Microsoft
Monthly
Windows File Explorer on a wide range of Microsoft Windows client and server versions exposes sensitive information to locally authenticated standard users, achieving high confidentiality impact without requiring elevated privileges. The flaw (CWE-200) is confined to the local attack surface - CVSS AV:L/PR:L - meaning the attacker must already hold an interactive session on the target system. No public exploit code and no CISA KEV listing have been identified at time of analysis; a vendor patch is available through Microsoft Security Response Center.
Exposure of sensitive information to an unauthorized actor in Windows File Explorer allows an authorized attacker to disclose information locally.
Exposure of sensitive information to an unauthorized actor in Windows File Explorer allows an authorized attacker to disclose information locally.
Exposure of sensitive information to an unauthorized actor in Windows File Explorer allows an authorized attacker to disclose information locally.
Local privilege escalation in the Windows Runtime (WinRT) component of Windows 10, Windows 11, and Windows Server allows an authenticated attacker to run arbitrary code with elevated (SYSTEM-level) privileges by triggering a use-after-free memory-corruption condition (CWE-416). Microsoft has released a patch, but there is no public exploit identified at time of analysis and the flaw is not listed in CISA KEV. The CVSS 3.1 score of 7.8 (High) with a fully local vector reflects meaningful post-compromise impact but requires the attacker to already have a foothold on the host.
Local privilege escalation in the Windows Ancillary Function Driver for WinSock (AFD.sys) allows an already-authenticated local attacker to gain elevated (SYSTEM-level) privileges across a broad range of Windows client and server releases from Windows 10 1607 and Server 2012 through Windows 11 26H1 and Server 2025. Reported internally by Microsoft with a patch available, the flaw carries CVSS 7.8 with full confidentiality, integrity, and availability impact but no confirmed active exploitation; no public exploit identified at time of analysis.
Remote code execution in the Microsoft Message Queuing (MSMQ) Queue Manager affects a broad range of Windows client and server releases, from Windows 10 1607 and Windows Server 2012 through Windows 11 26H1 and Windows Server 2025. An unauthenticated network attacker who can reach the MSMQ service (TCP 1801) can trigger a use-after-free (CWE-416) in the Queue Manager to execute arbitrary code in the service context. There is no public exploit identified at time of analysis and the flaw is not listed in CISA KEV, but the high CVSS (8.1), network attack vector, and lack of any authentication requirement make patched deployment urgent; exploitation is tempered by the High attack complexity (AC:H).
Local integrity and availability tampering in the Microsoft Windows DNS component affects Windows 11 (24H2, 25H2, 26H1) and Windows Server 2025 (including Server Core), where an authorized attacker with low privileges can abuse improper access control to modify DNS data or disrupt the service. Microsoft self-reported the issue and has released a patch. There is no public exploit identified at time of analysis, and the flaw is not listed in CISA KEV, so exploitation would currently require local access on an already-compromised or shared host.
Local privilege escalation in Microsoft Windows Resilient File System (ReFS) lets an authenticated local attacker gain elevated (SYSTEM-level) privileges by triggering an untrusted pointer dereference in the ReFS driver. It affects a broad range of Windows 10, Windows 11, and Windows Server 2016-2025 builds. Microsoft has released a patch; there is no public exploit identified at time of analysis and it is not listed in CISA KEV, so risk is currently patch-and-move rather than emergency.
Exposure of sensitive information to an unauthorized actor in Windows Overlay Filter allows an authorized attacker to disclose information locally.
Local privilege escalation in the Windows Overlay Filter (WOF) driver affects a broad range of Windows client and server releases, from Windows 10 1607 and Server 2012 R2 through Windows 11 26H1 and Server 2025. An authenticated local attacker with low privileges can trigger a buffer over-read (CWE-126) in the filter to elevate to higher privileges, gaining full confidentiality, integrity, and availability impact on the host. Microsoft has released a patch; there is no public exploit identified at time of analysis and the CVE is not listed in CISA KEV.
Local privilege escalation in the Windows NTFS file-system driver lets an authenticated low-privileged user gain elevated (likely SYSTEM) privileges by exploiting an incorrect conversion between numeric types (CWE-681). Affected platforms span Windows 10 (1607 through 22H2), Windows 11 (24H2, 25H2, 26H1), and Windows Server 2012 through 2025. Microsoft reported the flaw and has shipped a patch; there is no public exploit identified at time of analysis and it is not listed in CISA KEV.
Local privilege escalation in the Windows Brokering File System component affects Windows 11 (24H2, 25H2, 26H1) and Windows Server 2025, where a use-after-free memory corruption (CWE-416) lets an already-authenticated local user elevate to higher privileges. Microsoft rates it CVSS 7.8 with full confidentiality, integrity, and availability impact, and has released a patch. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.
Local privilege escalation in Windows Routing and Remote Access Service (RRAS) allows a low-privileged authenticated user to elevate to higher privileges on affected Windows 10, Windows 11, and Windows Server 2012 through 2025 systems. The flaw stems from a missing authentication check on a critical RRAS function (CWE-306), letting an already-authorized local attacker invoke privileged functionality without proper authorization. Microsoft has released a patch; there is no public exploit identified at time of analysis.
Buffer over-read in Windows Print Spooler Components allows an authorized attacker to disclose information locally.
Local privilege escalation in the Windows Sensor Data Service allows an authenticated low-privileged user to gain full SYSTEM-level control on affected Windows 10, Windows 11, and Windows Server (2019-2025) systems. The flaw stems from incorrect access to an indexable resource (a range/bounds error, CWE-118) and yields high confidentiality, integrity, and availability impact per the CVSS 7.8 vector. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV, but Microsoft has released a patch.
Use after free in Windows Cloud Files Mini Filter Driver allows an authorized attacker to elevate privileges with a physical attack.
Local privilege escalation in the Windows Connected User Experiences and Telemetry service (DiagTrack) lets an already-authenticated user run arbitrary code with SYSTEM-level rights by triggering a CWE-843 type-confusion condition. The flaw affects a broad range of currently-supported Windows client and server builds, from Windows 10 1607 through Windows 11 26H1 and Windows Server 2016 through 2025. Microsoft has released a patch; there is no public exploit identified at time of analysis and the CVE is not listed in CISA KEV.
Local privilege escalation in the Windows NTFS file-system driver lets an already-authenticated low-privileged user read memory outside allocated bounds (CWE-125) to gain elevated privileges. It affects a broad Windows fleet spanning Windows 10 (1607 through 22H2), Windows 11 (24H2, 25H2, 26H1), and Windows Server 2012 through 2025. Reported by Microsoft with a patch available; no public exploit identified at time of analysis and it is not listed in CISA KEV.
Privilege escalation in Windows Runtime (WinRT) via a use-after-free memory corruption flaw enables a locally authenticated low-privilege attacker to elevate to SYSTEM-level access on Windows 11 (24H2, 25H2, 26H1) and Windows Server 2025. The CVSS scope change (S:C) confirms the exploit crosses a security boundary, yielding full confidentiality, integrity, and availability impact beyond the originating process. No public exploit identified at time of analysis; Microsoft has released a patch via MSRC.
Local privilege escalation in the Windows Runtime affects Windows 11 (24H2, 25H2, 26H1) and Windows Server 2025, where a race condition (CWE-362) in the improperly synchronized handling of a shared resource lets an already-authenticated attacker win a timing window to gain higher privileges. Microsoft reported and patched the issue; there is no public exploit identified at time of analysis and it is not listed in CISA KEV. The CVSS 8.8 with scope-changed impact reflects that a low-privileged local user could reach full SYSTEM-level control of confidentiality, integrity, and availability.
Elevation of privilege in the Microsoft Windows RPC API lets an unauthenticated attacker on an adjacent network gain higher privileges by exploiting an improper authentication weakness (CWE-287), provided a user is lured into an interaction. The flaw spans a broad range of client and server builds from Windows Server 2012 through Windows Server 2025 and Windows 10 1607 through Windows 11 26H1. No public exploit identified at time of analysis; the issue was reported by Microsoft, which has released a fix.
Local privilege escalation in Windows User Interface Core (UI Core) affects Windows 11 (24H2, 25H2, 26H1) and Windows Server 2025, where a relative path traversal flaw lets an already-authenticated low-privileged user escalate to higher privileges on the local machine. The CVSS 3.1 score of 7.8 reflects full confidentiality, integrity, and availability impact once triggered, though attack requires local access and existing low-level privileges. Reported by Microsoft with a patch available; no public exploit identified at time of analysis and it is not listed in CISA KEV.
Local privilege escalation in the Windows Projected File System (ProjFS) driver lets an authenticated low-privileged attacker abuse a symbolic-link/junction race (CWE-59 link following) to redirect a privileged file operation and gain SYSTEM-level rights across Windows 10 (1809-22H2), Windows 11 (24H2/25H2/26H1), and Windows Server 2019/2022/2025. Microsoft has released a patch; there is no public exploit identified at time of analysis and the flaw is not listed in CISA KEV.
Privilege escalation in Windows Remote Desktop Services (RDS) lets an authenticated, low-privileged attacker elevate to higher privileges across a network by triggering a use-after-free (CWE-416) memory-corruption condition in the RDS component. The flaw spans a broad range of supported Windows client and server releases (Windows 10/11 and Windows Server 2012 through 2025). Microsoft has released a patch; there is no public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Local code execution in Microsoft Windows NTFS (the New Technology File System driver) arises from a heap-based buffer overflow that lets an attacker run arbitrary code with the privileges of the affected process. The flaw affects a broad swath of supported Windows client and server builds, from Windows 10 1607 and Server 2012 through Windows 11 26H1 and Server 2025. Microsoft (the reporter) has shipped a patch; there is no public exploit identified at time of analysis, and the CVSS vector requires local access plus user interaction, so it is a privilege-escalation/code-execution primitive rather than a remotely-wormable bug.
Out-of-bounds read in Windows DWM Core Library allows an authorized attacker to disclose information locally.
Local privilege escalation in the Windows Kernel affects Windows 11 (24H2, 25H2, 26H1) and Windows Server 2025 (including Server Core), where an authorized attacker can exploit a use-after-free (CWE-416) memory-corruption condition to elevate privileges to SYSTEM. The flaw was reported by Microsoft, which has released a patch, and carries a CVSS 7.8 rating driven entirely by high confidentiality, integrity, and availability impact once local access is obtained. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.
Local code execution in the Windows DirectX graphics component (CVE-2026-50382) lets an already-authenticated user run arbitrary code and, because the CVSS scope is Changed, break out of the calling security context to compromise the wider system. It affects a broad range of Windows client and server builds from Windows 10 1809 through Windows 11 26H1 and Windows Server 2019 through 2025. Microsoft has issued a patch; there is no public exploit identified at time of analysis and the vulnerability is not listed in CISA KEV.
Exposure of sensitive information to an unauthorized actor in Windows Cryptographic Services allows an authorized attacker to disclose information locally.
Local privilege escalation in the Windows OLE (Object Linking and Embedding) component allows an already-authenticated, low-privileged user on affected Windows and Windows Server builds to elevate to higher privileges through an improper authorization check (CWE-285). Microsoft has released a patch, and no public exploit has been identified at time of analysis. Impact is high across confidentiality, integrity, and availability, though exploitation requires prior local code execution.
Buffer over-read in Windows RDP allows an unauthorized attacker to disclose information over a network.
Exposure of sensitive information to an unauthorized actor in Windows Notification allows an authorized attacker to disclose information locally.
Local privilege elevation in the Windows Graphics Device Interface (GDI) component allows an already-authenticated, low-privileged user to run code at a higher privilege level by triggering a stack-based buffer overflow (CWE-121). Affected platforms span Windows 10 (1607 through 22H2), Windows 11 (24H2/25H2/26H1), and Windows Server 2012 through 2025, including Server Core installations. Reported by Microsoft with a patch available; no public exploit identified at time of analysis and the CVE is not listed in CISA KEV.
Local code execution in the Microsoft Windows NTFS file-system driver lets an attacker run arbitrary code by triggering a heap-based buffer overflow (CWE-122) when Windows parses crafted file-system metadata. The flaw spans a broad range of supported releases, from Windows 10 1607 and Server 2012 through Windows 11 26H1 and Server 2025. It carries a CVSS 7.8 (Important) rating, requires user interaction, has a vendor patch available, and no public exploit identified at time of analysis.
Local privilege escalation in the Windows Filtering Platform (WFP) lets an authenticated low-privileged user gain higher privileges on affected Windows 10, Windows 11, and Windows Server systems (Server 2012 through Server 2025). Rooted in insufficient access-control granularity (CWE-1220), a local attacker with a valid session can manipulate WFP to reach SYSTEM-level access. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but Microsoft rates the confidentiality, integrity, and availability impact as High.
Local privilege escalation in the Microsoft Windows Kernel lets an already-authenticated attacker win a use-after-free race (CWE-416) to gain SYSTEM-level control, affecting a broad range of client and server builds from Windows 10 1607 and Windows Server 2012 through Windows 11 26H1 and Windows Server 2025. Microsoft has released a patch and there is no public exploit identified at time of analysis. The moderate 7.0 score reflects high attack complexity (a timing-dependent race) offset by full confidentiality, integrity and availability impact once triggered.
Use of uninitialized resource in Windows RDP allows an unauthorized attacker to disclose information over a network.
Out-of-bounds read in Windows Cloud Files Mini Filter Driver allows an authorized attacker to disclose information locally.
Local privilege escalation in Windows Key Guard affecting Windows 10 (1809/21H2/22H2), Windows 11 (24H2/25H2/26H1), and Windows Server 2019/2022/2025 allows an already-authenticated local attacker to win a race condition (CWE-362) and gain higher privileges. Reported by Microsoft with a patch now available; there is no public exploit identified at time of analysis and it is not listed in CISA KEV. The CVSS 7.8 rating reflects full confidentiality, integrity, and availability impact once the timing window is exploited.
Local privilege escalation in the Microsoft Windows Kernel allows an already-authenticated attacker to elevate to SYSTEM-level privileges across a wide range of Windows 10, Windows 11, and Windows Server builds. The flaw stems from improper access control (CWE-284) in kernel-mode code and requires local low-privileged access with no user interaction. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the trivial attack complexity and SYSTEM-level impact make it a standard patch-Tuesday priority.
Improper access control in Windows System allows an unauthorized attacker to bypass a security feature locally.
Local privilege escalation in the Windows Group Policy component allows an already-authenticated user to elevate to higher privileges (up to SYSTEM) on affected Windows 10, Windows 11, and Windows Server 2012-2025 systems. The flaw stems from improper privilege management (CWE-269) and is reported by Microsoft with a patch available; there is no public exploit identified at time of analysis and it is not listed in CISA KEV. With CVSS 7.8 and full confidentiality, integrity, and availability impact, it is a strong candidate for the monthly patch cycle on endpoints and domain-joined servers.
Local privilege escalation in Microsoft Windows Media (the Windows Media component/codec subsystem) allows an already-authenticated local attacker to elevate to SYSTEM by triggering a use-after-free (CWE-416) memory corruption condition. The flaw affects a broad range of currently-supported Windows client and server releases, from Windows 10 1607 and Windows Server 2012 through Windows 11 26H1 and Windows Server 2025. Microsoft has released a patch; there is no public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Local privilege escalation in the Windows Runtime component of Windows 11 (24H2, 25H2, 26H1) and Windows Server 2025 allows an already-authenticated local attacker to win a race condition and gain higher privileges. The flaw was reported by Microsoft, which has released a patch; there is no public exploit identified at time of analysis and it is not listed in CISA KEV. The high CVSS complexity (AC:H) reflects that the attacker must reliably win a timing window, tempering real-world exploitability despite the full compromise of confidentiality, integrity, and availability once triggered.
Elevation of privilege in Microsoft Windows Runtime (WinRT) lets a remote, unauthenticated attacker win a timing window in a shared-resource race condition and gain higher privileges across a broad range of Windows client and server releases (Windows 10 1809 through Windows 11 26H1 and Windows Server 2019/2022/2025). Microsoft-reported and patched, the flaw carries CVSS 8.1, driven by full confidentiality, integrity, and availability impact but tempered by high attack complexity. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.
Information disclosure in the Windows Kernel allows a remote, unauthenticated attacker to read out-of-bounds memory and leak sensitive data across all currently supported Windows client and server builds (Windows 10 1809/21H2/22H2, Windows 11 24H2/25H2/26H1, and Windows Server 2019/2022/2025). The CVSS 3.1 base score is 7.5 (AV:N/AC:L/PR:N/UI:N, high confidentiality impact only). There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the network-reachable, no-privilege, no-interaction profile makes it a broadly applicable patch-now item.
Elevation of privilege in the Windows Media component of Windows 11 (versions 24H2, 25H2, and 26H1) allows an authorized attacker to win a race condition and gain higher privileges over a network. The CVSS 3.1 base score is 7.5 with full confidentiality, integrity, and availability impact, though the high attack complexity reflects the timing precision needed to exploit the flaw. There is no public exploit identified at time of analysis and the CVE is not listed in CISA KEV.
Elevation of privilege in the Windows Media component of Windows 11 (24H2, 25H2, 26H1) and Windows Server 2025 allows an already-authorized (PR:L) network attacker to win a race condition and gain higher privileges, with full confidentiality, integrity, and availability impact. Microsoft self-reported the flaw and has released a patch; there is no public exploit identified at time of analysis and it is not on the CISA KEV list. High attack complexity (AC:H) reflects the timing precision needed to exploit the race reliably.
Elevation of privilege in the Windows Media component of Windows 11 (24H2, 25H2, 26H1) and Windows Server 2025 allows an authenticated attacker to win a race condition and gain higher privileges over the network. The CVSS 3.1 score of 8.8 reflects low-privilege network exploitation with high confidentiality, integrity, and availability impact. There is no public exploit identified at time of analysis and this CVE is not listed in CISA KEV, though Microsoft has released a patch.
Local privilege escalation in the Windows Media component of Windows 11 (versions 24H2, 25H2, and 26H1) allows an already-authenticated low-privileged user to run code with elevated (typically SYSTEM) rights by triggering a heap-based buffer overflow. Microsoft, the reporting party, has released a patch through its Update Guide. No public exploit identified at time of analysis, and the flaw is not listed in CISA KEV, so there is no evidence of active exploitation, though EIP-class memory-corruption bugs in core OS components are attractive follow-on targets after initial access.
Local privilege escalation in Microsoft Windows via the LUAFV (LUA File Virtualization, luafv.sys) driver allows an already-authenticated low-privileged user to win a timing race and elevate to SYSTEM/administrator on affected Windows client and server builds. The flaw stems from improper synchronization around a shared resource (CWE-362) and carries a CVSS 7.0 (AV:L/AC:H/PR:L) reflecting a local, high-complexity attack. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but Microsoft has released a patch.
Local privilege escalation in the Windows Runtime (WinRT) affects a broad range of supported Windows client and server releases, from Windows 10 1809 and Windows Server 2019 through Windows 11 26H1 and Windows Server 2025. An authorized local attacker who can execute low-privilege code can trigger a use-after-free (CWE-416) memory-corruption condition to elevate privileges, yielding full confidentiality, integrity, and availability impact on the host. There is no public exploit identified at time of analysis and it is not listed in CISA KEV; Microsoft has released a patch.
Local privilege escalation in Microsoft Windows Runtime (WinRT) affects a broad range of Windows client and server builds, from Windows 10 1809 through Windows 11 26H1 and Windows Server 2019 through 2025. An authorized local attacker who can run low-privileged code can trigger a use-after-free memory-corruption condition to elevate to higher privileges, with high confidentiality, integrity, and availability impact implying a path to SYSTEM. No public exploit identified at time of analysis, and the flaw is not on CISA KEV; a vendor patch is available.
Local code execution in the Microsoft Windows NTFS driver stems from an out-of-bounds read (CWE-125) that an attacker can leverage to run arbitrary code on affected systems, spanning Windows 10 (1607 through 22H2), Windows 11 (24H2/25H2/26H1), and Windows Server 2012 through 2025. Exploitation requires local access and user interaction (AV:L/UI:R), typically opening or mounting a maliciously crafted file or volume, but no prior authentication (PR:N). Microsoft has released a patch; there is no public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Local privilege escalation in the Windows DirectX graphics kernel subsystem allows an authenticated attacker to elevate to SYSTEM by triggering a use-after-free (CWE-416) memory-corruption condition across Windows 11 (24H2, 25H2, 26H1) and Windows Server 2025. The CVSS 3.1 vector (7.8, AV:L/PR:L) confirms local access and low existing privileges are required with no user interaction, yielding full confidentiality, integrity, and availability impact. Reported by Microsoft with a vendor patch available; no public exploit identified at time of analysis and the CVE is not listed in CISA KEV.
Local privilege escalation in the Microsoft Windows Search component lets an already-authenticated low-privilege user gain SYSTEM-level rights through improper access control (CWE-284). It affects all currently supported Windows client and server builds from Windows 10 1809 through Windows 11 26H1 and Windows Server 2019 through 2025. There is no public exploit identified at time of analysis, and it is not listed in CISA KEV, but Microsoft has released a patch.
Local information disclosure in the Windows Container Isolation FS Filter Driver (unionfs.sys) on Windows 11 version 26H1 allows an authorized low-privileged user to read memory outside intended bounds and disclose sensitive kernel or process data. The flaw was reported by Microsoft, a vendor patch is available, and there is no public exploit identified at time of analysis. CVSS 7.1 (AV:L) reflects local access with low privileges but high confidentiality impact.
Local privilege escalation in the Windows Media component affects a broad range of Microsoft Windows client and server editions (Windows 10 1607 through Windows 11 26H1, and Windows Server 2016 through 2025). A low-privileged authenticated attacker can abuse a use-after-free (CWE-416) memory corruption flaw to elevate to higher privileges, achieving full confidentiality, integrity, and availability impact. There is no public exploit identified at time of analysis and the flaw is not on CISA KEV, but the high attack complexity (a likely race condition) is the main barrier to reliable exploitation.
Exposure of sensitive information to an unauthorized actor in Windows Win32K allows an authorized attacker to disclose information locally.
Local privilege elevation in the Windows Media component of Windows 11 (versions 24H2, 25H2, and 26H1) allows an already-authenticated local attacker to win a race condition and gain higher privileges on the host. The flaw is a concurrency/synchronization defect (CWE-362) reported by Microsoft itself; no public exploit identified at time of analysis and it is not listed in CISA KEV. Exploitation is rated high-complexity because the attacker must reliably win a timing window, which tempers the otherwise high confidentiality, integrity, and availability impact.
Elevation of privilege in the Windows Runtime (WinRT) component of Windows 11 (24H2, 25H2, 26H1) and Windows Server 2025 allows an authenticated attacker to gain higher privileges by exploiting a use-after-free memory-corruption flaw over the network. Microsoft, who reported the issue, has released a patch; there is no public exploit identified at time of analysis and it is not listed in CISA KEV. The high CVSS (8.5) is driven by a scope change and full confidentiality/integrity/availability impact, though high attack complexity tempers real-world exploitability.
Local privilege escalation in Microsoft Windows 11 (24H2, 25H2, 26H1) and Windows Server 2025 lets an already-authenticated, low-privileged attacker win a race condition (CWE-362) over an improperly synchronized shared resource to elevate privileges. Reported by Microsoft itself, the flaw carries a CVSS 7.0 and per SSVC has total technical impact but is not automatable and shows no observed exploitation; no public exploit is identified at time of analysis. EPSS is low at 0.24% (16th percentile), consistent with the high attack complexity of reliably timing the race.
Local privilege elevation in the Windows Brokering File System (bfs.sys/brokering component) lets an authenticated low-privileged user corrupt kernel memory via a double free (CWE-415) to gain SYSTEM-level privileges on Windows 11 (24H2, 25H2, 26H1) and Windows Server 2025. A Microsoft-released patch is available. There is no public exploit identified at time of analysis, and the flaw is not listed in CISA KEV; EPSS data was not provided.
Heap-based buffer overflow in Windows DirectX allows an authorized attacker to elevate privileges locally.
Elevation of privilege in Microsoft Windows (Windows 10 1809/21H2/22H2, Windows 11 24H2/25H2/26H1, and Windows Server 2019/2022/2025) allows a locally authenticated attacker to escalate to higher privileges via an improper access control weakness (CWE-284). An attacker who already holds a low-privilege foothold on the host can gain full confidentiality, integrity, and availability impact over the system. No public exploit identified at time of analysis, though the flaw was reported by Microsoft and a vendor patch is available.
Local privilege escalation in the Windows Runtime (WinRT) affects Windows 11 (24H2, 25H2, 26H1) and Windows Server 2025, where a race condition (CWE-362) in the handling of a shared resource allows an already-authenticated low-privileged attacker to win a timing window and elevate to higher privileges. Exploitation requires winning a non-deterministic race (AC:H) and low-level access to the target host (PR:L, AV:L), and there is no public exploit identified at time of analysis and it is not listed in CISA KEV. Microsoft has published an advisory and released a patch.
Local privilege escalation in the Windows Runtime (WinRT) component of Windows 11 (24H2, 25H2, 26H1) and Windows Server 2025 allows an authenticated local attacker to win a race condition and gain higher privileges. The flaw stems from improper synchronization of a shared resource (CWE-362); successful exploitation yields high confidentiality, integrity, and availability impact. No public exploit is identified at time of analysis, and it is not listed in CISA KEV; Microsoft has released a patch.
Privilege escalation in the Windows Runtime (WinRT) allows a network-based, unauthenticated attacker to win a race condition and gain elevated privileges on affected Windows 10, Windows 11 (through 26H1), and Windows Server 2019-2025 systems. Microsoft self-reported the flaw and has shipped a fix; there is no public exploit identified at time of analysis and it is not listed in CISA KEV. The CVSS vector (AV:N/AC:H) reflects a real but timing-dependent attack that is non-trivial to reproduce reliably.
Network-based privilege elevation in the Windows Runtime (WinRT) affects a broad range of Microsoft platforms including Windows 10 (1809 through 22H2), Windows 11 (24H2/25H2/26H1), and Windows Server 2019/2022/2025. An unauthorized attacker who wins a timing race in the improperly synchronized shared-resource handling can gain elevated privileges, with the vulnerability carrying an implicit authentication-bypass characteristic per vendor tags. No public exploit has been identified at time of analysis, and the high attack complexity (AC:H) reflects the need to reliably win a race window.
Local privilege escalation in the Windows Kernel (CVE-2026-50390) lets an already-authenticated attacker abuse a type-confusion condition to run code with elevated (SYSTEM-level) privileges on affected Windows client and server builds ranging from Windows 10 1607 through Windows 11 26H1 and Windows Server 2012 through Server 2025. Microsoft has shipped a fix and there is no public exploit identified at time of analysis, but as a kernel EoP it is a classic second-stage building block for turning a foothold into full host compromise. CVSS is 7.0 (High), reflecting high attack complexity but full confidentiality, integrity, and availability impact once triggered.
Out-of-bounds read in Windows Kernel allows an authorized attacker to elevate privileges locally.
Local code execution in Microsoft's Resilient File System (ReFS) driver lets an already-authenticated, low-privileged user on affected Windows 10, Windows 11, and Windows Server 2016–2025 systems escalate to code execution through a numeric truncation flaw (CWE-197). No public exploit has been identified at time of analysis, and it is not on CISA KEV, but Microsoft has released a patch. Note a data conflict: the description states code execution and the CVSS carries C:H/I:H/A:H, yet the vendor tags label it 'Information Disclosure' — the CVSS-backed local elevation-of-privilege reading is treated as authoritative here.
Use after free in Windows Ancillary Function Driver for WinSock allows an authorized attacker to elevate privileges locally.
Integer overflow or wraparound in Windows Devices Human Interface allows an authorized attacker to disclose information locally.
Exposure of sensitive information to an unauthorized actor in Windows Push Notifications allows an authorized attacker to disclose information locally.
Exposure of sensitive information to an unauthorized actor in Windows Push Notifications allows an authorized attacker to disclose information locally.
Exposure of sensitive information to an unauthorized actor in Windows Push Notifications allows an authorized attacker to disclose information locally.
Local privilege escalation in Windows Image Acquisition (WIA) affects Windows 11 (24H2, 25H2, 26H1) and Windows Server 2025, where a NULL pointer dereference can be leveraged by an already-authenticated local user to elevate privileges. Microsoft rates it 7.8 (High) with full confidentiality, integrity, and availability impact despite the flaw class typically causing denial of service. There is no public exploit identified at time of analysis, and it is not listed in CISA KEV.
Local privilege escalation in the Windows Internal System User Profile component allows an already-authenticated attacker to gain elevated (SYSTEM-level) privileges by triggering a use-after-free memory corruption condition (CWE-416). The flaw affects Windows 10 (21H2/22H2), Windows 11 (24H2/25H2/26H1), and Windows Server 2025 including Server Core. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the CVSS 7.8 rating and full high impact on confidentiality, integrity, and availability make it a meaningful patch-cycle priority.
Local privilege escalation in the Microsoft Windows USB driver stack lets an already-authenticated low-privileged user win a race condition (CWE-362) to gain SYSTEM-level control across Windows 10 (1607-22H2), Windows 11 (24H2/25H2/26H1), and Windows Server 2012 through 2025. Reported by Microsoft with a patch available; there is no public exploit identified at time of analysis and it is not listed in CISA KEV. EPSS is low (0.19%, 9th percentile) and SSVC rates exploitation as none but technical impact as total, indicating high damage potential if a working exploit is developed.
Local code execution in Microsoft Windows arises from a heap-based buffer overflow in a Windows Data DLL, letting an attacker who can get a victim to open crafted content run arbitrary code with the victim's privileges. Affected builds span Windows 10 (1607 through 22H2), Windows 11 (24H2, 25H2, 26H1), and Windows Server 2012 through 2025. Microsoft (the reporter) has released a patch; there is no public exploit identified at time of analysis and it is not listed in CISA KEV.
Remote code execution in the Microsoft Windows DHCP Server role allows an unauthenticated, adjacent-network attacker to run arbitrary code by triggering a heap-based buffer overflow (CWE-122) in DHCP message parsing. Affected systems span Windows Server 2012 through Windows Server 2025 (including Server Core installations) plus the DHCP service on Windows 10 versions 1607 and 1809, with full confidentiality, integrity, and availability impact. Microsoft has released a patch; there is no public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Local privilege escalation in Windows Kernel-Mode Drivers on Windows 11 (24H2, 25H2, 26H1) and Windows Server 2025 lets an authenticated local attacker corrupt kernel memory via a use-after-free and gain SYSTEM-level control. Rated CVSS 7.0 (Important) and reported by Microsoft itself; there is no public exploit identified at time of analysis and it is not listed in CISA KEV. The high attack complexity (AC:H) reflects the race-condition nature typical of kernel UAF bugs, which tempers real-world exploitability despite full C/I/A impact.
Local privilege escalation in the Microsoft Install Service (Windows Installer) affects supported Windows 10, Windows 11, and Windows Server 2019-2025 builds, letting an already-authenticated local user with limited rights (PR:L) elevate to SYSTEM. The flaw stems from improper privilege management (CWE-269) in how the service handles operations, yielding full confidentiality, integrity, and availability impact. Microsoft has released a patch; there is no public exploit identified at time of analysis and the CVE is not listed in CISA KEV.
Local privilege escalation in the Windows Application Model (the subsystem underlying UWP/packaged app lifecycle and activation) lets an authorized attacker with an existing low-privileged foothold gain SYSTEM-level control by triggering a use-after-free memory-corruption condition. All supported Windows client and server builds from Windows 10 1607 through Windows 11 26H1 and Windows Server 2016 through Server 2025 are affected. This is a Microsoft-reported flaw with a vendor patch available; there is no public exploit identified at time of analysis and it is not on CISA KEV.
Local privilege escalation in the Microsoft Windows Resilient File System (ReFS) driver allows an authenticated attacker to run code with SYSTEM-level privileges by triggering a heap-based buffer overflow. The flaw (CVSS 7.8) affects a broad range of Windows 10, Windows 11, and Windows Server 2016-2025 builds and carries high confidentiality, integrity, and availability impact. It is a Microsoft-reported issue with a vendor patch available, and there is no public exploit identified at time of analysis.
Buffer over-read in Windows NTFS allows an authorized attacker to disclose information locally.
Local code execution in the Windows Media component of Windows 11 (24H2, 25H2, 26H1) and Windows Server 2025 allows an authenticated local attacker to run arbitrary code by triggering a heap-based buffer overflow. Successful exploitation yields high confidentiality, integrity, and availability impact within the current security context, and Microsoft has released a patch. No public exploit identified at time of analysis, and the flaw is not listed in CISA KEV.
Remote code execution in Microsoft Windows GDI+ (gdiplus) lets an unauthenticated network attacker run arbitrary code when a victim opens or renders a specially crafted image, via a heap-based buffer overflow (CWE-122). The flaw affects a broad range of supported Windows client and server builds (Windows 10 1607 through Windows 11 26H1, and Windows Server 2012 through 2025). It carries a critical CVSS 9.6 with a scope-changed impact, but requires user interaction and currently has no public exploit identified at time of analysis.
Windows File Explorer on a wide range of Microsoft Windows client and server versions exposes sensitive information to locally authenticated standard users, achieving high confidentiality impact without requiring elevated privileges. The flaw (CWE-200) is confined to the local attack surface - CVSS AV:L/PR:L - meaning the attacker must already hold an interactive session on the target system. No public exploit code and no CISA KEV listing have been identified at time of analysis; a vendor patch is available through Microsoft Security Response Center.
Exposure of sensitive information to an unauthorized actor in Windows File Explorer allows an authorized attacker to disclose information locally.
Exposure of sensitive information to an unauthorized actor in Windows File Explorer allows an authorized attacker to disclose information locally.
Exposure of sensitive information to an unauthorized actor in Windows File Explorer allows an authorized attacker to disclose information locally.
Local privilege escalation in the Windows Runtime (WinRT) component of Windows 10, Windows 11, and Windows Server allows an authenticated attacker to run arbitrary code with elevated (SYSTEM-level) privileges by triggering a use-after-free memory-corruption condition (CWE-416). Microsoft has released a patch, but there is no public exploit identified at time of analysis and the flaw is not listed in CISA KEV. The CVSS 3.1 score of 7.8 (High) with a fully local vector reflects meaningful post-compromise impact but requires the attacker to already have a foothold on the host.
Local privilege escalation in the Windows Ancillary Function Driver for WinSock (AFD.sys) allows an already-authenticated local attacker to gain elevated (SYSTEM-level) privileges across a broad range of Windows client and server releases from Windows 10 1607 and Server 2012 through Windows 11 26H1 and Server 2025. Reported internally by Microsoft with a patch available, the flaw carries CVSS 7.8 with full confidentiality, integrity, and availability impact but no confirmed active exploitation; no public exploit identified at time of analysis.
Remote code execution in the Microsoft Message Queuing (MSMQ) Queue Manager affects a broad range of Windows client and server releases, from Windows 10 1607 and Windows Server 2012 through Windows 11 26H1 and Windows Server 2025. An unauthenticated network attacker who can reach the MSMQ service (TCP 1801) can trigger a use-after-free (CWE-416) in the Queue Manager to execute arbitrary code in the service context. There is no public exploit identified at time of analysis and the flaw is not listed in CISA KEV, but the high CVSS (8.1), network attack vector, and lack of any authentication requirement make patched deployment urgent; exploitation is tempered by the High attack complexity (AC:H).
Local integrity and availability tampering in the Microsoft Windows DNS component affects Windows 11 (24H2, 25H2, 26H1) and Windows Server 2025 (including Server Core), where an authorized attacker with low privileges can abuse improper access control to modify DNS data or disrupt the service. Microsoft self-reported the issue and has released a patch. There is no public exploit identified at time of analysis, and the flaw is not listed in CISA KEV, so exploitation would currently require local access on an already-compromised or shared host.
Local privilege escalation in Microsoft Windows Resilient File System (ReFS) lets an authenticated local attacker gain elevated (SYSTEM-level) privileges by triggering an untrusted pointer dereference in the ReFS driver. It affects a broad range of Windows 10, Windows 11, and Windows Server 2016-2025 builds. Microsoft has released a patch; there is no public exploit identified at time of analysis and it is not listed in CISA KEV, so risk is currently patch-and-move rather than emergency.
Exposure of sensitive information to an unauthorized actor in Windows Overlay Filter allows an authorized attacker to disclose information locally.
Local privilege escalation in the Windows Overlay Filter (WOF) driver affects a broad range of Windows client and server releases, from Windows 10 1607 and Server 2012 R2 through Windows 11 26H1 and Server 2025. An authenticated local attacker with low privileges can trigger a buffer over-read (CWE-126) in the filter to elevate to higher privileges, gaining full confidentiality, integrity, and availability impact on the host. Microsoft has released a patch; there is no public exploit identified at time of analysis and the CVE is not listed in CISA KEV.
Local privilege escalation in the Windows NTFS file-system driver lets an authenticated low-privileged user gain elevated (likely SYSTEM) privileges by exploiting an incorrect conversion between numeric types (CWE-681). Affected platforms span Windows 10 (1607 through 22H2), Windows 11 (24H2, 25H2, 26H1), and Windows Server 2012 through 2025. Microsoft reported the flaw and has shipped a patch; there is no public exploit identified at time of analysis and it is not listed in CISA KEV.
Local privilege escalation in the Windows Brokering File System component affects Windows 11 (24H2, 25H2, 26H1) and Windows Server 2025, where a use-after-free memory corruption (CWE-416) lets an already-authenticated local user elevate to higher privileges. Microsoft rates it CVSS 7.8 with full confidentiality, integrity, and availability impact, and has released a patch. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.
Local privilege escalation in Windows Routing and Remote Access Service (RRAS) allows a low-privileged authenticated user to elevate to higher privileges on affected Windows 10, Windows 11, and Windows Server 2012 through 2025 systems. The flaw stems from a missing authentication check on a critical RRAS function (CWE-306), letting an already-authorized local attacker invoke privileged functionality without proper authorization. Microsoft has released a patch; there is no public exploit identified at time of analysis.
Buffer over-read in Windows Print Spooler Components allows an authorized attacker to disclose information locally.
Local privilege escalation in the Windows Sensor Data Service allows an authenticated low-privileged user to gain full SYSTEM-level control on affected Windows 10, Windows 11, and Windows Server (2019-2025) systems. The flaw stems from incorrect access to an indexable resource (a range/bounds error, CWE-118) and yields high confidentiality, integrity, and availability impact per the CVSS 7.8 vector. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV, but Microsoft has released a patch.
Use after free in Windows Cloud Files Mini Filter Driver allows an authorized attacker to elevate privileges with a physical attack.
Local privilege escalation in the Windows Connected User Experiences and Telemetry service (DiagTrack) lets an already-authenticated user run arbitrary code with SYSTEM-level rights by triggering a CWE-843 type-confusion condition. The flaw affects a broad range of currently-supported Windows client and server builds, from Windows 10 1607 through Windows 11 26H1 and Windows Server 2016 through 2025. Microsoft has released a patch; there is no public exploit identified at time of analysis and the CVE is not listed in CISA KEV.
Local privilege escalation in the Windows NTFS file-system driver lets an already-authenticated low-privileged user read memory outside allocated bounds (CWE-125) to gain elevated privileges. It affects a broad Windows fleet spanning Windows 10 (1607 through 22H2), Windows 11 (24H2, 25H2, 26H1), and Windows Server 2012 through 2025. Reported by Microsoft with a patch available; no public exploit identified at time of analysis and it is not listed in CISA KEV.
Privilege escalation in Windows Runtime (WinRT) via a use-after-free memory corruption flaw enables a locally authenticated low-privilege attacker to elevate to SYSTEM-level access on Windows 11 (24H2, 25H2, 26H1) and Windows Server 2025. The CVSS scope change (S:C) confirms the exploit crosses a security boundary, yielding full confidentiality, integrity, and availability impact beyond the originating process. No public exploit identified at time of analysis; Microsoft has released a patch via MSRC.
Local privilege escalation in the Windows Runtime affects Windows 11 (24H2, 25H2, 26H1) and Windows Server 2025, where a race condition (CWE-362) in the improperly synchronized handling of a shared resource lets an already-authenticated attacker win a timing window to gain higher privileges. Microsoft reported and patched the issue; there is no public exploit identified at time of analysis and it is not listed in CISA KEV. The CVSS 8.8 with scope-changed impact reflects that a low-privileged local user could reach full SYSTEM-level control of confidentiality, integrity, and availability.
Elevation of privilege in the Microsoft Windows RPC API lets an unauthenticated attacker on an adjacent network gain higher privileges by exploiting an improper authentication weakness (CWE-287), provided a user is lured into an interaction. The flaw spans a broad range of client and server builds from Windows Server 2012 through Windows Server 2025 and Windows 10 1607 through Windows 11 26H1. No public exploit identified at time of analysis; the issue was reported by Microsoft, which has released a fix.
Local privilege escalation in Windows User Interface Core (UI Core) affects Windows 11 (24H2, 25H2, 26H1) and Windows Server 2025, where a relative path traversal flaw lets an already-authenticated low-privileged user escalate to higher privileges on the local machine. The CVSS 3.1 score of 7.8 reflects full confidentiality, integrity, and availability impact once triggered, though attack requires local access and existing low-level privileges. Reported by Microsoft with a patch available; no public exploit identified at time of analysis and it is not listed in CISA KEV.
Local privilege escalation in the Windows Projected File System (ProjFS) driver lets an authenticated low-privileged attacker abuse a symbolic-link/junction race (CWE-59 link following) to redirect a privileged file operation and gain SYSTEM-level rights across Windows 10 (1809-22H2), Windows 11 (24H2/25H2/26H1), and Windows Server 2019/2022/2025. Microsoft has released a patch; there is no public exploit identified at time of analysis and the flaw is not listed in CISA KEV.
Privilege escalation in Windows Remote Desktop Services (RDS) lets an authenticated, low-privileged attacker elevate to higher privileges across a network by triggering a use-after-free (CWE-416) memory-corruption condition in the RDS component. The flaw spans a broad range of supported Windows client and server releases (Windows 10/11 and Windows Server 2012 through 2025). Microsoft has released a patch; there is no public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Local code execution in Microsoft Windows NTFS (the New Technology File System driver) arises from a heap-based buffer overflow that lets an attacker run arbitrary code with the privileges of the affected process. The flaw affects a broad swath of supported Windows client and server builds, from Windows 10 1607 and Server 2012 through Windows 11 26H1 and Server 2025. Microsoft (the reporter) has shipped a patch; there is no public exploit identified at time of analysis, and the CVSS vector requires local access plus user interaction, so it is a privilege-escalation/code-execution primitive rather than a remotely-wormable bug.
Out-of-bounds read in Windows DWM Core Library allows an authorized attacker to disclose information locally.
Local privilege escalation in the Windows Kernel affects Windows 11 (24H2, 25H2, 26H1) and Windows Server 2025 (including Server Core), where an authorized attacker can exploit a use-after-free (CWE-416) memory-corruption condition to elevate privileges to SYSTEM. The flaw was reported by Microsoft, which has released a patch, and carries a CVSS 7.8 rating driven entirely by high confidentiality, integrity, and availability impact once local access is obtained. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.
Local code execution in the Windows DirectX graphics component (CVE-2026-50382) lets an already-authenticated user run arbitrary code and, because the CVSS scope is Changed, break out of the calling security context to compromise the wider system. It affects a broad range of Windows client and server builds from Windows 10 1809 through Windows 11 26H1 and Windows Server 2019 through 2025. Microsoft has issued a patch; there is no public exploit identified at time of analysis and the vulnerability is not listed in CISA KEV.
Exposure of sensitive information to an unauthorized actor in Windows Cryptographic Services allows an authorized attacker to disclose information locally.
Local privilege escalation in the Windows OLE (Object Linking and Embedding) component allows an already-authenticated, low-privileged user on affected Windows and Windows Server builds to elevate to higher privileges through an improper authorization check (CWE-285). Microsoft has released a patch, and no public exploit has been identified at time of analysis. Impact is high across confidentiality, integrity, and availability, though exploitation requires prior local code execution.
Buffer over-read in Windows RDP allows an unauthorized attacker to disclose information over a network.
Exposure of sensitive information to an unauthorized actor in Windows Notification allows an authorized attacker to disclose information locally.
Local privilege elevation in the Windows Graphics Device Interface (GDI) component allows an already-authenticated, low-privileged user to run code at a higher privilege level by triggering a stack-based buffer overflow (CWE-121). Affected platforms span Windows 10 (1607 through 22H2), Windows 11 (24H2/25H2/26H1), and Windows Server 2012 through 2025, including Server Core installations. Reported by Microsoft with a patch available; no public exploit identified at time of analysis and the CVE is not listed in CISA KEV.
Local code execution in the Microsoft Windows NTFS file-system driver lets an attacker run arbitrary code by triggering a heap-based buffer overflow (CWE-122) when Windows parses crafted file-system metadata. The flaw spans a broad range of supported releases, from Windows 10 1607 and Server 2012 through Windows 11 26H1 and Server 2025. It carries a CVSS 7.8 (Important) rating, requires user interaction, has a vendor patch available, and no public exploit identified at time of analysis.
Local privilege escalation in the Windows Filtering Platform (WFP) lets an authenticated low-privileged user gain higher privileges on affected Windows 10, Windows 11, and Windows Server systems (Server 2012 through Server 2025). Rooted in insufficient access-control granularity (CWE-1220), a local attacker with a valid session can manipulate WFP to reach SYSTEM-level access. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but Microsoft rates the confidentiality, integrity, and availability impact as High.
Local privilege escalation in the Microsoft Windows Kernel lets an already-authenticated attacker win a use-after-free race (CWE-416) to gain SYSTEM-level control, affecting a broad range of client and server builds from Windows 10 1607 and Windows Server 2012 through Windows 11 26H1 and Windows Server 2025. Microsoft has released a patch and there is no public exploit identified at time of analysis. The moderate 7.0 score reflects high attack complexity (a timing-dependent race) offset by full confidentiality, integrity and availability impact once triggered.
Use of uninitialized resource in Windows RDP allows an unauthorized attacker to disclose information over a network.
Out-of-bounds read in Windows Cloud Files Mini Filter Driver allows an authorized attacker to disclose information locally.
Local privilege escalation in Windows Key Guard affecting Windows 10 (1809/21H2/22H2), Windows 11 (24H2/25H2/26H1), and Windows Server 2019/2022/2025 allows an already-authenticated local attacker to win a race condition (CWE-362) and gain higher privileges. Reported by Microsoft with a patch now available; there is no public exploit identified at time of analysis and it is not listed in CISA KEV. The CVSS 7.8 rating reflects full confidentiality, integrity, and availability impact once the timing window is exploited.
Local privilege escalation in the Microsoft Windows Kernel allows an already-authenticated attacker to elevate to SYSTEM-level privileges across a wide range of Windows 10, Windows 11, and Windows Server builds. The flaw stems from improper access control (CWE-284) in kernel-mode code and requires local low-privileged access with no user interaction. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the trivial attack complexity and SYSTEM-level impact make it a standard patch-Tuesday priority.
Improper access control in Windows System allows an unauthorized attacker to bypass a security feature locally.
Local privilege escalation in the Windows Group Policy component allows an already-authenticated user to elevate to higher privileges (up to SYSTEM) on affected Windows 10, Windows 11, and Windows Server 2012-2025 systems. The flaw stems from improper privilege management (CWE-269) and is reported by Microsoft with a patch available; there is no public exploit identified at time of analysis and it is not listed in CISA KEV. With CVSS 7.8 and full confidentiality, integrity, and availability impact, it is a strong candidate for the monthly patch cycle on endpoints and domain-joined servers.
Local privilege escalation in Microsoft Windows Media (the Windows Media component/codec subsystem) allows an already-authenticated local attacker to elevate to SYSTEM by triggering a use-after-free (CWE-416) memory corruption condition. The flaw affects a broad range of currently-supported Windows client and server releases, from Windows 10 1607 and Windows Server 2012 through Windows 11 26H1 and Windows Server 2025. Microsoft has released a patch; there is no public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Local privilege escalation in the Windows Runtime component of Windows 11 (24H2, 25H2, 26H1) and Windows Server 2025 allows an already-authenticated local attacker to win a race condition and gain higher privileges. The flaw was reported by Microsoft, which has released a patch; there is no public exploit identified at time of analysis and it is not listed in CISA KEV. The high CVSS complexity (AC:H) reflects that the attacker must reliably win a timing window, tempering real-world exploitability despite the full compromise of confidentiality, integrity, and availability once triggered.
Elevation of privilege in Microsoft Windows Runtime (WinRT) lets a remote, unauthenticated attacker win a timing window in a shared-resource race condition and gain higher privileges across a broad range of Windows client and server releases (Windows 10 1809 through Windows 11 26H1 and Windows Server 2019/2022/2025). Microsoft-reported and patched, the flaw carries CVSS 8.1, driven by full confidentiality, integrity, and availability impact but tempered by high attack complexity. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.
Information disclosure in the Windows Kernel allows a remote, unauthenticated attacker to read out-of-bounds memory and leak sensitive data across all currently supported Windows client and server builds (Windows 10 1809/21H2/22H2, Windows 11 24H2/25H2/26H1, and Windows Server 2019/2022/2025). The CVSS 3.1 base score is 7.5 (AV:N/AC:L/PR:N/UI:N, high confidentiality impact only). There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the network-reachable, no-privilege, no-interaction profile makes it a broadly applicable patch-now item.
Elevation of privilege in the Windows Media component of Windows 11 (versions 24H2, 25H2, and 26H1) allows an authorized attacker to win a race condition and gain higher privileges over a network. The CVSS 3.1 base score is 7.5 with full confidentiality, integrity, and availability impact, though the high attack complexity reflects the timing precision needed to exploit the flaw. There is no public exploit identified at time of analysis and the CVE is not listed in CISA KEV.
Elevation of privilege in the Windows Media component of Windows 11 (24H2, 25H2, 26H1) and Windows Server 2025 allows an already-authorized (PR:L) network attacker to win a race condition and gain higher privileges, with full confidentiality, integrity, and availability impact. Microsoft self-reported the flaw and has released a patch; there is no public exploit identified at time of analysis and it is not on the CISA KEV list. High attack complexity (AC:H) reflects the timing precision needed to exploit the race reliably.
Elevation of privilege in the Windows Media component of Windows 11 (24H2, 25H2, 26H1) and Windows Server 2025 allows an authenticated attacker to win a race condition and gain higher privileges over the network. The CVSS 3.1 score of 8.8 reflects low-privilege network exploitation with high confidentiality, integrity, and availability impact. There is no public exploit identified at time of analysis and this CVE is not listed in CISA KEV, though Microsoft has released a patch.
Local privilege escalation in the Windows Media component of Windows 11 (versions 24H2, 25H2, and 26H1) allows an already-authenticated low-privileged user to run code with elevated (typically SYSTEM) rights by triggering a heap-based buffer overflow. Microsoft, the reporting party, has released a patch through its Update Guide. No public exploit identified at time of analysis, and the flaw is not listed in CISA KEV, so there is no evidence of active exploitation, though EIP-class memory-corruption bugs in core OS components are attractive follow-on targets after initial access.
Local privilege escalation in Microsoft Windows via the LUAFV (LUA File Virtualization, luafv.sys) driver allows an already-authenticated low-privileged user to win a timing race and elevate to SYSTEM/administrator on affected Windows client and server builds. The flaw stems from improper synchronization around a shared resource (CWE-362) and carries a CVSS 7.0 (AV:L/AC:H/PR:L) reflecting a local, high-complexity attack. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but Microsoft has released a patch.
Local privilege escalation in the Windows Runtime (WinRT) affects a broad range of supported Windows client and server releases, from Windows 10 1809 and Windows Server 2019 through Windows 11 26H1 and Windows Server 2025. An authorized local attacker who can execute low-privilege code can trigger a use-after-free (CWE-416) memory-corruption condition to elevate privileges, yielding full confidentiality, integrity, and availability impact on the host. There is no public exploit identified at time of analysis and it is not listed in CISA KEV; Microsoft has released a patch.
Local privilege escalation in Microsoft Windows Runtime (WinRT) affects a broad range of Windows client and server builds, from Windows 10 1809 through Windows 11 26H1 and Windows Server 2019 through 2025. An authorized local attacker who can run low-privileged code can trigger a use-after-free memory-corruption condition to elevate to higher privileges, with high confidentiality, integrity, and availability impact implying a path to SYSTEM. No public exploit identified at time of analysis, and the flaw is not on CISA KEV; a vendor patch is available.
Local code execution in the Microsoft Windows NTFS driver stems from an out-of-bounds read (CWE-125) that an attacker can leverage to run arbitrary code on affected systems, spanning Windows 10 (1607 through 22H2), Windows 11 (24H2/25H2/26H1), and Windows Server 2012 through 2025. Exploitation requires local access and user interaction (AV:L/UI:R), typically opening or mounting a maliciously crafted file or volume, but no prior authentication (PR:N). Microsoft has released a patch; there is no public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Local privilege escalation in the Windows DirectX graphics kernel subsystem allows an authenticated attacker to elevate to SYSTEM by triggering a use-after-free (CWE-416) memory-corruption condition across Windows 11 (24H2, 25H2, 26H1) and Windows Server 2025. The CVSS 3.1 vector (7.8, AV:L/PR:L) confirms local access and low existing privileges are required with no user interaction, yielding full confidentiality, integrity, and availability impact. Reported by Microsoft with a vendor patch available; no public exploit identified at time of analysis and the CVE is not listed in CISA KEV.
Local privilege escalation in the Microsoft Windows Search component lets an already-authenticated low-privilege user gain SYSTEM-level rights through improper access control (CWE-284). It affects all currently supported Windows client and server builds from Windows 10 1809 through Windows 11 26H1 and Windows Server 2019 through 2025. There is no public exploit identified at time of analysis, and it is not listed in CISA KEV, but Microsoft has released a patch.
Local information disclosure in the Windows Container Isolation FS Filter Driver (unionfs.sys) on Windows 11 version 26H1 allows an authorized low-privileged user to read memory outside intended bounds and disclose sensitive kernel or process data. The flaw was reported by Microsoft, a vendor patch is available, and there is no public exploit identified at time of analysis. CVSS 7.1 (AV:L) reflects local access with low privileges but high confidentiality impact.
Local privilege escalation in the Windows Media component affects a broad range of Microsoft Windows client and server editions (Windows 10 1607 through Windows 11 26H1, and Windows Server 2016 through 2025). A low-privileged authenticated attacker can abuse a use-after-free (CWE-416) memory corruption flaw to elevate to higher privileges, achieving full confidentiality, integrity, and availability impact. There is no public exploit identified at time of analysis and the flaw is not on CISA KEV, but the high attack complexity (a likely race condition) is the main barrier to reliable exploitation.
Exposure of sensitive information to an unauthorized actor in Windows Win32K allows an authorized attacker to disclose information locally.
Local privilege elevation in the Windows Media component of Windows 11 (versions 24H2, 25H2, and 26H1) allows an already-authenticated local attacker to win a race condition and gain higher privileges on the host. The flaw is a concurrency/synchronization defect (CWE-362) reported by Microsoft itself; no public exploit identified at time of analysis and it is not listed in CISA KEV. Exploitation is rated high-complexity because the attacker must reliably win a timing window, which tempers the otherwise high confidentiality, integrity, and availability impact.
Elevation of privilege in the Windows Runtime (WinRT) component of Windows 11 (24H2, 25H2, 26H1) and Windows Server 2025 allows an authenticated attacker to gain higher privileges by exploiting a use-after-free memory-corruption flaw over the network. Microsoft, who reported the issue, has released a patch; there is no public exploit identified at time of analysis and it is not listed in CISA KEV. The high CVSS (8.5) is driven by a scope change and full confidentiality/integrity/availability impact, though high attack complexity tempers real-world exploitability.
Local privilege escalation in Microsoft Windows 11 (24H2, 25H2, 26H1) and Windows Server 2025 lets an already-authenticated, low-privileged attacker win a race condition (CWE-362) over an improperly synchronized shared resource to elevate privileges. Reported by Microsoft itself, the flaw carries a CVSS 7.0 and per SSVC has total technical impact but is not automatable and shows no observed exploitation; no public exploit is identified at time of analysis. EPSS is low at 0.24% (16th percentile), consistent with the high attack complexity of reliably timing the race.
Local privilege elevation in the Windows Brokering File System (bfs.sys/brokering component) lets an authenticated low-privileged user corrupt kernel memory via a double free (CWE-415) to gain SYSTEM-level privileges on Windows 11 (24H2, 25H2, 26H1) and Windows Server 2025. A Microsoft-released patch is available. There is no public exploit identified at time of analysis, and the flaw is not listed in CISA KEV; EPSS data was not provided.
Heap-based buffer overflow in Windows DirectX allows an authorized attacker to elevate privileges locally.
Elevation of privilege in Microsoft Windows (Windows 10 1809/21H2/22H2, Windows 11 24H2/25H2/26H1, and Windows Server 2019/2022/2025) allows a locally authenticated attacker to escalate to higher privileges via an improper access control weakness (CWE-284). An attacker who already holds a low-privilege foothold on the host can gain full confidentiality, integrity, and availability impact over the system. No public exploit identified at time of analysis, though the flaw was reported by Microsoft and a vendor patch is available.
Local privilege escalation in the Windows Runtime (WinRT) affects Windows 11 (24H2, 25H2, 26H1) and Windows Server 2025, where a race condition (CWE-362) in the handling of a shared resource allows an already-authenticated low-privileged attacker to win a timing window and elevate to higher privileges. Exploitation requires winning a non-deterministic race (AC:H) and low-level access to the target host (PR:L, AV:L), and there is no public exploit identified at time of analysis and it is not listed in CISA KEV. Microsoft has published an advisory and released a patch.
Local privilege escalation in the Windows Runtime (WinRT) component of Windows 11 (24H2, 25H2, 26H1) and Windows Server 2025 allows an authenticated local attacker to win a race condition and gain higher privileges. The flaw stems from improper synchronization of a shared resource (CWE-362); successful exploitation yields high confidentiality, integrity, and availability impact. No public exploit is identified at time of analysis, and it is not listed in CISA KEV; Microsoft has released a patch.
Privilege escalation in the Windows Runtime (WinRT) allows a network-based, unauthenticated attacker to win a race condition and gain elevated privileges on affected Windows 10, Windows 11 (through 26H1), and Windows Server 2019-2025 systems. Microsoft self-reported the flaw and has shipped a fix; there is no public exploit identified at time of analysis and it is not listed in CISA KEV. The CVSS vector (AV:N/AC:H) reflects a real but timing-dependent attack that is non-trivial to reproduce reliably.
Network-based privilege elevation in the Windows Runtime (WinRT) affects a broad range of Microsoft platforms including Windows 10 (1809 through 22H2), Windows 11 (24H2/25H2/26H1), and Windows Server 2019/2022/2025. An unauthorized attacker who wins a timing race in the improperly synchronized shared-resource handling can gain elevated privileges, with the vulnerability carrying an implicit authentication-bypass characteristic per vendor tags. No public exploit has been identified at time of analysis, and the high attack complexity (AC:H) reflects the need to reliably win a race window.
Local privilege escalation in the Windows Kernel (CVE-2026-50390) lets an already-authenticated attacker abuse a type-confusion condition to run code with elevated (SYSTEM-level) privileges on affected Windows client and server builds ranging from Windows 10 1607 through Windows 11 26H1 and Windows Server 2012 through Server 2025. Microsoft has shipped a fix and there is no public exploit identified at time of analysis, but as a kernel EoP it is a classic second-stage building block for turning a foothold into full host compromise. CVSS is 7.0 (High), reflecting high attack complexity but full confidentiality, integrity, and availability impact once triggered.
Out-of-bounds read in Windows Kernel allows an authorized attacker to elevate privileges locally.
Local code execution in Microsoft's Resilient File System (ReFS) driver lets an already-authenticated, low-privileged user on affected Windows 10, Windows 11, and Windows Server 2016–2025 systems escalate to code execution through a numeric truncation flaw (CWE-197). No public exploit has been identified at time of analysis, and it is not on CISA KEV, but Microsoft has released a patch. Note a data conflict: the description states code execution and the CVSS carries C:H/I:H/A:H, yet the vendor tags label it 'Information Disclosure' — the CVSS-backed local elevation-of-privilege reading is treated as authoritative here.
Use after free in Windows Ancillary Function Driver for WinSock allows an authorized attacker to elevate privileges locally.
Integer overflow or wraparound in Windows Devices Human Interface allows an authorized attacker to disclose information locally.
Exposure of sensitive information to an unauthorized actor in Windows Push Notifications allows an authorized attacker to disclose information locally.
Exposure of sensitive information to an unauthorized actor in Windows Push Notifications allows an authorized attacker to disclose information locally.
Exposure of sensitive information to an unauthorized actor in Windows Push Notifications allows an authorized attacker to disclose information locally.
Local privilege escalation in Windows Image Acquisition (WIA) affects Windows 11 (24H2, 25H2, 26H1) and Windows Server 2025, where a NULL pointer dereference can be leveraged by an already-authenticated local user to elevate privileges. Microsoft rates it 7.8 (High) with full confidentiality, integrity, and availability impact despite the flaw class typically causing denial of service. There is no public exploit identified at time of analysis, and it is not listed in CISA KEV.
Local privilege escalation in the Windows Internal System User Profile component allows an already-authenticated attacker to gain elevated (SYSTEM-level) privileges by triggering a use-after-free memory corruption condition (CWE-416). The flaw affects Windows 10 (21H2/22H2), Windows 11 (24H2/25H2/26H1), and Windows Server 2025 including Server Core. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the CVSS 7.8 rating and full high impact on confidentiality, integrity, and availability make it a meaningful patch-cycle priority.
Local privilege escalation in the Microsoft Windows USB driver stack lets an already-authenticated low-privileged user win a race condition (CWE-362) to gain SYSTEM-level control across Windows 10 (1607-22H2), Windows 11 (24H2/25H2/26H1), and Windows Server 2012 through 2025. Reported by Microsoft with a patch available; there is no public exploit identified at time of analysis and it is not listed in CISA KEV. EPSS is low (0.19%, 9th percentile) and SSVC rates exploitation as none but technical impact as total, indicating high damage potential if a working exploit is developed.
Local code execution in Microsoft Windows arises from a heap-based buffer overflow in a Windows Data DLL, letting an attacker who can get a victim to open crafted content run arbitrary code with the victim's privileges. Affected builds span Windows 10 (1607 through 22H2), Windows 11 (24H2, 25H2, 26H1), and Windows Server 2012 through 2025. Microsoft (the reporter) has released a patch; there is no public exploit identified at time of analysis and it is not listed in CISA KEV.
Remote code execution in the Microsoft Windows DHCP Server role allows an unauthenticated, adjacent-network attacker to run arbitrary code by triggering a heap-based buffer overflow (CWE-122) in DHCP message parsing. Affected systems span Windows Server 2012 through Windows Server 2025 (including Server Core installations) plus the DHCP service on Windows 10 versions 1607 and 1809, with full confidentiality, integrity, and availability impact. Microsoft has released a patch; there is no public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Local privilege escalation in Windows Kernel-Mode Drivers on Windows 11 (24H2, 25H2, 26H1) and Windows Server 2025 lets an authenticated local attacker corrupt kernel memory via a use-after-free and gain SYSTEM-level control. Rated CVSS 7.0 (Important) and reported by Microsoft itself; there is no public exploit identified at time of analysis and it is not listed in CISA KEV. The high attack complexity (AC:H) reflects the race-condition nature typical of kernel UAF bugs, which tempers real-world exploitability despite full C/I/A impact.
Local privilege escalation in the Microsoft Install Service (Windows Installer) affects supported Windows 10, Windows 11, and Windows Server 2019-2025 builds, letting an already-authenticated local user with limited rights (PR:L) elevate to SYSTEM. The flaw stems from improper privilege management (CWE-269) in how the service handles operations, yielding full confidentiality, integrity, and availability impact. Microsoft has released a patch; there is no public exploit identified at time of analysis and the CVE is not listed in CISA KEV.
Local privilege escalation in the Windows Application Model (the subsystem underlying UWP/packaged app lifecycle and activation) lets an authorized attacker with an existing low-privileged foothold gain SYSTEM-level control by triggering a use-after-free memory-corruption condition. All supported Windows client and server builds from Windows 10 1607 through Windows 11 26H1 and Windows Server 2016 through Server 2025 are affected. This is a Microsoft-reported flaw with a vendor patch available; there is no public exploit identified at time of analysis and it is not on CISA KEV.
Local privilege escalation in the Microsoft Windows Resilient File System (ReFS) driver allows an authenticated attacker to run code with SYSTEM-level privileges by triggering a heap-based buffer overflow. The flaw (CVSS 7.8) affects a broad range of Windows 10, Windows 11, and Windows Server 2016-2025 builds and carries high confidentiality, integrity, and availability impact. It is a Microsoft-reported issue with a vendor patch available, and there is no public exploit identified at time of analysis.
Buffer over-read in Windows NTFS allows an authorized attacker to disclose information locally.
Local code execution in the Windows Media component of Windows 11 (24H2, 25H2, 26H1) and Windows Server 2025 allows an authenticated local attacker to run arbitrary code by triggering a heap-based buffer overflow. Successful exploitation yields high confidentiality, integrity, and availability impact within the current security context, and Microsoft has released a patch. No public exploit identified at time of analysis, and the flaw is not listed in CISA KEV.
Remote code execution in Microsoft Windows GDI+ (gdiplus) lets an unauthenticated network attacker run arbitrary code when a victim opens or renders a specially crafted image, via a heap-based buffer overflow (CWE-122). The flaw affects a broad range of supported Windows client and server builds (Windows 10 1607 through Windows 11 26H1, and Windows Server 2012 through 2025). It carries a critical CVSS 9.6 with a scope-changed impact, but requires user interaction and currently has no public exploit identified at time of analysis.