Microsoft
Monthly
Remote code execution in the Windows Kernel allows unauthenticated network attackers to execute arbitrary code by triggering a use-after-free condition (CWE-122 heap-related memory corruption). The flaw was reported by Microsoft (secure@microsoft.com) and carries a critical CVSS 9.8 with no public exploit identified at time of analysis. Tag metadata indicates the bug can also be leveraged for heap overflow and denial-of-service outcomes.
Security feature bypass in Windows UEFI allows an authenticated local attacker with low privileges to circumvent a protection mechanism, resulting in high confidentiality, integrity, and availability impact on the host. The flaw is rooted in CWE-693 (Protection Mechanism Failure) within the Windows UEFI firmware layer, and Microsoft (secure@microsoft.com) is the reporting CNA. No public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV.
BitLocker drive encryption on Windows can be bypassed by a physically present, unauthenticated attacker, exposing protected volume contents with high confidentiality impact. Classified as CWE-693 (Protection Mechanism Failure), the flaw undermines BitLocker's core threat model - data-at-rest protection - across a wide range of Windows 10, Windows 11, and Windows Server releases from 2012 through 2025. No public exploit has been identified at time of analysis, and Microsoft has released patches for all affected versions; however, the physical access requirement means organizations with mobile or physically accessible systems should treat this as a higher operational priority than the CVSS score alone implies.
Secure Boot bypass on Microsoft Windows allows an authorized local attacker with high privileges to defeat a platform integrity protection mechanism, leading to compromise of confidentiality and integrity outside the original security boundary. The scope-changed CVSS 7.9 rating reflects that successful exploitation breaks out of the Secure Boot trust domain, though no public exploit is identified at time of analysis and the issue is not listed in CISA KEV. Microsoft (secure@microsoft.com) issued the advisory via MSRC, and the weakness is classified as improper access control (CWE-284).
Local privilege escalation in Microsoft Windows Kernel allows an authenticated low-privilege attacker to elevate to SYSTEM by triggering a use-after-free condition in kernel memory. The flaw carries a CVSS 7.0 rating with high attack complexity, and no public exploit identified at time of analysis. Exploitation requires a race condition or specific timing to be won, which constrains reliable weaponization but does not eliminate the risk on multi-user or shared Windows hosts.
UI misrepresentation of critical information in Microsoft Bing Search for Android (versions below 33.3) enables unauthenticated network-based attackers to spoof content displayed to end users. The vulnerability (CWE-451) causes the application to render or present critical information-such as URLs, security indicators, or source attribution-in a misleading way, enabling deception attacks. No public exploit has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog; however, the zero-privilege-required, low-complexity network vector makes it accessible to opportunistic attackers targeting users of the unpatched Android application.
Local spoofing in Microsoft Office for Android lets an unauthorized attacker manipulate trust-affecting content or identity indicators after a user interacts with malicious input on the device. The CVSS 7.1 score reflects high confidentiality and integrity impact with no special privileges required, though the local attack vector and required user interaction limit remote exploitability. No public exploit identified at time of analysis and the issue is not on the CISA KEV list.
Local privilege escalation in Microsoft Defender for Endpoint for Mac (versions 101.0.0 through 101.26042.0010) allows an authenticated local attacker to win a time-of-check/time-of-use race and gain elevated privileges on the host. No public exploit identified at time of analysis, and EPSS is very low (0.05%), but SSVC rates technical impact as 'total' because successful exploitation yields full compromise of the endpoint security agent.
Local code execution in Microsoft Office is possible through a heap-based buffer overflow (CWE-822) that triggers when a user opens a maliciously crafted document. The CVSS 7.8 vector (AV:L/AC:L/PR:N/UI:R) reflects a classic client-side file-format attack requiring user interaction but no prior authentication, yielding full confidentiality, integrity, and availability impact on the targeted workstation. There is no public exploit identified at time of analysis and the CVE is not listed in CISA KEV, but Office document parsers are historically high-value targets and the vulnerability was reported by Microsoft's own MSRC team.
Privilege elevation via stored or reflected cross-site scripting in Microsoft Live Share Canvas SDK enables an authenticated attacker on the network to execute script in another user's browser context and gain elevated permissions within collaborative Live Share sessions. The CVSS 8.0 vector reflects high impact across confidentiality, integrity, and availability, though successful exploitation requires both low-level authentication and user interaction. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Local code execution in Microsoft Office Word arises from an untrusted pointer dereference (CWE-822) that can be triggered when a victim opens a crafted document. Successful exploitation grants the attacker the privileges of the current user with high impact to confidentiality, integrity, and availability, though no public exploit identified at time of analysis. The CVSS 3.1 base score of 7.8 reflects the requirement for user interaction but no prior authentication.
Spoofing via improper input validation affects Microsoft Azure Attestation service and the Device Health Attestation Service component across a broad range of Windows OS versions, from Windows Server 2012 through Windows Server 2025 and Windows 10/11. An authorized attacker with high privileges and physical access to the target device can manipulate attestation inputs to spoof device health or platform integrity status, achieving a high-integrity impact with no confidentiality or availability consequence. No public exploit code has been identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog; the CVSS score of 3.9 (Low) reflects the significant physical and privilege barriers to exploitation.
Local code execution in Microsoft Windows Hyper-V allows an authenticated attacker on a guest or host to escape sandbox boundaries by triggering an out-of-bounds read condition (CWE-843, type confusion) in the hypervisor. The flaw affects Windows 10 (21H2/22H2), Windows 11 (23H2/24H2/25H2/26H1), and Windows Server 2022/2025, with a vendor-released patch available and no public exploit identified at time of analysis. EPSS scoring of 0.15% and SSVC exploitation status of 'none' suggest limited near-term exploitation likelihood despite total technical impact potential.
Local privilege escalation in the Windows Bluetooth Port Driver allows an authorized low-privileged attacker to elevate to higher privileges by triggering a use-after-free condition in the kernel-mode driver. The flaw is reported by Microsoft Security Response Center and carries a CVSS 7.0 (high) rating with high attack complexity, and no public exploit identified at time of analysis. EPSS data and CISA KEV status were not provided in the input, so widespread exploitation is not confirmed.
Information disclosure in Microsoft Windows Remote Desktop Protocol (RDP) allows remote unauthenticated attackers to read out-of-bounds memory over the network, potentially exposing sensitive data from the RDP service process. The flaw is reachable without authentication or user interaction across any exposed RDP endpoint, and no public exploit identified at time of analysis. Microsoft has assigned the issue a CVSS 3.1 score of 7.5 reflecting high confidentiality impact with no integrity or availability effect.
Local privilege escalation in the Windows Ancillary Function Driver (AFD.sys) for WinSock allows an authenticated low-privileged user to gain SYSTEM-level access through a use-after-free condition. The flaw was reported by Microsoft (MSRC) and carries a CVSS 7.8 score with high impact across confidentiality, integrity, and availability. No public exploit identified at time of analysis, though the AFD.sys driver has a long history of similar bugs being weaponized post-disclosure.
Local privilege escalation in Microsoft Windows Desktop Window Manager (DWM) Core Library enables an authorized low-privileged user to gain elevated privileges through a use-after-free memory corruption flaw. The vulnerability carries a CVSS 3.1 score of 7.8 with high impact on confidentiality, integrity, and availability, and no public exploit identified at time of analysis. Exploitation requires the attacker to already have local code execution as a standard user, making it a strong candidate for post-compromise chaining toward SYSTEM-level access.
Local code execution in Windows NTFS allows an unauthorized attacker to run arbitrary code on the target system by triggering a heap-based buffer overflow, with no public exploit identified at time of analysis. The CVSS 7.8 rating reflects high impact across confidentiality, integrity, and availability, but exploitation requires local vector and user interaction. Microsoft (secure@microsoft.com) is the assigning CNA, indicating a first-party vendor advisory via MSRC.
Out-of-bounds read in the Windows DHCP Server service enables a locally authenticated, low-privileged attacker to disclose contents of process memory on affected systems. The CVSS vector (AV:L/AC:L/PR:L/UI:N) confirms this is a local, low-complexity attack requiring only standard user privileges - no elevated rights or user interaction needed. Exploitation is constrained to hosts where the Windows DHCP Server role is actively installed and running, which significantly limits the attack surface to designated infrastructure servers rather than general workstations. No public exploit code has been identified at time of analysis, and this CVE does not appear in the CISA KEV catalog.
Out-of-bounds read in Windows DHCP Server exposes adjacent memory contents and can crash the service, yielding both information disclosure and a high-severity denial-of-service condition on affected Windows systems. The flaw (CWE-125) is exploitable locally with low attack complexity and no user interaction, targeting systems where the DHCP Server role is installed across a broad range of Windows 10, 11, and Server editions from 2012 through 2025. No public exploit has been identified at time of analysis, and Microsoft has released patched builds via the MSRC update guide (CVE-2026-45608).
Local code execution in Microsoft Windows Hyper-V allows an authenticated low-privilege attacker to run arbitrary code on the host via an out-of-bounds read (CWE-125) in the hypervisor. The flaw affects a broad swath of Windows 10, Windows 11, and Windows Server builds running Hyper-V, and Microsoft has released patches. No public exploit identified at time of analysis and EPSS is very low (0.06%), but SSVC technical impact is rated total.
Out-of-bounds read in Microsoft's UxTheme Library (uxtheme.dll) enables a locally authenticated attacker to crash the affected Windows system, resulting in denial of service. The vulnerability spans a broad swath of Windows releases - from Server 2012 through Windows 11 26H1 and Windows Server 2025 - making patch surface management critical for enterprise environments. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog.
Local privilege escalation in the Windows Bluetooth Service stems from a use-after-free condition (CWE-416) that an authenticated low-privilege user can trigger to gain elevated rights on the host. The CVSS 7.8 vector (AV:L/AC:L/PR:L/UI:N) reflects a fully local attack with high impact across confidentiality, integrity, and availability, and no public exploit has been identified at time of analysis. The flaw was reported by Microsoft (secure@microsoft.com) and tracked in the MSRC update guide.
Out-of-bounds read in the Windows Application Identity (AppID) Subsystem exposes sensitive kernel or process memory to a local authenticated attacker without requiring elevated privileges or user interaction. Affected builds span Windows 11 versions 23H2 through 26H1 and Windows Server 2025, including Server Core installations. No public exploit code has been identified at time of analysis and this CVE does not appear in the CISA KEV catalog, though the high confidentiality impact (CVSS C:H) indicates meaningful data exposure potential when triggered.
Local privilege escalation in the Windows Ancillary Function Driver for WinSock (afd.sys) allows an authenticated low-privileged user to elevate to SYSTEM by winning a race condition that triggers a use-after-free. The flaw is reported by Microsoft (MSRC) and carries CVSS 7.0 with high attack complexity, but no public exploit is identified at time of analysis and it is not listed in CISA KEV.
Remote tampering in Microsoft Windows DHCP Server allows unauthenticated network attackers to manipulate critical data with high confidentiality and integrity impact, as reflected by the 9.1 CVSS score. The vulnerability is reachable over the network without privileges or user interaction, and no public exploit identified at time of analysis. The combination of authentication bypass tagging and DHCP's role as a core network infrastructure service makes this a high-priority issue for any Windows environment running the DHCP Server role.
Local privilege escalation in the Windows Ancillary Function Driver for WinSock (AFD.sys) allows an authenticated low-privileged attacker to win a race condition and gain SYSTEM-level execution. The flaw is a use-after-free triggered through concurrent WinSock operations, and at time of analysis no public exploit has been identified and the CVE is not on the CISA KEV list.
Local privilege escalation in Microsoft Windows Kernel-Mode Drivers allows an authenticated low-privileged user to elevate to SYSTEM via a type confusion (CWE-843) flaw. The vulnerability carries a CVSS 7.8 (High) with low attack complexity and no user interaction once local access is obtained, though no public exploit identified at time of analysis. Reported by Microsoft's MSRC, this fits the recurring pattern of Windows kernel driver EoP bugs frequently abused in post-compromise stages.
Local privilege escalation in the Windows Ancillary Function Driver for WinSock (afd.sys) allows an authenticated low-privileged user to win a race condition and trigger a use-after-free, enabling code execution at kernel level. No public exploit identified at time of analysis, but AFD.sys has a long history of being a preferred LPE target and Microsoft has marked the issue as important. EPSS data was not provided in the source feed.
Local privilege escalation in the Windows Ancillary Function Driver for WinSock (afd.sys) allows an authenticated local user to gain SYSTEM-level rights by winning a race condition that leads to a use-after-free in kernel memory. The flaw affects Windows installations where afd.sys is loaded (effectively all desktop and server SKUs) and was reported by Microsoft Security Response Center; no public exploit identified at time of analysis and the vulnerability is not listed on the CISA KEV catalog.
Mark of the Web (MOTW) protection mechanism failure across a broad range of Windows client and server releases allows unauthenticated network-based attackers to deliver files that evade the Zone.Identifier security tag, bypassing downstream defenses such as SmartScreen and Office Protected View that depend on MOTW presence. User interaction is required to trigger the bypass, limiting automated mass exploitation. No public exploit code exists and CISA has not listed this in KEV; however, the breadth of affected Windows versions - spanning Windows 10 1607 through Windows 11 26H1 and Windows Server 2012 R2 through 2025 - gives this vulnerability significant surface area as a link in social-engineering attack chains.
Information disclosure in the Windows Application Identity (AppID) Subsystem exposes sensitive data to locally authenticated, low-privileged attackers across a broad range of Windows 10, Windows 11, and Windows Server versions. The CVSS vector (AV:L/AC:L/PR:L/UI:N) confirms that exploitation requires only a local session with standard user privileges - no elevated rights or user interaction needed. No public exploit code or CISA KEV listing has been identified at time of analysis, but the wide affected surface spanning consumer and server SKUs makes patching a meaningful priority in multi-user or shared-system environments.
Local privilege escalation in Microsoft Windows SDK enables an authenticated low-privileged attacker to elevate to higher privileges by exploiting a use-after-free memory corruption flaw. The CVSS 7.8 (AV:L/AC:L/PR:L) profile reflects local attack with low complexity and low privileges required, yielding full confidentiality, integrity, and availability impact. No public exploit identified at time of analysis and the vulnerability is not currently listed in CISA KEV.
Local privilege escalation in Microsoft Windows Internet (wininet.dll) allows an authenticated low-privileged attacker to elevate to higher privileges by triggering an integer overflow condition. With a CVSS score of 7.8 and full impact on confidentiality, integrity, and availability, this flaw represents a meaningful post-compromise risk on affected Windows systems, though no public exploit identified at time of analysis. The vulnerability has been reported by Microsoft's own security team (secure@microsoft.com), indicating internal discovery and coordinated disclosure.
Security feature bypass in Windows Secure Boot enables a high-privileged local attacker to circumvent boot-time integrity protections, undermining the chain of trust that prevents unauthorized firmware and bootloader code from executing. The flaw (CWE-693, Protection Mechanism Failure) carries a CVSS 7.9 rating driven by scope change and high confidentiality/integrity impact, and no public exploit identified at time of analysis. Because Secure Boot is the foundation for downstream protections like BitLocker, Virtualization-Based Security, and Measured Boot, bypass enables persistent pre-OS implants that survive reimaging.
Local privilege escalation in Windows Collaborative Translation Framework permits an authorized low-privileged user to gain elevated rights on affected Windows systems by abusing improper symbolic link resolution before file access. The flaw yields high confidentiality, integrity, and availability impact (CVSS 7.8) but requires existing local access. No public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Remote code execution in Microsoft Exchange Server allows an unauthenticated network-based attacker to execute arbitrary code on the mail server through code injection, though successful exploitation requires user interaction and faces high attack complexity. No public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV. The vulnerability is rated CVSS 7.5 with full confidentiality, integrity, and availability impact on a compromised Exchange host.
Privilege escalation via server-side request forgery in Microsoft Exchange Server allows an authenticated attacker with low-level network access to coerce the Exchange server into making attacker-controlled requests, resulting in high impact to confidentiality, integrity, and availability. The flaw is network-exploitable with low complexity (CVSS 8.8) but requires prior authentication, and no public exploit identified at time of analysis. As a Microsoft-discovered issue (reported by secure@microsoft.com), it is consistent with the broader pattern of Exchange SSRF chains used to pivot to elevated mailbox or domain access.
Server-side request forgery in Microsoft Exchange Server allows an authenticated attacker with low privileges to coerce the Exchange server into making arbitrary outbound requests, resulting in disclosure of sensitive information and potential integrity impact across internal network resources. The CVSS 8.1 score reflects the high confidentiality and integrity impact from a network-reachable, low-complexity attack, though no public exploit identified at time of analysis. The vulnerability is tagged as an Authentication Bypass / SSRF, suggesting the SSRF primitive may be leveraged to bypass network-based authentication boundaries (e.g., reaching internal trusted endpoints).
Server-side request forgery in Microsoft Exchange Server enables an authenticated low-privilege attacker to coerce the server into issuing outbound network requests to internal or external resources, resulting in information disclosure. Affected deployments span Exchange Server 2016 CU23, Exchange Server 2019 CU14 and CU15, and the current Subscription Edition - all at versions below their respective patched builds. No public exploit code exists and the vulnerability is not listed in the CISA KEV catalog at time of analysis, but the Changed scope in the CVSS vector indicates the server can reach resources beyond its own trust boundary, amplifying reconnaissance value for an already-authenticated adversary.
Cross-site scripting and server-side request forgery in Microsoft Exchange Server enables authenticated low-privilege network attackers to perform spoofing and exfiltrate sensitive information. Affected are Exchange Server 2016 CU23, 2019 CU14, 2019 CU15, and the Subscription Edition RTM release lines, all below their respective patched cumulative update builds. No public exploit identified at time of analysis and the vulnerability is not listed in the CISA KEV catalog, though Microsoft has released patches across all affected branches.
Cross-site scripting in Microsoft Exchange Server's web interface enables unauthenticated remote attackers to perform spoofing attacks against users of Exchange Server 2016, 2019, and Subscription Edition. The CVSS vector (PR:N/UI:R/S:C) indicates no attacker authentication is required, but a victim must interact with a crafted link, and the Changed Scope means injected scripts can cross browser security boundaries within the Exchange session. No public exploit has been identified at time of analysis, and vendor-released patches are available addressing all affected cumulative update branches.
Local code execution in Microsoft Office Word is possible when a user opens a maliciously crafted document that triggers an untrusted pointer dereference (CWE-416 use-after-free). The flaw lets an unauthorized attacker execute arbitrary code in the context of the current user, and no public exploit identified at time of analysis. Risk hinges on user interaction (UI:R), making phishing-style document delivery the realistic attack pathway.
Out-of-bounds read in Microsoft Office and SharePoint Server exposes low-level memory contents to a local attacker when a victim opens a crafted document. Affected products span Microsoft 365 Apps for Enterprise, Office 2016/2019/LTSC 2021/2024, Office for Mac variants, and SharePoint Server 2016/2019/Subscription Edition - all at version 16.0.x baselines. The CVSS score of 3.3 (Low) reflects constrained impact: confidentiality is only partially affected, integrity and availability are untouched, and exploitation requires both local access and user interaction. No public exploit identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog.
Privilege escalation in Microsoft Office SharePoint allows an authenticated network attacker to elevate privileges by submitting maliciously crafted serialized data that the server deserializes without proper validation. The CVSS 8.8 score reflects high impact across confidentiality, integrity, and availability combined with low attack complexity, though the PR:L requirement means the attacker must already hold at least a low-privileged SharePoint account. No public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV.
Stored or reflected cross-site scripting in Microsoft SharePoint Server (the platform underlying Office Project Server) enables an authenticated low-privileged attacker to inject malicious script into web-rendered content, facilitating spoofing attacks against other users. The CVSS vector (PR:L/UI:R) confirms exploitation requires an authenticated account and victim interaction, constraining opportunistic use. No public exploit code has been identified at time of analysis, a vendor patch has been released, and no CISA KEV listing is present.
Stored or reflected cross-site scripting in Microsoft Office SharePoint allows an authenticated low-privileged attacker to inject script that executes in another user's browser session, enabling spoofing and high-impact disclosure or modification of data rendered in the victim's context. The CVSS 7.3 vector requires user interaction and existing access to the SharePoint site, and no public exploit identified at time of analysis. The flaw is consistent with the CWE-79 class of input neutralization failures during web page generation.
Cross-site scripting in Microsoft SharePoint allows an authenticated network attacker to perform spoofing attacks by injecting malicious script into web page content. Affected products include SharePoint Enterprise Server 2016, SharePoint Server 2019, and SharePoint Server Subscription Edition across all builds below their respective patched versions. No public exploit identified at time of analysis, and this CVE is not listed in the CISA KEV catalog; the CVSS score of 4.6 reflects the mandatory user interaction and constrained confidentiality/integrity impact.
Local code execution in Microsoft Office is possible through a heap-based buffer overflow (CWE-122) that an unauthenticated attacker can trigger when a user opens a crafted document. The CVSS 3.1 base score of 7.8 reflects high impact to confidentiality, integrity, and availability, with required user interaction limiting mass exploitation. There is no public exploit identified at time of analysis and the issue is not currently listed on the CISA KEV catalog.
Local code execution in Microsoft Office is possible through a heap-based buffer overflow that an unauthorized attacker can trigger without user interaction. The flaw carries a CVSS 3.1 score of 8.4 with high impact across confidentiality, integrity, and availability, and no public exploit identified at time of analysis. Despite requiring local access, the absence of authentication and user-interaction requirements makes this a notable priority for endpoint patching cycles.
Local code execution in Microsoft Office via a heap-based buffer overflow allows an unauthorized attacker to run arbitrary code with the privileges of the user opening a malicious document. The CVSS vector (AV:L/PR:N/UI:N) indicates local attack vector without required authentication or user interaction, an unusual combination that warrants verification against the vendor advisory. No public exploit identified at time of analysis and the issue is not currently listed in CISA KEV.
Local code execution in Microsoft Office Word enables an attacker to run arbitrary code in the context of the current user by tricking them into opening a malicious document that triggers an untrusted pointer dereference. With a CVSS 7.8 score and no public exploit identified at time of analysis, the flaw is exploited locally but unauthenticated, relying on user interaction to open a crafted file. Microsoft has issued an advisory via the MSRC Security Update Guide.
Local code execution in Microsoft Office Excel results from an integer underflow (CWE-122 heap-based) that allows an unauthorized attacker to run arbitrary code in the context of the user opening a crafted spreadsheet. The CVSS 7.8 score reflects local attack vector with required user interaction, and no public exploit identified at time of analysis. Microsoft (secure@microsoft.com) is the originating CNA, and the issue is tagged as a buffer/heap overflow class flaw.
Cross-site scripting in Microsoft SharePoint Server allows an authenticated low-privileged attacker to inject malicious scripts into SharePoint-generated web pages, enabling spoofing attacks against other authenticated users over the network. Three product lines are confirmed affected: SharePoint Server Subscription Edition, SharePoint Server 2019, and SharePoint Enterprise Server 2016, each with specific patched build thresholds. No public exploit code has been identified at time of analysis, and Microsoft has released patches for all three product lines.
Stored or reflected cross-site scripting in Microsoft SharePoint on-premises deployments enables an authenticated attacker to perform spoofing attacks against other users over a network. Affected products span three major on-premises release lines: SharePoint Enterprise Server 2016, SharePoint Server 2019, and SharePoint Server Subscription Edition. The CVSS vector (PR:L, UI:R) confirms exploitation requires a low-privileged authenticated account and victim user interaction, meaningfully constraining opportunistic attack. No active exploitation has been confirmed (not listed in CISA KEV), and no public exploit code has been identified at time of analysis.
Heap-based buffer overflow in Microsoft Office Word exposes limited local memory contents when a user opens a specially crafted document. Affecting multiple Office product lines including Microsoft 365 Apps for Enterprise, Office LTSC 2021, LTSC 2024, and their Mac counterparts, the vulnerability carries a CVSS score of 3.3 (Low) and is constrained to confidentiality impact only, with no integrity or availability consequences. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog.
Cross-site scripting in Microsoft SharePoint Enterprise Server 2016, SharePoint Server 2019, and SharePoint Server Subscription Edition enables network-based spoofing attacks by injecting malicious scripts into rendered web page output. The vulnerability carries a CVSS 5.4 (Medium) score with low attack complexity and no privilege requirement per the CVSS vector, but requires victim user interaction - a pattern consistent with reflected or stored XSS leading to in-browser script execution within a trusted SharePoint domain. No public exploit code or CISA KEV listing has been identified at time of analysis, though the broad enterprise deployment footprint of SharePoint elevates real-world relevance beyond the moderate CVSS score.
Cross-site scripting in Microsoft SharePoint Server (2016, 2019, and Subscription Edition) enables a network-based attacker to perform spoofing by injecting malicious script into web page generation, affecting the confidentiality and integrity of victim sessions. The attack requires user interaction - a victim must click or load attacker-controlled content - which limits opportunistic exploitation but makes it viable via phishing or social engineering. No public exploit code exists and the vulnerability is not listed in the CISA KEV catalog at time of analysis; however, vendor-released patches are confirmed across all three affected release lines.
Local code execution in Microsoft Office is possible via a heap-based buffer overflow that an unauthorized attacker can trigger without user interaction, yielding full confidentiality, integrity, and availability impact on the host. The flaw is rated 8.4 (CVSS:3.1) and was disclosed by Microsoft's Security Response Center, but no public exploit has been identified at the time of analysis. Despite the CWE-121 tagging as a stack overflow, the description and CWE-122 class indicate the corruption occurs on the heap, so defenders should treat this as a memory-corruption RCE-class issue requiring prompt patching.
Stored or reflected cross-site scripting in Microsoft SharePoint Server enables an authenticated network attacker to perform spoofing attacks against other users by injecting malicious script into web page output. Affected products span three SharePoint Server product lines - 2016 Enterprise, 2019, and Subscription Edition - all on build version 16.0.x below their respective patched thresholds. Microsoft has released patches across all affected branches; no public exploit identified at time of analysis, and this CVE is not listed in the CISA KEV catalog.
Local code execution in Microsoft Office via a heap-based buffer overflow that lets an unauthorized attacker run arbitrary code in the context of the current user. The flaw carries a CVSS 8.4 rating driven by high impact across confidentiality, integrity, and availability, and no public exploit identified at time of analysis. Despite the 'unauthorized' wording, the CVSS vector specifies a local attack vector, indicating the attacker must already be able to deliver a crafted file or run code on the target system.
Out-of-bounds read (buffer over-read) in Microsoft Office exposes sensitive memory contents to a local attacker who can induce a user to open a specially crafted file. Affecting a broad surface including Microsoft 365 Apps for Enterprise, Office LTSC 2021/2024, Office 2019, and mobile/Mac variants, the vulnerability carries a CVSS 4.7 (Medium) with high confidentiality impact but no integrity or availability consequence. No public exploit identified at time of analysis and the vulnerability is not listed in CISA KEV, but the wide deployment footprint of Microsoft Office makes even targeted information disclosure attacks operationally significant.
Excel across multiple Microsoft Office product lines fails to properly enforce an internal protection mechanism, enabling a local attacker to bypass a security feature and access limited confidential data within the process context. Affected builds span Microsoft 365 Apps for Enterprise, Office LTSC 2024, and Mac variants of Office. With a CVSS score of 3.3, this is a low-severity finding - no public exploit has been identified at time of analysis, and exploitation requires both local system access and deliberate user interaction.
Local code execution in Microsoft Office via a type confusion flaw (CWE-416) permits unauthorized attackers to run arbitrary code in the context of the Office process without requiring privileges or user interaction. The issue carries a high CVSS 3.1 score of 8.4 with full impact across confidentiality, integrity, and availability, though exploitation requires local attack vector access to the target system. No public exploit identified at time of analysis, and the vulnerability is not currently listed in CISA KEV.
Local code execution in Microsoft Office Word is possible through an untrusted pointer dereference (CWE-125 out-of-bounds read) that an attacker can trigger by convincing a user to open a malicious document. The CVSS 7.8 vector (AV:L/AC:L/PR:N/UI:R) reflects high impact to confidentiality, integrity, and availability once the booby-trapped file is opened, though no public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Local code execution in Microsoft Office stems from a type confusion (CWE-843) flaw that allows an unauthenticated attacker with local access to run arbitrary code in the context of the Office process. The CVSS 8.4 score reflects high impact on confidentiality, integrity, and availability without requiring privileges or user interaction, though the attack vector is local. No public exploit is identified at time of analysis and the issue is not listed in CISA KEV.
Out-of-bounds read in Microsoft Excel exposes limited memory contents to a local attacker when a user opens a specially crafted workbook. Affected product lines span Excel 2016, Office 2019, Office LTSC 2021/2024, Microsoft 365 Apps for Enterprise, Office Online Server, and multiple Mac variants. With a CVSS score of 3.3 (Low), no public exploit identified at time of analysis, and no CISA KEV listing, this is a low-urgency information disclosure issue - though a notable conflict exists between the description's claim of network-based disclosure and the CVSS AV:L (local) vector that warrants verification against the vendor advisory.
Path traversal in Microsoft SharePoint Server (2016, 2019, and Subscription Edition) enables an authenticated low-privileged attacker to execute code over a network by escaping the intended directory scope. Affected builds span all three actively maintained SharePoint Server product lines, with vendor-confirmed patches available for each. No public exploit code has been identified at time of analysis, and this CVE is not currently listed in the CISA KEV catalog; however, the low attack complexity (AC:L) and no user interaction requirement (UI:N) make it a credible target for exploitation once an attacker has any valid SharePoint credential.
Cross-site scripting in Microsoft SharePoint Server on-premises deployments (2016, 2019, and Subscription Edition) enables network-based spoofing attacks by injecting malicious script into pages rendered within victims' browser sessions. All three actively supported SharePoint on-premises product lines are affected across broad version ranges, with fixed releases confirmed in the June 2026 patch cycle. No public exploit code has been identified at time of analysis and the vulnerability is absent from the CISA KEV catalog, but low attack complexity and wide enterprise deployment footprint make prompt patching a reasonable priority.
Local code execution in Microsoft Office is possible through a heap-based buffer overflow (CWE-122) that triggers when a user opens or previews a maliciously crafted document. The CVSS 7.8 score reflects local attack vector with required user interaction, and no public exploit identified at time of analysis. Successful exploitation yields full confidentiality, integrity, and availability impact in the context of the current user.
Local code execution in Microsoft Office Excel stems from an integer underflow that, when triggered by opening a crafted spreadsheet, allows an attacker to run arbitrary code in the context of the current user. The CVSS 3.1 vector (AV:L/AC:L/PR:N/UI:R) confirms exploitation requires the victim to open a malicious file, and there is no public exploit identified at time of analysis. With a base score of 7.8 and full confidentiality, integrity, and availability impact, successful exploitation effectively gives the attacker the victim's privileges on the host.
Information disclosure in Microsoft Office Excel allows remote unauthenticated attackers to read out-of-bounds memory over a network, potentially exposing sensitive data from process memory. The CVSS 8.2 score reflects high confidentiality impact with no authentication or user interaction required per the CVSS vector. No public exploit identified at time of analysis and the vulnerability is not currently listed in CISA KEV.
Out-of-bounds read in Microsoft Office triggers local information disclosure when a victim opens a crafted document, exposing adjacent memory contents with high confidentiality impact. The vulnerability spans a wide product surface including Office 2016 through LTSC 2024, Microsoft 365 Apps for Enterprise, multiple SharePoint Server versions, and Mac variants, as confirmed by EUVD-2026-35664. No public exploit or CISA KEV listing is identified at time of analysis; vendor-released patches are available across affected product lines.
Local code execution in Microsoft Office Excel stems from an integer underflow condition that can be triggered when a victim opens a malicious spreadsheet, leading to out-of-bounds memory access (CWE-125). The flaw requires user interaction but no prior authentication on the target, and no public exploit identified at time of analysis. With a CVSS of 7.8 (high) and the typical phishing-friendly delivery model of Office files, this fits the profile of a document-based client-side RCE primitive.
Local code execution in Microsoft Office is possible when a user opens a maliciously crafted document that triggers a heap-based buffer overflow (CWE-122), allowing the attacker to run arbitrary code in the context of the opened Office process. The CVSS 7.8 (AV:L/AC:L/PR:N/UI:R) reflects a user-interaction-driven local exploit rather than a remote network attack, and no public exploit identified at time of analysis. The flaw was reported through Microsoft Security Response Center (secure@microsoft.com) and is tracked in MSRC's update guide.
Local code execution in Microsoft Office Excel can be achieved by an unauthenticated attacker who tricks a user into opening a malicious spreadsheet that triggers an integer underflow condition. The flaw carries a CVSS 7.0 rating reflecting high attack complexity and required user interaction, and no public exploit identified at time of analysis. There is a notable mismatch between the description (integer underflow) and the assigned CWE-362 (race condition), which warrants verification with Microsoft's advisory.
Local code execution in Microsoft Office Excel arises from an integer underflow condition that corrupts memory when a malicious spreadsheet is opened. The flaw requires user interaction (UI:R) to trigger but needs no prior authentication, enabling attackers to run arbitrary code in the security context of the victim user. At the time of analysis, no public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Remote code execution in the Windows DHCP Client is possible when a stack-based buffer overflow (CWE-121) is triggered by a crafted DHCP server response, allowing an unauthorized network attacker to run arbitrary code with no user interaction. The flaw carries a CVSS 9.8 critical rating reflecting network reachability, low complexity, and full impact on confidentiality, integrity, and availability, and no public exploit identified at time of analysis. Because the DHCP client runs early in the network stack on virtually every Windows host, successful exploitation grants attacker-controlled code execution in a highly privileged context.
Out-of-bounds heap read in the Windows Desktop Window Manager (DWM) Core Library on Windows 11 26H1 enables authenticated local attackers to disclose high-confidence confidentiality data without user interaction. The CVSS vector (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N) confirms low-complexity local exploitation limited to a single authenticated session, with no integrity or availability impact. No public exploit code has been identified at time of analysis, and the vulnerability does not appear in the CISA KEV catalog.
Local privilege escalation in the Windows Desktop Window Manager (DWM) Core Library enables an authenticated low-privilege attacker to gain elevated rights through a use-after-free memory corruption flaw. The issue carries a CVSS 7.8 (High) rating with total confidentiality, integrity, and availability impact, and no public exploit identified at time of analysis. CISA SSVC scoring marks exploitation as 'none' and not automatable, suggesting limited real-world activity despite the severe technical impact.
Local code execution in Microsoft Windows Win32K GRFX (graphics) subsystem allows an attacker with low-privilege local access to run arbitrary code by triggering an integer overflow, after coaxing a user into interacting with a crafted graphics object. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV, though Win32K bugs historically attract rapid exploit development for privilege escalation in post-compromise chains.
Local privilege escalation in the Windows Desktop Window Manager (DWM) Core Library allows an authenticated low-privileged user to elevate to higher privileges on the host by triggering a use-after-free condition. The flaw was reported by Microsoft (MSRC) and carries a CVSS 7.8 with no public exploit identified at time of analysis. EPSS data was not provided and the issue is not currently listed in CISA KEV.
Local privilege escalation in Windows Cryptographic Services on Windows 11 (23H2 through 26H1) and Windows Server 2022/2025 allows a low-privileged authenticated user to elevate to higher privileges through an improper authentication flaw (CWE-287). Microsoft has released patches via MSRC, and while no public exploit identified at time of analysis, CISA SSVC rates the technical impact as total, meaning successful exploitation yields full system compromise. EPSS probability is very low (0.06%), reflecting the local attack vector and absence of known exploitation activity.
Local privilege escalation in the Windows Common Log File System (CLFS) Driver allows an authenticated low-privileged attacker to elevate to SYSTEM via a use-after-free memory corruption flaw. The vulnerability carries a CVSS 7.8 rating with high impact across confidentiality, integrity, and availability, and no public exploit identified at time of analysis. CLFS has a long history of being targeted for kernel-level privilege escalation, making this class of bug a recurring concern for Windows defenders.
Local privilege escalation in the Windows Desktop Window Manager (DWM) Core Library stems from a use-after-free condition (CWE-122) that lets an authenticated low-privileged user gain elevated rights on affected Windows systems. The flaw was reported by Microsoft (secure@microsoft.com) and tracked via MSRC, with no public exploit identified at time of analysis and no CISA KEV listing. CVSS 7.8 reflects high impact on confidentiality, integrity, and availability once the attacker has local foothold.
Local privilege escalation in Microsoft Windows Desktop Window Manager (DWM) Core Library allows an authenticated low-privileged user to elevate to SYSTEM via a use-after-free memory corruption flaw. CVSS 7.8 with high impact to confidentiality, integrity, and availability, but currently no public exploit identified at time of analysis and CISA SSVC rates exploitation status as 'none' with automation as 'no'.
Use-after-free in the Windows Network Controller (NC) Host Agent enables a locally authenticated attacker to crash the service, resulting in a denial of service on affected Windows Server deployments. The vulnerability carries a CVSS score of 5.5 (Medium) with local attack vector and low-privilege requirements, limiting its blast radius to service availability - confidentiality and integrity are unaffected. No public exploit code exists and CISA KEV listing is absent at time of analysis, though a vendor patch from Microsoft is available and should be prioritized on Windows Server deployments leveraging Software Defined Networking.
Local privilege escalation in the Windows Desktop Window Manager (DWM) Core Library allows an authenticated low-privileged user to elevate to higher privileges by exploiting a use-after-free memory corruption flaw (CWE-416). The issue was reported by Microsoft's security team (secure@microsoft.com) and tracked via MSRC, with no public exploit identified at time of analysis. Successful exploitation yields full confidentiality, integrity, and availability impact on the local host.
Local code execution in the Windows Win32K GRFX (graphics) subsystem allows an unauthorized attacker with the ability to run code locally to escalate privileges through an integer overflow. The flaw was reported by Microsoft (MSRC) and carries a CVSS 7.8, but requires user interaction (UI:R) and local access (AV:L), and no public exploit identified at time of analysis.
Local privilege escalation in the Windows Desktop Window Manager (DWM) Core Library allows an authenticated low-privilege attacker to gain higher privileges through a use-after-free memory corruption flaw. The vulnerability carries a CVSS score of 7.8 with high impact across confidentiality, integrity, and availability, and no public exploit identified at time of analysis. Successful exploitation typically yields SYSTEM-level code execution on the affected Windows host.
Remote code execution in the Windows Kernel allows unauthenticated network attackers to execute arbitrary code by triggering a use-after-free condition (CWE-122 heap-related memory corruption). The flaw was reported by Microsoft (secure@microsoft.com) and carries a critical CVSS 9.8 with no public exploit identified at time of analysis. Tag metadata indicates the bug can also be leveraged for heap overflow and denial-of-service outcomes.
Security feature bypass in Windows UEFI allows an authenticated local attacker with low privileges to circumvent a protection mechanism, resulting in high confidentiality, integrity, and availability impact on the host. The flaw is rooted in CWE-693 (Protection Mechanism Failure) within the Windows UEFI firmware layer, and Microsoft (secure@microsoft.com) is the reporting CNA. No public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV.
BitLocker drive encryption on Windows can be bypassed by a physically present, unauthenticated attacker, exposing protected volume contents with high confidentiality impact. Classified as CWE-693 (Protection Mechanism Failure), the flaw undermines BitLocker's core threat model - data-at-rest protection - across a wide range of Windows 10, Windows 11, and Windows Server releases from 2012 through 2025. No public exploit has been identified at time of analysis, and Microsoft has released patches for all affected versions; however, the physical access requirement means organizations with mobile or physically accessible systems should treat this as a higher operational priority than the CVSS score alone implies.
Secure Boot bypass on Microsoft Windows allows an authorized local attacker with high privileges to defeat a platform integrity protection mechanism, leading to compromise of confidentiality and integrity outside the original security boundary. The scope-changed CVSS 7.9 rating reflects that successful exploitation breaks out of the Secure Boot trust domain, though no public exploit is identified at time of analysis and the issue is not listed in CISA KEV. Microsoft (secure@microsoft.com) issued the advisory via MSRC, and the weakness is classified as improper access control (CWE-284).
Local privilege escalation in Microsoft Windows Kernel allows an authenticated low-privilege attacker to elevate to SYSTEM by triggering a use-after-free condition in kernel memory. The flaw carries a CVSS 7.0 rating with high attack complexity, and no public exploit identified at time of analysis. Exploitation requires a race condition or specific timing to be won, which constrains reliable weaponization but does not eliminate the risk on multi-user or shared Windows hosts.
UI misrepresentation of critical information in Microsoft Bing Search for Android (versions below 33.3) enables unauthenticated network-based attackers to spoof content displayed to end users. The vulnerability (CWE-451) causes the application to render or present critical information-such as URLs, security indicators, or source attribution-in a misleading way, enabling deception attacks. No public exploit has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog; however, the zero-privilege-required, low-complexity network vector makes it accessible to opportunistic attackers targeting users of the unpatched Android application.
Local spoofing in Microsoft Office for Android lets an unauthorized attacker manipulate trust-affecting content or identity indicators after a user interacts with malicious input on the device. The CVSS 7.1 score reflects high confidentiality and integrity impact with no special privileges required, though the local attack vector and required user interaction limit remote exploitability. No public exploit identified at time of analysis and the issue is not on the CISA KEV list.
Local privilege escalation in Microsoft Defender for Endpoint for Mac (versions 101.0.0 through 101.26042.0010) allows an authenticated local attacker to win a time-of-check/time-of-use race and gain elevated privileges on the host. No public exploit identified at time of analysis, and EPSS is very low (0.05%), but SSVC rates technical impact as 'total' because successful exploitation yields full compromise of the endpoint security agent.
Local code execution in Microsoft Office is possible through a heap-based buffer overflow (CWE-822) that triggers when a user opens a maliciously crafted document. The CVSS 7.8 vector (AV:L/AC:L/PR:N/UI:R) reflects a classic client-side file-format attack requiring user interaction but no prior authentication, yielding full confidentiality, integrity, and availability impact on the targeted workstation. There is no public exploit identified at time of analysis and the CVE is not listed in CISA KEV, but Office document parsers are historically high-value targets and the vulnerability was reported by Microsoft's own MSRC team.
Privilege elevation via stored or reflected cross-site scripting in Microsoft Live Share Canvas SDK enables an authenticated attacker on the network to execute script in another user's browser context and gain elevated permissions within collaborative Live Share sessions. The CVSS 8.0 vector reflects high impact across confidentiality, integrity, and availability, though successful exploitation requires both low-level authentication and user interaction. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Local code execution in Microsoft Office Word arises from an untrusted pointer dereference (CWE-822) that can be triggered when a victim opens a crafted document. Successful exploitation grants the attacker the privileges of the current user with high impact to confidentiality, integrity, and availability, though no public exploit identified at time of analysis. The CVSS 3.1 base score of 7.8 reflects the requirement for user interaction but no prior authentication.
Spoofing via improper input validation affects Microsoft Azure Attestation service and the Device Health Attestation Service component across a broad range of Windows OS versions, from Windows Server 2012 through Windows Server 2025 and Windows 10/11. An authorized attacker with high privileges and physical access to the target device can manipulate attestation inputs to spoof device health or platform integrity status, achieving a high-integrity impact with no confidentiality or availability consequence. No public exploit code has been identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog; the CVSS score of 3.9 (Low) reflects the significant physical and privilege barriers to exploitation.
Local code execution in Microsoft Windows Hyper-V allows an authenticated attacker on a guest or host to escape sandbox boundaries by triggering an out-of-bounds read condition (CWE-843, type confusion) in the hypervisor. The flaw affects Windows 10 (21H2/22H2), Windows 11 (23H2/24H2/25H2/26H1), and Windows Server 2022/2025, with a vendor-released patch available and no public exploit identified at time of analysis. EPSS scoring of 0.15% and SSVC exploitation status of 'none' suggest limited near-term exploitation likelihood despite total technical impact potential.
Local privilege escalation in the Windows Bluetooth Port Driver allows an authorized low-privileged attacker to elevate to higher privileges by triggering a use-after-free condition in the kernel-mode driver. The flaw is reported by Microsoft Security Response Center and carries a CVSS 7.0 (high) rating with high attack complexity, and no public exploit identified at time of analysis. EPSS data and CISA KEV status were not provided in the input, so widespread exploitation is not confirmed.
Information disclosure in Microsoft Windows Remote Desktop Protocol (RDP) allows remote unauthenticated attackers to read out-of-bounds memory over the network, potentially exposing sensitive data from the RDP service process. The flaw is reachable without authentication or user interaction across any exposed RDP endpoint, and no public exploit identified at time of analysis. Microsoft has assigned the issue a CVSS 3.1 score of 7.5 reflecting high confidentiality impact with no integrity or availability effect.
Local privilege escalation in the Windows Ancillary Function Driver (AFD.sys) for WinSock allows an authenticated low-privileged user to gain SYSTEM-level access through a use-after-free condition. The flaw was reported by Microsoft (MSRC) and carries a CVSS 7.8 score with high impact across confidentiality, integrity, and availability. No public exploit identified at time of analysis, though the AFD.sys driver has a long history of similar bugs being weaponized post-disclosure.
Local privilege escalation in Microsoft Windows Desktop Window Manager (DWM) Core Library enables an authorized low-privileged user to gain elevated privileges through a use-after-free memory corruption flaw. The vulnerability carries a CVSS 3.1 score of 7.8 with high impact on confidentiality, integrity, and availability, and no public exploit identified at time of analysis. Exploitation requires the attacker to already have local code execution as a standard user, making it a strong candidate for post-compromise chaining toward SYSTEM-level access.
Local code execution in Windows NTFS allows an unauthorized attacker to run arbitrary code on the target system by triggering a heap-based buffer overflow, with no public exploit identified at time of analysis. The CVSS 7.8 rating reflects high impact across confidentiality, integrity, and availability, but exploitation requires local vector and user interaction. Microsoft (secure@microsoft.com) is the assigning CNA, indicating a first-party vendor advisory via MSRC.
Out-of-bounds read in the Windows DHCP Server service enables a locally authenticated, low-privileged attacker to disclose contents of process memory on affected systems. The CVSS vector (AV:L/AC:L/PR:L/UI:N) confirms this is a local, low-complexity attack requiring only standard user privileges - no elevated rights or user interaction needed. Exploitation is constrained to hosts where the Windows DHCP Server role is actively installed and running, which significantly limits the attack surface to designated infrastructure servers rather than general workstations. No public exploit code has been identified at time of analysis, and this CVE does not appear in the CISA KEV catalog.
Out-of-bounds read in Windows DHCP Server exposes adjacent memory contents and can crash the service, yielding both information disclosure and a high-severity denial-of-service condition on affected Windows systems. The flaw (CWE-125) is exploitable locally with low attack complexity and no user interaction, targeting systems where the DHCP Server role is installed across a broad range of Windows 10, 11, and Server editions from 2012 through 2025. No public exploit has been identified at time of analysis, and Microsoft has released patched builds via the MSRC update guide (CVE-2026-45608).
Local code execution in Microsoft Windows Hyper-V allows an authenticated low-privilege attacker to run arbitrary code on the host via an out-of-bounds read (CWE-125) in the hypervisor. The flaw affects a broad swath of Windows 10, Windows 11, and Windows Server builds running Hyper-V, and Microsoft has released patches. No public exploit identified at time of analysis and EPSS is very low (0.06%), but SSVC technical impact is rated total.
Out-of-bounds read in Microsoft's UxTheme Library (uxtheme.dll) enables a locally authenticated attacker to crash the affected Windows system, resulting in denial of service. The vulnerability spans a broad swath of Windows releases - from Server 2012 through Windows 11 26H1 and Windows Server 2025 - making patch surface management critical for enterprise environments. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog.
Local privilege escalation in the Windows Bluetooth Service stems from a use-after-free condition (CWE-416) that an authenticated low-privilege user can trigger to gain elevated rights on the host. The CVSS 7.8 vector (AV:L/AC:L/PR:L/UI:N) reflects a fully local attack with high impact across confidentiality, integrity, and availability, and no public exploit has been identified at time of analysis. The flaw was reported by Microsoft (secure@microsoft.com) and tracked in the MSRC update guide.
Out-of-bounds read in the Windows Application Identity (AppID) Subsystem exposes sensitive kernel or process memory to a local authenticated attacker without requiring elevated privileges or user interaction. Affected builds span Windows 11 versions 23H2 through 26H1 and Windows Server 2025, including Server Core installations. No public exploit code has been identified at time of analysis and this CVE does not appear in the CISA KEV catalog, though the high confidentiality impact (CVSS C:H) indicates meaningful data exposure potential when triggered.
Local privilege escalation in the Windows Ancillary Function Driver for WinSock (afd.sys) allows an authenticated low-privileged user to elevate to SYSTEM by winning a race condition that triggers a use-after-free. The flaw is reported by Microsoft (MSRC) and carries CVSS 7.0 with high attack complexity, but no public exploit is identified at time of analysis and it is not listed in CISA KEV.
Remote tampering in Microsoft Windows DHCP Server allows unauthenticated network attackers to manipulate critical data with high confidentiality and integrity impact, as reflected by the 9.1 CVSS score. The vulnerability is reachable over the network without privileges or user interaction, and no public exploit identified at time of analysis. The combination of authentication bypass tagging and DHCP's role as a core network infrastructure service makes this a high-priority issue for any Windows environment running the DHCP Server role.
Local privilege escalation in the Windows Ancillary Function Driver for WinSock (AFD.sys) allows an authenticated low-privileged attacker to win a race condition and gain SYSTEM-level execution. The flaw is a use-after-free triggered through concurrent WinSock operations, and at time of analysis no public exploit has been identified and the CVE is not on the CISA KEV list.
Local privilege escalation in Microsoft Windows Kernel-Mode Drivers allows an authenticated low-privileged user to elevate to SYSTEM via a type confusion (CWE-843) flaw. The vulnerability carries a CVSS 7.8 (High) with low attack complexity and no user interaction once local access is obtained, though no public exploit identified at time of analysis. Reported by Microsoft's MSRC, this fits the recurring pattern of Windows kernel driver EoP bugs frequently abused in post-compromise stages.
Local privilege escalation in the Windows Ancillary Function Driver for WinSock (afd.sys) allows an authenticated low-privileged user to win a race condition and trigger a use-after-free, enabling code execution at kernel level. No public exploit identified at time of analysis, but AFD.sys has a long history of being a preferred LPE target and Microsoft has marked the issue as important. EPSS data was not provided in the source feed.
Local privilege escalation in the Windows Ancillary Function Driver for WinSock (afd.sys) allows an authenticated local user to gain SYSTEM-level rights by winning a race condition that leads to a use-after-free in kernel memory. The flaw affects Windows installations where afd.sys is loaded (effectively all desktop and server SKUs) and was reported by Microsoft Security Response Center; no public exploit identified at time of analysis and the vulnerability is not listed on the CISA KEV catalog.
Mark of the Web (MOTW) protection mechanism failure across a broad range of Windows client and server releases allows unauthenticated network-based attackers to deliver files that evade the Zone.Identifier security tag, bypassing downstream defenses such as SmartScreen and Office Protected View that depend on MOTW presence. User interaction is required to trigger the bypass, limiting automated mass exploitation. No public exploit code exists and CISA has not listed this in KEV; however, the breadth of affected Windows versions - spanning Windows 10 1607 through Windows 11 26H1 and Windows Server 2012 R2 through 2025 - gives this vulnerability significant surface area as a link in social-engineering attack chains.
Information disclosure in the Windows Application Identity (AppID) Subsystem exposes sensitive data to locally authenticated, low-privileged attackers across a broad range of Windows 10, Windows 11, and Windows Server versions. The CVSS vector (AV:L/AC:L/PR:L/UI:N) confirms that exploitation requires only a local session with standard user privileges - no elevated rights or user interaction needed. No public exploit code or CISA KEV listing has been identified at time of analysis, but the wide affected surface spanning consumer and server SKUs makes patching a meaningful priority in multi-user or shared-system environments.
Local privilege escalation in Microsoft Windows SDK enables an authenticated low-privileged attacker to elevate to higher privileges by exploiting a use-after-free memory corruption flaw. The CVSS 7.8 (AV:L/AC:L/PR:L) profile reflects local attack with low complexity and low privileges required, yielding full confidentiality, integrity, and availability impact. No public exploit identified at time of analysis and the vulnerability is not currently listed in CISA KEV.
Local privilege escalation in Microsoft Windows Internet (wininet.dll) allows an authenticated low-privileged attacker to elevate to higher privileges by triggering an integer overflow condition. With a CVSS score of 7.8 and full impact on confidentiality, integrity, and availability, this flaw represents a meaningful post-compromise risk on affected Windows systems, though no public exploit identified at time of analysis. The vulnerability has been reported by Microsoft's own security team (secure@microsoft.com), indicating internal discovery and coordinated disclosure.
Security feature bypass in Windows Secure Boot enables a high-privileged local attacker to circumvent boot-time integrity protections, undermining the chain of trust that prevents unauthorized firmware and bootloader code from executing. The flaw (CWE-693, Protection Mechanism Failure) carries a CVSS 7.9 rating driven by scope change and high confidentiality/integrity impact, and no public exploit identified at time of analysis. Because Secure Boot is the foundation for downstream protections like BitLocker, Virtualization-Based Security, and Measured Boot, bypass enables persistent pre-OS implants that survive reimaging.
Local privilege escalation in Windows Collaborative Translation Framework permits an authorized low-privileged user to gain elevated rights on affected Windows systems by abusing improper symbolic link resolution before file access. The flaw yields high confidentiality, integrity, and availability impact (CVSS 7.8) but requires existing local access. No public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Remote code execution in Microsoft Exchange Server allows an unauthenticated network-based attacker to execute arbitrary code on the mail server through code injection, though successful exploitation requires user interaction and faces high attack complexity. No public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV. The vulnerability is rated CVSS 7.5 with full confidentiality, integrity, and availability impact on a compromised Exchange host.
Privilege escalation via server-side request forgery in Microsoft Exchange Server allows an authenticated attacker with low-level network access to coerce the Exchange server into making attacker-controlled requests, resulting in high impact to confidentiality, integrity, and availability. The flaw is network-exploitable with low complexity (CVSS 8.8) but requires prior authentication, and no public exploit identified at time of analysis. As a Microsoft-discovered issue (reported by secure@microsoft.com), it is consistent with the broader pattern of Exchange SSRF chains used to pivot to elevated mailbox or domain access.
Server-side request forgery in Microsoft Exchange Server allows an authenticated attacker with low privileges to coerce the Exchange server into making arbitrary outbound requests, resulting in disclosure of sensitive information and potential integrity impact across internal network resources. The CVSS 8.1 score reflects the high confidentiality and integrity impact from a network-reachable, low-complexity attack, though no public exploit identified at time of analysis. The vulnerability is tagged as an Authentication Bypass / SSRF, suggesting the SSRF primitive may be leveraged to bypass network-based authentication boundaries (e.g., reaching internal trusted endpoints).
Server-side request forgery in Microsoft Exchange Server enables an authenticated low-privilege attacker to coerce the server into issuing outbound network requests to internal or external resources, resulting in information disclosure. Affected deployments span Exchange Server 2016 CU23, Exchange Server 2019 CU14 and CU15, and the current Subscription Edition - all at versions below their respective patched builds. No public exploit code exists and the vulnerability is not listed in the CISA KEV catalog at time of analysis, but the Changed scope in the CVSS vector indicates the server can reach resources beyond its own trust boundary, amplifying reconnaissance value for an already-authenticated adversary.
Cross-site scripting and server-side request forgery in Microsoft Exchange Server enables authenticated low-privilege network attackers to perform spoofing and exfiltrate sensitive information. Affected are Exchange Server 2016 CU23, 2019 CU14, 2019 CU15, and the Subscription Edition RTM release lines, all below their respective patched cumulative update builds. No public exploit identified at time of analysis and the vulnerability is not listed in the CISA KEV catalog, though Microsoft has released patches across all affected branches.
Cross-site scripting in Microsoft Exchange Server's web interface enables unauthenticated remote attackers to perform spoofing attacks against users of Exchange Server 2016, 2019, and Subscription Edition. The CVSS vector (PR:N/UI:R/S:C) indicates no attacker authentication is required, but a victim must interact with a crafted link, and the Changed Scope means injected scripts can cross browser security boundaries within the Exchange session. No public exploit has been identified at time of analysis, and vendor-released patches are available addressing all affected cumulative update branches.
Local code execution in Microsoft Office Word is possible when a user opens a maliciously crafted document that triggers an untrusted pointer dereference (CWE-416 use-after-free). The flaw lets an unauthorized attacker execute arbitrary code in the context of the current user, and no public exploit identified at time of analysis. Risk hinges on user interaction (UI:R), making phishing-style document delivery the realistic attack pathway.
Out-of-bounds read in Microsoft Office and SharePoint Server exposes low-level memory contents to a local attacker when a victim opens a crafted document. Affected products span Microsoft 365 Apps for Enterprise, Office 2016/2019/LTSC 2021/2024, Office for Mac variants, and SharePoint Server 2016/2019/Subscription Edition - all at version 16.0.x baselines. The CVSS score of 3.3 (Low) reflects constrained impact: confidentiality is only partially affected, integrity and availability are untouched, and exploitation requires both local access and user interaction. No public exploit identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog.
Privilege escalation in Microsoft Office SharePoint allows an authenticated network attacker to elevate privileges by submitting maliciously crafted serialized data that the server deserializes without proper validation. The CVSS 8.8 score reflects high impact across confidentiality, integrity, and availability combined with low attack complexity, though the PR:L requirement means the attacker must already hold at least a low-privileged SharePoint account. No public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV.
Stored or reflected cross-site scripting in Microsoft SharePoint Server (the platform underlying Office Project Server) enables an authenticated low-privileged attacker to inject malicious script into web-rendered content, facilitating spoofing attacks against other users. The CVSS vector (PR:L/UI:R) confirms exploitation requires an authenticated account and victim interaction, constraining opportunistic use. No public exploit code has been identified at time of analysis, a vendor patch has been released, and no CISA KEV listing is present.
Stored or reflected cross-site scripting in Microsoft Office SharePoint allows an authenticated low-privileged attacker to inject script that executes in another user's browser session, enabling spoofing and high-impact disclosure or modification of data rendered in the victim's context. The CVSS 7.3 vector requires user interaction and existing access to the SharePoint site, and no public exploit identified at time of analysis. The flaw is consistent with the CWE-79 class of input neutralization failures during web page generation.
Cross-site scripting in Microsoft SharePoint allows an authenticated network attacker to perform spoofing attacks by injecting malicious script into web page content. Affected products include SharePoint Enterprise Server 2016, SharePoint Server 2019, and SharePoint Server Subscription Edition across all builds below their respective patched versions. No public exploit identified at time of analysis, and this CVE is not listed in the CISA KEV catalog; the CVSS score of 4.6 reflects the mandatory user interaction and constrained confidentiality/integrity impact.
Local code execution in Microsoft Office is possible through a heap-based buffer overflow (CWE-122) that an unauthenticated attacker can trigger when a user opens a crafted document. The CVSS 3.1 base score of 7.8 reflects high impact to confidentiality, integrity, and availability, with required user interaction limiting mass exploitation. There is no public exploit identified at time of analysis and the issue is not currently listed on the CISA KEV catalog.
Local code execution in Microsoft Office is possible through a heap-based buffer overflow that an unauthorized attacker can trigger without user interaction. The flaw carries a CVSS 3.1 score of 8.4 with high impact across confidentiality, integrity, and availability, and no public exploit identified at time of analysis. Despite requiring local access, the absence of authentication and user-interaction requirements makes this a notable priority for endpoint patching cycles.
Local code execution in Microsoft Office via a heap-based buffer overflow allows an unauthorized attacker to run arbitrary code with the privileges of the user opening a malicious document. The CVSS vector (AV:L/PR:N/UI:N) indicates local attack vector without required authentication or user interaction, an unusual combination that warrants verification against the vendor advisory. No public exploit identified at time of analysis and the issue is not currently listed in CISA KEV.
Local code execution in Microsoft Office Word enables an attacker to run arbitrary code in the context of the current user by tricking them into opening a malicious document that triggers an untrusted pointer dereference. With a CVSS 7.8 score and no public exploit identified at time of analysis, the flaw is exploited locally but unauthenticated, relying on user interaction to open a crafted file. Microsoft has issued an advisory via the MSRC Security Update Guide.
Local code execution in Microsoft Office Excel results from an integer underflow (CWE-122 heap-based) that allows an unauthorized attacker to run arbitrary code in the context of the user opening a crafted spreadsheet. The CVSS 7.8 score reflects local attack vector with required user interaction, and no public exploit identified at time of analysis. Microsoft (secure@microsoft.com) is the originating CNA, and the issue is tagged as a buffer/heap overflow class flaw.
Cross-site scripting in Microsoft SharePoint Server allows an authenticated low-privileged attacker to inject malicious scripts into SharePoint-generated web pages, enabling spoofing attacks against other authenticated users over the network. Three product lines are confirmed affected: SharePoint Server Subscription Edition, SharePoint Server 2019, and SharePoint Enterprise Server 2016, each with specific patched build thresholds. No public exploit code has been identified at time of analysis, and Microsoft has released patches for all three product lines.
Stored or reflected cross-site scripting in Microsoft SharePoint on-premises deployments enables an authenticated attacker to perform spoofing attacks against other users over a network. Affected products span three major on-premises release lines: SharePoint Enterprise Server 2016, SharePoint Server 2019, and SharePoint Server Subscription Edition. The CVSS vector (PR:L, UI:R) confirms exploitation requires a low-privileged authenticated account and victim user interaction, meaningfully constraining opportunistic attack. No active exploitation has been confirmed (not listed in CISA KEV), and no public exploit code has been identified at time of analysis.
Heap-based buffer overflow in Microsoft Office Word exposes limited local memory contents when a user opens a specially crafted document. Affecting multiple Office product lines including Microsoft 365 Apps for Enterprise, Office LTSC 2021, LTSC 2024, and their Mac counterparts, the vulnerability carries a CVSS score of 3.3 (Low) and is constrained to confidentiality impact only, with no integrity or availability consequences. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog.
Cross-site scripting in Microsoft SharePoint Enterprise Server 2016, SharePoint Server 2019, and SharePoint Server Subscription Edition enables network-based spoofing attacks by injecting malicious scripts into rendered web page output. The vulnerability carries a CVSS 5.4 (Medium) score with low attack complexity and no privilege requirement per the CVSS vector, but requires victim user interaction - a pattern consistent with reflected or stored XSS leading to in-browser script execution within a trusted SharePoint domain. No public exploit code or CISA KEV listing has been identified at time of analysis, though the broad enterprise deployment footprint of SharePoint elevates real-world relevance beyond the moderate CVSS score.
Cross-site scripting in Microsoft SharePoint Server (2016, 2019, and Subscription Edition) enables a network-based attacker to perform spoofing by injecting malicious script into web page generation, affecting the confidentiality and integrity of victim sessions. The attack requires user interaction - a victim must click or load attacker-controlled content - which limits opportunistic exploitation but makes it viable via phishing or social engineering. No public exploit code exists and the vulnerability is not listed in the CISA KEV catalog at time of analysis; however, vendor-released patches are confirmed across all three affected release lines.
Local code execution in Microsoft Office is possible via a heap-based buffer overflow that an unauthorized attacker can trigger without user interaction, yielding full confidentiality, integrity, and availability impact on the host. The flaw is rated 8.4 (CVSS:3.1) and was disclosed by Microsoft's Security Response Center, but no public exploit has been identified at the time of analysis. Despite the CWE-121 tagging as a stack overflow, the description and CWE-122 class indicate the corruption occurs on the heap, so defenders should treat this as a memory-corruption RCE-class issue requiring prompt patching.
Stored or reflected cross-site scripting in Microsoft SharePoint Server enables an authenticated network attacker to perform spoofing attacks against other users by injecting malicious script into web page output. Affected products span three SharePoint Server product lines - 2016 Enterprise, 2019, and Subscription Edition - all on build version 16.0.x below their respective patched thresholds. Microsoft has released patches across all affected branches; no public exploit identified at time of analysis, and this CVE is not listed in the CISA KEV catalog.
Local code execution in Microsoft Office via a heap-based buffer overflow that lets an unauthorized attacker run arbitrary code in the context of the current user. The flaw carries a CVSS 8.4 rating driven by high impact across confidentiality, integrity, and availability, and no public exploit identified at time of analysis. Despite the 'unauthorized' wording, the CVSS vector specifies a local attack vector, indicating the attacker must already be able to deliver a crafted file or run code on the target system.
Out-of-bounds read (buffer over-read) in Microsoft Office exposes sensitive memory contents to a local attacker who can induce a user to open a specially crafted file. Affecting a broad surface including Microsoft 365 Apps for Enterprise, Office LTSC 2021/2024, Office 2019, and mobile/Mac variants, the vulnerability carries a CVSS 4.7 (Medium) with high confidentiality impact but no integrity or availability consequence. No public exploit identified at time of analysis and the vulnerability is not listed in CISA KEV, but the wide deployment footprint of Microsoft Office makes even targeted information disclosure attacks operationally significant.
Excel across multiple Microsoft Office product lines fails to properly enforce an internal protection mechanism, enabling a local attacker to bypass a security feature and access limited confidential data within the process context. Affected builds span Microsoft 365 Apps for Enterprise, Office LTSC 2024, and Mac variants of Office. With a CVSS score of 3.3, this is a low-severity finding - no public exploit has been identified at time of analysis, and exploitation requires both local system access and deliberate user interaction.
Local code execution in Microsoft Office via a type confusion flaw (CWE-416) permits unauthorized attackers to run arbitrary code in the context of the Office process without requiring privileges or user interaction. The issue carries a high CVSS 3.1 score of 8.4 with full impact across confidentiality, integrity, and availability, though exploitation requires local attack vector access to the target system. No public exploit identified at time of analysis, and the vulnerability is not currently listed in CISA KEV.
Local code execution in Microsoft Office Word is possible through an untrusted pointer dereference (CWE-125 out-of-bounds read) that an attacker can trigger by convincing a user to open a malicious document. The CVSS 7.8 vector (AV:L/AC:L/PR:N/UI:R) reflects high impact to confidentiality, integrity, and availability once the booby-trapped file is opened, though no public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Local code execution in Microsoft Office stems from a type confusion (CWE-843) flaw that allows an unauthenticated attacker with local access to run arbitrary code in the context of the Office process. The CVSS 8.4 score reflects high impact on confidentiality, integrity, and availability without requiring privileges or user interaction, though the attack vector is local. No public exploit is identified at time of analysis and the issue is not listed in CISA KEV.
Out-of-bounds read in Microsoft Excel exposes limited memory contents to a local attacker when a user opens a specially crafted workbook. Affected product lines span Excel 2016, Office 2019, Office LTSC 2021/2024, Microsoft 365 Apps for Enterprise, Office Online Server, and multiple Mac variants. With a CVSS score of 3.3 (Low), no public exploit identified at time of analysis, and no CISA KEV listing, this is a low-urgency information disclosure issue - though a notable conflict exists between the description's claim of network-based disclosure and the CVSS AV:L (local) vector that warrants verification against the vendor advisory.
Path traversal in Microsoft SharePoint Server (2016, 2019, and Subscription Edition) enables an authenticated low-privileged attacker to execute code over a network by escaping the intended directory scope. Affected builds span all three actively maintained SharePoint Server product lines, with vendor-confirmed patches available for each. No public exploit code has been identified at time of analysis, and this CVE is not currently listed in the CISA KEV catalog; however, the low attack complexity (AC:L) and no user interaction requirement (UI:N) make it a credible target for exploitation once an attacker has any valid SharePoint credential.
Cross-site scripting in Microsoft SharePoint Server on-premises deployments (2016, 2019, and Subscription Edition) enables network-based spoofing attacks by injecting malicious script into pages rendered within victims' browser sessions. All three actively supported SharePoint on-premises product lines are affected across broad version ranges, with fixed releases confirmed in the June 2026 patch cycle. No public exploit code has been identified at time of analysis and the vulnerability is absent from the CISA KEV catalog, but low attack complexity and wide enterprise deployment footprint make prompt patching a reasonable priority.
Local code execution in Microsoft Office is possible through a heap-based buffer overflow (CWE-122) that triggers when a user opens or previews a maliciously crafted document. The CVSS 7.8 score reflects local attack vector with required user interaction, and no public exploit identified at time of analysis. Successful exploitation yields full confidentiality, integrity, and availability impact in the context of the current user.
Local code execution in Microsoft Office Excel stems from an integer underflow that, when triggered by opening a crafted spreadsheet, allows an attacker to run arbitrary code in the context of the current user. The CVSS 3.1 vector (AV:L/AC:L/PR:N/UI:R) confirms exploitation requires the victim to open a malicious file, and there is no public exploit identified at time of analysis. With a base score of 7.8 and full confidentiality, integrity, and availability impact, successful exploitation effectively gives the attacker the victim's privileges on the host.
Information disclosure in Microsoft Office Excel allows remote unauthenticated attackers to read out-of-bounds memory over a network, potentially exposing sensitive data from process memory. The CVSS 8.2 score reflects high confidentiality impact with no authentication or user interaction required per the CVSS vector. No public exploit identified at time of analysis and the vulnerability is not currently listed in CISA KEV.
Out-of-bounds read in Microsoft Office triggers local information disclosure when a victim opens a crafted document, exposing adjacent memory contents with high confidentiality impact. The vulnerability spans a wide product surface including Office 2016 through LTSC 2024, Microsoft 365 Apps for Enterprise, multiple SharePoint Server versions, and Mac variants, as confirmed by EUVD-2026-35664. No public exploit or CISA KEV listing is identified at time of analysis; vendor-released patches are available across affected product lines.
Local code execution in Microsoft Office Excel stems from an integer underflow condition that can be triggered when a victim opens a malicious spreadsheet, leading to out-of-bounds memory access (CWE-125). The flaw requires user interaction but no prior authentication on the target, and no public exploit identified at time of analysis. With a CVSS of 7.8 (high) and the typical phishing-friendly delivery model of Office files, this fits the profile of a document-based client-side RCE primitive.
Local code execution in Microsoft Office is possible when a user opens a maliciously crafted document that triggers a heap-based buffer overflow (CWE-122), allowing the attacker to run arbitrary code in the context of the opened Office process. The CVSS 7.8 (AV:L/AC:L/PR:N/UI:R) reflects a user-interaction-driven local exploit rather than a remote network attack, and no public exploit identified at time of analysis. The flaw was reported through Microsoft Security Response Center (secure@microsoft.com) and is tracked in MSRC's update guide.
Local code execution in Microsoft Office Excel can be achieved by an unauthenticated attacker who tricks a user into opening a malicious spreadsheet that triggers an integer underflow condition. The flaw carries a CVSS 7.0 rating reflecting high attack complexity and required user interaction, and no public exploit identified at time of analysis. There is a notable mismatch between the description (integer underflow) and the assigned CWE-362 (race condition), which warrants verification with Microsoft's advisory.
Local code execution in Microsoft Office Excel arises from an integer underflow condition that corrupts memory when a malicious spreadsheet is opened. The flaw requires user interaction (UI:R) to trigger but needs no prior authentication, enabling attackers to run arbitrary code in the security context of the victim user. At the time of analysis, no public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Remote code execution in the Windows DHCP Client is possible when a stack-based buffer overflow (CWE-121) is triggered by a crafted DHCP server response, allowing an unauthorized network attacker to run arbitrary code with no user interaction. The flaw carries a CVSS 9.8 critical rating reflecting network reachability, low complexity, and full impact on confidentiality, integrity, and availability, and no public exploit identified at time of analysis. Because the DHCP client runs early in the network stack on virtually every Windows host, successful exploitation grants attacker-controlled code execution in a highly privileged context.
Out-of-bounds heap read in the Windows Desktop Window Manager (DWM) Core Library on Windows 11 26H1 enables authenticated local attackers to disclose high-confidence confidentiality data without user interaction. The CVSS vector (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N) confirms low-complexity local exploitation limited to a single authenticated session, with no integrity or availability impact. No public exploit code has been identified at time of analysis, and the vulnerability does not appear in the CISA KEV catalog.
Local privilege escalation in the Windows Desktop Window Manager (DWM) Core Library enables an authenticated low-privilege attacker to gain elevated rights through a use-after-free memory corruption flaw. The issue carries a CVSS 7.8 (High) rating with total confidentiality, integrity, and availability impact, and no public exploit identified at time of analysis. CISA SSVC scoring marks exploitation as 'none' and not automatable, suggesting limited real-world activity despite the severe technical impact.
Local code execution in Microsoft Windows Win32K GRFX (graphics) subsystem allows an attacker with low-privilege local access to run arbitrary code by triggering an integer overflow, after coaxing a user into interacting with a crafted graphics object. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV, though Win32K bugs historically attract rapid exploit development for privilege escalation in post-compromise chains.
Local privilege escalation in the Windows Desktop Window Manager (DWM) Core Library allows an authenticated low-privileged user to elevate to higher privileges on the host by triggering a use-after-free condition. The flaw was reported by Microsoft (MSRC) and carries a CVSS 7.8 with no public exploit identified at time of analysis. EPSS data was not provided and the issue is not currently listed in CISA KEV.
Local privilege escalation in Windows Cryptographic Services on Windows 11 (23H2 through 26H1) and Windows Server 2022/2025 allows a low-privileged authenticated user to elevate to higher privileges through an improper authentication flaw (CWE-287). Microsoft has released patches via MSRC, and while no public exploit identified at time of analysis, CISA SSVC rates the technical impact as total, meaning successful exploitation yields full system compromise. EPSS probability is very low (0.06%), reflecting the local attack vector and absence of known exploitation activity.
Local privilege escalation in the Windows Common Log File System (CLFS) Driver allows an authenticated low-privileged attacker to elevate to SYSTEM via a use-after-free memory corruption flaw. The vulnerability carries a CVSS 7.8 rating with high impact across confidentiality, integrity, and availability, and no public exploit identified at time of analysis. CLFS has a long history of being targeted for kernel-level privilege escalation, making this class of bug a recurring concern for Windows defenders.
Local privilege escalation in the Windows Desktop Window Manager (DWM) Core Library stems from a use-after-free condition (CWE-122) that lets an authenticated low-privileged user gain elevated rights on affected Windows systems. The flaw was reported by Microsoft (secure@microsoft.com) and tracked via MSRC, with no public exploit identified at time of analysis and no CISA KEV listing. CVSS 7.8 reflects high impact on confidentiality, integrity, and availability once the attacker has local foothold.
Local privilege escalation in Microsoft Windows Desktop Window Manager (DWM) Core Library allows an authenticated low-privileged user to elevate to SYSTEM via a use-after-free memory corruption flaw. CVSS 7.8 with high impact to confidentiality, integrity, and availability, but currently no public exploit identified at time of analysis and CISA SSVC rates exploitation status as 'none' with automation as 'no'.
Use-after-free in the Windows Network Controller (NC) Host Agent enables a locally authenticated attacker to crash the service, resulting in a denial of service on affected Windows Server deployments. The vulnerability carries a CVSS score of 5.5 (Medium) with local attack vector and low-privilege requirements, limiting its blast radius to service availability - confidentiality and integrity are unaffected. No public exploit code exists and CISA KEV listing is absent at time of analysis, though a vendor patch from Microsoft is available and should be prioritized on Windows Server deployments leveraging Software Defined Networking.
Local privilege escalation in the Windows Desktop Window Manager (DWM) Core Library allows an authenticated low-privileged user to elevate to higher privileges by exploiting a use-after-free memory corruption flaw (CWE-416). The issue was reported by Microsoft's security team (secure@microsoft.com) and tracked via MSRC, with no public exploit identified at time of analysis. Successful exploitation yields full confidentiality, integrity, and availability impact on the local host.
Local code execution in the Windows Win32K GRFX (graphics) subsystem allows an unauthorized attacker with the ability to run code locally to escalate privileges through an integer overflow. The flaw was reported by Microsoft (MSRC) and carries a CVSS 7.8, but requires user interaction (UI:R) and local access (AV:L), and no public exploit identified at time of analysis.
Local privilege escalation in the Windows Desktop Window Manager (DWM) Core Library allows an authenticated low-privilege attacker to gain higher privileges through a use-after-free memory corruption flaw. The vulnerability carries a CVSS score of 7.8 with high impact across confidentiality, integrity, and availability, and no public exploit identified at time of analysis. Successful exploitation typically yields SYSTEM-level code execution on the affected Windows host.