 2025. There is no public exploit identified at time of analysis, and it is not listed in CISA KEV; the CVSS 3.1 base score is 7.0 (High), tempered by high attack complexity.
Remote code execution in Windows Remote Desktop Services (RDS) allows an authenticated network attacker to run arbitrary code by triggering a use-after-free (CWE-416) memory corruption condition. The flaw affects a broad range of currently-supported Windows client and server builds - Windows 10 21H2/22H2, Windows 11 24H2/25H2/26H1, and Windows Server 2022/2025 (including Server Core). It was reported by Microsoft with a CVSS 8.8 rating; there is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the network vector combined with only low-privilege requirements makes it a strong patch priority.
Local privilege escalation in Microsoft Windows Sensor Data Service arises from a use-after-free (CWE-416) memory corruption flaw that an already-authenticated attacker can trigger to run code at higher privilege. It affects a broad range of client and server builds (Windows 10 1607 through Windows 11 26H1, and Windows Server 2016 through 2025). Reported by Microsoft with a patch available; no public exploit identified at time of analysis, and the CVSS:3.1 score is 7.0 (High).
Local privilege escalation in the Windows Cloud Files Mini Filter Driver (cldflt.sys) lets an authenticated low-privileged user corrupt kernel memory to gain SYSTEM-level control. The flaw is a use-after-free (CWE-416) affecting a broad range of Windows client and server builds from Windows 10 1809 through Windows 11 26H1 and Windows Server 2019-2025. Microsoft has released a patch; there is no public exploit identified at time of analysis and it is not listed in CISA KEV.
Local privilege escalation in the Windows Desktop Window Manager (DWM) Core Library allows an authenticated attacker to gain SYSTEM-level privileges by triggering a type-confusion (CWE-843) condition. The flaw affects a broad range of supported Windows client and server releases from Windows 10 1607 through Windows 11 26H1 and Windows Server 2016 through 2025. Reported internally by Microsoft with a vendor patch available; no public exploit identified at time of analysis.
Elevation of privilege in Microsoft Windows Management Services lets a low-privileged local user corrupt memory through a use-after-free (CWE-416) and gain higher privileges on Windows 11 (24H2, 25H2, 26H1) and Windows Server 2025. A successful exploit yields high confidentiality, integrity, and availability impact, but the CVSS vector marks high attack complexity, reflecting the race-condition timing typically needed to win a use-after-free. Microsoft has released a patch; there is no public exploit identified at time of analysis and it is not listed in CISA KEV.
Local privilege escalation in the Windows Cloud Files Mini Filter Driver (cldflt.sys) allows an authenticated low-privileged user to elevate to SYSTEM by triggering a use-after-free memory corruption condition. The flaw affects a broad range of Windows client and server releases (Windows 10 1809 through Windows 11 26H1, and Windows Server 2019 through 2025) and was reported by Microsoft. There is no public exploit identified at time of analysis and the CVE is not listed in CISA KEV.
Local privilege escalation in Microsoft's NAT Helper Components (ipnathlp.dll), the driver behind Internet Connection Sharing and NAT translation on Windows 11 (24H2, 25H2, 26H1) and Windows Server 2025. An authenticated attacker who already has low-privilege access can exploit a use-after-free memory corruption bug to run code at higher privilege (SYSTEM). No public exploit identified at time of analysis, and it is not listed in CISA KEV, but Microsoft has released a patch.
Denial of service in Microsoft .NET (versions 8.0, 9.0, and 10.0) allows a remote, unauthenticated attacker to crash or hang affected applications by triggering a type-confusion condition (CWE-843) over the network. The flaw was reported by Microsoft and a vendor patch is available via MSRC; there is no public exploit identified at time of analysis. The CVSS vector limits impact strictly to availability (A:H, C:N/I:N), meaning it is a service-disruption bug rather than a code-execution or data-exposure issue despite tag noise suggesting otherwise.
Local privilege escalation in the Windows Ancillary Function Driver for WinSock (AFD.sys) allows an authenticated low-privileged user to elevate to SYSTEM by triggering a use-after-free (CWE-416) in the kernel-mode driver. All actively serviced Windows client (10 1607 through 11 26H1) and Server (2012 through 2025) editions are affected, and Microsoft has released patches. There is no public exploit identified at time of analysis, and the flaw is not listed in CISA KEV.
Elevation of privilege in the Windows Hyper-V virtual network switch (VMSwitch) lets an authenticated attacker operating from a guest partition corrupt kernel memory via a use-after-free and gain higher privileges, with a scope change (S:C) indicating a guest-to-host escape. Rated CVSS 9.9 and affecting a broad range of Windows client and server releases from Windows 10 1607 through Windows 11 26H1 and Windows Server 2012 through 2025, this issue was reported by Microsoft and has a vendor patch available. No public exploit is identified at time of analysis and it is not listed in CISA KEV.
Remote code execution in the Windows SMB Server network transport driver (srvnet.sys) lets an unauthenticated network attacker win a use-after-free race to run arbitrary code, affecting Windows 10, Windows 11, and Windows Server 2012 through 2025. Per its CVSS vector the flaw requires user interaction and high attack complexity, so exploitation is non-trivial rather than a trivial wormable hit. This was reported by Microsoft, a vendor patch is available, and there is no public exploit identified at time of analysis.
Local privilege escalation in the Microsoft Windows Kernel allows an authenticated attacker to elevate to SYSTEM by exploiting a use-after-free (CWE-416) memory corruption condition, spanning Windows 10 (1607 through 22H2), Windows 11 (24H2/25H2/26H1), and Windows Server 2016 through 2025. Reported by Microsoft with a CVSS 3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N), the flaw grants full confidentiality, integrity, and availability impact on the local system. No public exploit identified at time of analysis, and it is not listed in CISA KEV; a vendor patch is available.
Local privilege escalation in the Microsoft Windows Kernel (CWE-416 use-after-free) lets an already-authenticated low-privilege user corrupt kernel memory and gain SYSTEM-level control across a broad range of Windows 10, Windows 11, and Windows Server 2016 through 2025 builds. Microsoft self-reported the flaw and has shipped a patch through the Update Guide; there is no public exploit identified at time of analysis and it is not listed in CISA KEV. With CVSS 7.8 (AV:L/PR:L) it is a classic Patch-Tuesday local EoP suitable as a second-stage primitive after initial access.
Local privilege escalation in the Windows MIDI Service Module affects Windows 11 versions 24H2, 25H2, and 26H1, where a use-after-free (CWE-416) memory corruption lets an already-authorized local user run code with elevated privileges. Microsoft rates it CVSS 7.0 and has released a patch; there is no public exploit identified at time of analysis and it is not listed in CISA KEV. Exploitation is non-trivial due to high attack complexity and requires the attacker to already hold low-level local privileges.
Local privilege escalation in the Windows MIDI Service Module affects Windows 11 versions 24H2, 25H2, and 26H1, where a use-after-free (CWE-416) memory-corruption flaw lets an already-authenticated local user elevate to higher privileges. Exploitation requires winning a race condition (high attack complexity), and Microsoft has released a fix; no public exploit identified at time of analysis. Rated CVSS 7.0 with full confidentiality, integrity, and availability impact once triggered.
Local privilege elevation in the Windows WebView component affects a broad range of currently-supported Windows client and server builds (Windows 10 1809 through Windows 11 26H1, and Windows Server 2019/2022/2025). By triggering a use-after-free (CWE-416) memory-corruption condition, an already-authenticated low-privilege attacker can execute code in a higher-privilege context, yielding full confidentiality, integrity, and availability impact on the local system. Microsoft has released a patch; there is no public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Local privilege escalation in Microsoft XML Core Services (MSXML) lets a low-privileged, authorized attacker on a Windows host reclaim a freed object (use-after-free, CWE-416) to run code at elevated privilege. It affects a broad Windows footprint spanning Windows 10 1607 and Server 2012 through Windows 11 26H1 and Server 2025, including Server Core installations. Microsoft reported the flaw, a patch is available, and there is no public exploit identified at time of analysis; CISA SSVC currently rates exploitation as none.
Arbitrary code execution in Microsoft Office Excel arises from a use-after-free (CWE-416) memory-corruption flaw affecting Microsoft 365 Apps for Enterprise, Office 2019, Office LTSC 2021/2024, Office for Mac, and Office Online Server. The CVSS 3.1 vector (AV:L/UI:R) makes this a user-interaction-dependent, locally-scoped issue: a victim must open a maliciously crafted Excel workbook, after which the attacker gains code execution in the user's security context. No public exploit is identified at time of analysis and it is not listed in CISA KEV, but a vendor patch is available.
Type confusion (CWE-843) in Microsoft SQL Server 2025 enables authenticated, low-privileged network attackers to disclose sensitive server-side information. The CVSS vector (AV:N/PR:L/C:H) confirms that any authorized database user - regardless of their data access permissions - can potentially trigger the flaw remotely with no user interaction required. No public exploit code or CISA KEV listing exists at time of analysis, but the high confidentiality impact and low access complexity make patching a meaningful priority for organizations running SQL Server 2025.
Local code execution in Microsoft Office Word (CWE-416 use-after-free) allows an unauthorized attacker to run arbitrary code in the context of the current user when a victim opens a maliciously crafted document. The flaw affects a broad Office footprint including Microsoft 365 Apps for Enterprise, Office 2019, Office LTSC 2021/2024 (Windows and Mac), and related SharePoint Server products that process Word documents. Microsoft has released a patch; no public exploit has been identified at time of analysis, and neither KEV nor EPSS/POC signals were provided in the input.
Local code execution in Microsoft Office Word (across Microsoft 365 Apps, Office 2019/LTSC 2021/2024, Office for Mac, and Word 2016) allows an attacker to run arbitrary code by exploiting a use-after-free memory corruption flaw when a victim opens a maliciously crafted document. The CVSS 3.1 base score is 7.8 with a local attack vector requiring user interaction; there is no public exploit identified at time of analysis and the flaw is not listed in CISA KEV. Microsoft, which reported the issue itself, has released a patch.
Local code execution in Microsoft Excel (Microsoft 365 Apps, Office 2019/LTSC 2021/2024, Office for Mac, and Office Online Server) arises from a type-confusion flaw (CWE-843) in how Excel parses spreadsheet content. An attacker who convinces a victim to open a malicious workbook can run arbitrary code in the context of the current user, gaining high confidentiality, integrity, and availability impact. Reported by Microsoft with a patch available; there is no public exploit identified at time of analysis and it is not listed in CISA KEV.
Local arbitrary code execution in Microsoft Office (2016, 2019, LTSC 2021/2024, Microsoft 365 Apps for Enterprise, and Office for Mac 2021/2024) arises from a type-confusion flaw (CWE-843) that lets an attacker run code in the context of the current user when a victim opens a crafted file. The CVSS 3.1 base score is 7.8 (AV:L/AC:L/PR:N/UI:R) reflecting local vector with required user interaction and high impact to confidentiality, integrity, and availability. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but a vendor patch is available via MSRC.
Local code execution in Microsoft Office (2016, 2019, LTSC 2021/2024, Microsoft 365 Apps for Enterprise, and Office for Mac) stems from a use-after-free memory corruption (CWE-416) that an attacker triggers when a victim opens a maliciously crafted document. Rated CVSS 7.8 with high confidentiality, integrity, and availability impact, exploitation requires user interaction but no prior authentication, letting an attacker run arbitrary code in the context of the current user. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but Microsoft has released a fix, so patching should be prioritized during the normal Patch Tuesday cycle.
Local code execution in Microsoft Excel (Office 2016 through LTSC 2024, Microsoft 365 Apps, and Mac editions) allows an attacker to run arbitrary code by tricking a user into opening a maliciously crafted spreadsheet that triggers a type-confusion condition in Excel's file parser. The CVSS 3.1 score is 7.8 (High) with the local vector reflecting file-open exploitation rather than remote-network access, and success requires user interaction. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.
Local code execution in Microsoft Office (2016, 2019, LTSC 2021/2024, Microsoft 365 Apps, and Office for Mac 2021/2024) arises from a use-after-free memory corruption flaw that an attacker triggers by convincing a user to open a maliciously crafted Office document. Successful exploitation runs arbitrary code in the context of the current user, yielding full confidentiality, integrity, and availability impact on the host. There is no public exploit identified at time of analysis and the flaw is not listed in CISA KEV; Microsoft has published a patch via MSRC.
Local code execution in Microsoft Office (2016, 2019, LTSC 2021/2024, Microsoft 365 Apps, and the macOS editions) arises from a use-after-free memory-corruption flaw (CWE-416) that lets an attacker run arbitrary code in the context of the current user after the victim opens a maliciously crafted document. The CVSS 3.1 base score is 7.8 (AV:L/AC:L/PR:N/UI:R) with high impact to confidentiality, integrity, and availability, and requires user interaction. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but a vendor patch is available via MSRC.
Local code execution in Microsoft Office Excel (across Microsoft 365 Apps for Enterprise, Office 2019, Office LTSC 2021/2024, and their macOS equivalents) arises from a use-after-free (CWE-416) memory-corruption flaw triggered when a user opens a maliciously crafted spreadsheet. The CVSS vector (AV:L/AC:L/PR:N/UI:R) indicates an unauthenticated attacker can achieve full confidentiality, integrity, and availability impact but requires the victim to open a file, making it a classic phishing-delivered client-side bug. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, though Excel memory-corruption bugs are historically attractive targets.
Local code execution in Microsoft Office (including Microsoft 365 Apps for Enterprise, Office 2016/2019, and Office LTSC 2021/2024) stems from a use-after-free memory-corruption flaw (CWE-416). An attacker who convinces a user to open a specially crafted Office document can execute arbitrary code in the context of the current user, gaining full confidentiality, integrity, and availability impact. Exploitation requires user interaction (opening a malicious file) and there is no public exploit identified at time of analysis.
Local code execution in the Windows DHCP Client service stems from a use-after-free (CWE-416) memory-corruption flaw affecting a broad range of Windows 10, Windows 11, and Windows Server releases (Server 2012 through Server 2025). Per the CVSS vector an unauthenticated attacker with local access can achieve high-impact code execution with no user interaction. There is no public exploit identified at time of analysis and it is not listed in CISA KEV; Microsoft has released a patch through the MSRC update guide.
Local privilege escalation in the Windows Clipboard Server (Cliprdr/RDP clipboard virtual channel service) affects a broad range of Windows 10, Windows 11, and Windows Server builds (from 1809 through 11 26H1 and Server 2025). An authenticated local attacker who can trigger a use-after-free (CWE-416) in the service can corrupt memory to run code at elevated (SYSTEM-level) privilege. There is no public exploit identified at time of analysis, and the issue is not listed in CISA KEV; Microsoft has released a patch.
Remote code execution in Microsoft Windows OLE (Object Linking and Embedding) allows an unauthorized network attacker to run arbitrary code by triggering a type-confusion condition (CWE-843) in the OLE component. The flaw affects a broad range of client and server SKUs from Windows 10 1607 through Windows 11 26H1 and Windows Server 2012 R2 through Server 2025, and carries a CVSS 8.1 (High) rating. No privileges or authentication are required per the CVSS vector, though the high attack complexity (AC:H) means exploitation depends on winning a specific timing or memory-state condition; there is no public exploit identified at time of analysis and it is not on CISA KEV.
Local privilege escalation in the Windows Kernel lets an already-authenticated, low-privileged attacker on Windows 11 (24H2, 25H2, 26H1) and Windows Server 2025 corrupt kernel memory via a use-after-free and gain SYSTEM-level control. The CVSS 3.1 score of 8.8 is elevated by a scope change (S:C), reflecting that kernel compromise crosses the boundary from user context to the OS itself. Microsoft has released a patch; no public exploit identified at time of analysis and the flaw is not listed in CISA KEV.
Local privilege escalation in the Microsoft Windows Kernel allows an authenticated attacker to gain SYSTEM-level control by exploiting a use-after-free (CWE-416) memory corruption condition. The flaw affects a broad range of Windows client and server builds - from Windows 10 1607 through Windows 11 26H1 and Windows Server 2012 through Server 2025 - and was reported by Microsoft with a patch available. There is no public exploit identified at time of analysis, and it is not listed in CISA KEV; the CVSS 3.1 base score is 7.8 (AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H).
Local privilege escalation in Microsoft Windows Media (a component shipping in Windows 11 versions 24H2, 25H2, and 26H1) lets an authenticated local attacker execute code at elevated privilege by triggering a use-after-free (CWE-416) memory-corruption condition. Reported by Microsoft with a vendor patch available, it carries CVSS 7.8 (High) and can yield full confidentiality, integrity, and availability compromise of the host. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.
Local privilege escalation in Microsoft's Windows USB Print Driver stems from a use-after-free (CWE-416) memory corruption flaw affecting Windows 11 (24H2, 25H2, 26H1) and Windows Server 2025. A low-privileged authenticated attacker who can execute code on the host and win a memory-timing race can corrupt kernel memory to gain higher (SYSTEM-level) privileges. Microsoft has released a patch; there is no public exploit identified at time of analysis and it is not listed in CISA KEV, so exploitation is not currently observed in the wild.
Local privilege escalation in Microsoft Windows NTFS (New Technology File System) driver lets an already-authenticated low-privileged user corrupt kernel memory via a use-after-free (CWE-416) and elevate to SYSTEM. The flaw affects a broad Windows client and server matrix (Windows 10 1809 through Windows 11 26H1, Windows Server 2019/2022/2025). It has no public exploit identified at time of analysis and is not on CISA KEV, but as a Microsoft-reported, patched NTFS kernel bug it is a routine patch-priority item on standard Patch Tuesday cycles.
Privilege escalation in the Windows Remote Access Connection Manager (RasMan) service lets an authenticated, low-privileged attacker corrupt memory over the network to gain higher privileges on affected Windows 10, 11, and Server systems. The flaw is a CWE-416 use-after-free carrying a CVSS 8.8 with high impact to confidentiality, integrity, and availability. Microsoft has released a patch; there is no public exploit identified at time of analysis and it is not listed in CISA KEV.
Remote code execution in the Microsoft Windows Message Queuing (MSMQ) service arises from a use-after-free (CWE-416) memory-corruption flaw that an authenticated attacker can trigger across a network to run arbitrary code in the service context. It affects a broad range of supported Windows client and server releases from Windows 10 1607 and Windows Server 2012 through Windows 11 26H1 and Windows Server 2025 wherever the MSMQ component is enabled. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but Microsoft rates it CVSS 7.5 and has released a fix.
Local privilege escalation in the Windows Installer (msiexec) service across Windows 10, Windows 11, and Windows Server 2012 through 2025 allows an already-authenticated local user to gain higher privileges by triggering a use-after-free memory-corruption condition. No public exploit has been identified at time of analysis, and it is not listed in CISA KEV, but Microsoft has published a patch. The high CVSS complexity (AC:H) indicates exploitation requires winning a race or meeting specific timing/heap conditions rather than being trivially reliable.
Privilege escalation in the Windows Netlogon service allows an already-authenticated, low-privileged network attacker to elevate to higher privileges by exploiting a use-after-free (CWE-416) memory-corruption condition. The flaw affects a broad range of Windows client and server releases from Windows 10 1607 and Windows Server 2012 through Windows 11 26H1 and Windows Server 2025, including Server Core installations. Reported by Microsoft with a vendor patch available; there is no public exploit identified at time of analysis and it is not listed in CISA KEV.
Network-based privilege elevation in Microsoft Windows DNS (Windows 11 24H2/25H2/26H1 and Windows Server 2025) stems from a use-after-free memory corruption condition that an unauthenticated remote attacker can exploit to gain elevated privileges with full confidentiality, integrity, and availability impact. The flaw requires no prior authentication or user interaction (PR:N/UI:N) but carries high attack complexity (AC:H), meaning reliable exploitation depends on winning a race or satisfying a specific memory-state timing window. Microsoft self-reported the issue and has shipped a patch; no public exploit identified at time of analysis and it is not currently listed in CISA KEV.
Elevation of privilege in the Windows Runtime (WinRT) component affects Windows 10 (21H2/22H2), Windows 11 (24H2/25H2/26H1), and Windows Server 2025, where a use-after-free memory-corruption flaw lets an already-authenticated local user run code at higher privilege. Microsoft has released a patch and reported the issue; there is no public exploit identified at time of analysis and the CVE is not listed in CISA KEV. Given the CVSS 7.8 (Important) rating and full C/I/A impact, this is a standard local privilege-escalation risk suited for regular patch prioritization rather than emergency response.
Local privilege escalation in the Windows Graphics Kernel component allows an authenticated attacker to elevate to SYSTEM by triggering a use-after-free (CWE-416) memory-corruption condition. All currently supported Windows client and server builds are affected - from Windows 10 1809 through Windows 11 26H1 and Windows Server 2019 through 2025. No public exploit identified at time of analysis; Microsoft has released a patch, and the CVSS 7.8 (Important) rating reflects high impact but a local-access, low-privilege prerequisite.
Local privilege escalation in the Microsoft Windows Kernel lets an authenticated attacker who already has low-privileged code execution on a host elevate to SYSTEM by exploiting a use-after-free (CWE-416) memory corruption. It affects a broad range of supported Windows client and server builds - Windows 10 (1809/21H2/22H2), Windows 11 (24H2/25H2/26H1), and Windows Server 2019/2022/2025 - and Microsoft has released a patch. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, so exploitation appears unproven publicly despite the reliably-exploitable nature of kernel UAF flaws.
Local privilege escalation in the Microsoft Windows Kernel arises from a use-after-free (CWE-416) memory-corruption flaw that lets an attacker running code on the machine gain higher privileges, potentially SYSTEM. It affects a broad range of current Windows client and server builds (Windows 10 21H2/22H2, Windows 11 24H2/25H2/26H1, Windows Server 2022/2025). No public exploit identified at time of analysis, but the local attack surface and full CIA impact make it a standard Patch-Tuesday-class kernel EoP worth prompt patching.
Local privilege escalation in the Windows Backup Engine affects Windows 10 (21H2, 22H2) and Windows 11 (24H2, 25H2, 26H1), where a use-after-free (CWE-416) memory-corruption flaw lets an already-authorized local user with low privileges elevate to higher rights. No public exploit identified at time of analysis, and it is not listed in CISA KEV; Microsoft rates it 7.0 (High), reflecting meaningful impact tempered by high attack complexity. Successful exploitation grants full confidentiality, integrity, and availability impact on the affected host.
Local privilege escalation in Microsoft Windows (Windows 10 1607 through Windows 11 26H1 and Windows Server 2012 through 2025) arises from a use-after-free memory-corruption flaw (CWE-416) that lets an already-authenticated local user run code at elevated privilege. The CVSS 3.1 base score is 7.8 with a scope-changed vector, and Microsoft has shipped a fix via MSRC. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV, so exploitation is currently theoretical rather than observed.
Local privilege escalation in the Windows Brokering File System affects Windows 11 24H2/25H2/26H1 and Windows Server 2025, where a use-after-free (CWE-416) lets an already-authenticated local user corrupt memory to elevate to higher privileges (typically SYSTEM). Microsoft has released a patch and rates it 7.8 (High). There is no public exploit identified at time of analysis and it is not listed in CISA KEV.
Remote code execution in Microsoft's Remote Desktop Client (the RDP client, mstsc.exe, shipped across Windows 10, Windows 11, and Windows Server 2012 through 2025) allows an unauthorized attacker to run arbitrary code over the network by triggering a use-after-free memory-corruption condition. Exploitation requires the victim to connect to an attacker-controlled or compromised RDP endpoint (UI:R), after which the malicious server can corrupt client-side memory to achieve full code execution. There is no public exploit identified at time of analysis and the CVE is not listed in CISA KEV; a vendor patch is available from Microsoft.
Use after free in Windows Virtual Filtering Platform (VFP) allows an authorized attacker to deny service over a network.
Local privilege escalation in the Windows Runtime (WinRT) component of Windows 10, Windows 11, and Windows Server allows an authenticated attacker to run arbitrary code with elevated (SYSTEM-level) privileges by triggering a use-after-free memory-corruption condition (CWE-416). Microsoft has released a patch, but there is no public exploit identified at time of analysis and the flaw is not listed in CISA KEV. The CVSS 3.1 score of 7.8 (High) with a fully local vector reflects meaningful post-compromise impact but requires the attacker to already have a foothold on the host.
Remote code execution in the Microsoft Message Queuing (MSMQ) Queue Manager affects a broad range of Windows client and server releases, from Windows 10 1607 and Windows Server 2012 through Windows 11 26H1 and Windows Server 2025. An unauthenticated network attacker who can reach the MSMQ service (TCP 1801) can trigger a use-after-free (CWE-416) in the Queue Manager to execute arbitrary code in the service context. There is no public exploit identified at time of analysis and the flaw is not listed in CISA KEV, but the high CVSS (8.1), network attack vector, and lack of any authentication requirement make patched deployment urgent; exploitation is tempered by the High attack complexity (AC:H).
Local privilege escalation in the Windows Brokering File System component affects Windows 11 (24H2, 25H2, 26H1) and Windows Server 2025, where a use-after-free memory corruption (CWE-416) lets an already-authenticated local user elevate to higher privileges. Microsoft rates it CVSS 7.8 with full confidentiality, integrity, and availability impact, and has released a patch. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.
Use after free in Windows Cloud Files Mini Filter Driver allows an authorized attacker to elevate privileges with a physical attack.
Local privilege escalation in the Windows Connected User Experiences and Telemetry service (DiagTrack) lets an already-authenticated user run arbitrary code with SYSTEM-level rights by triggering a CWE-843 type-confusion condition. The flaw affects a broad range of currently-supported Windows client and server builds, from Windows 10 1607 through Windows 11 26H1 and Windows Server 2016 through 2025. Microsoft has released a patch; there is no public exploit identified at time of analysis and the CVE is not listed in CISA KEV.
Local privilege escalation in the Microsoft Windows Content Delivery Manager component lets an authenticated low-privileged user elevate to SYSTEM by triggering a use-after-free (CWE-416) memory-corruption condition. The flaw affects a broad range of client and server builds (Windows 10 1809 through Windows 11 26H1, plus Server 2019 and Server 2025), and Microsoft has released a patch. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.