Microsoft
Monthly
Remote code execution in Microsoft Windows GDI+ (gdiplus) lets an unauthenticated network attacker run arbitrary code when a victim opens or renders a specially crafted image, via a heap-based buffer overflow (CWE-122). The flaw affects a broad range of supported Windows client and server builds (Windows 10 1607 through Windows 11 26H1, and Windows Server 2012 through 2025). It carries a critical CVSS 9.6 with a scope-changed impact, but requires user interaction and currently has no public exploit identified at time of analysis.
Local privilege escalation in the Windows Audio Service (Windows 11 versions 24H2, 25H2, and 26H1) lets an authenticated low-privileged user win a race condition to elevate to SYSTEM-level privileges. The flaw is a concurrent-access synchronization defect (CWE-362) reported by Microsoft with a CVSS 3.1 base score of 7.8; there is no public exploit identified at time of analysis and it is not listed in CISA KEV. Because Audio Service runs as a privileged host process on virtually every Windows 11 desktop, this is a broadly relevant patch-Tuesday-class EoP.
Local code execution in Microsoft Windows NTFS driver (heap-based buffer overflow, CWE-122) allows an attacker to run arbitrary code with the privileges of the exploited context. The flaw affects a broad range of Windows client and server releases from Windows 10 1607 through Windows 11 26H1 and Windows Server 2012 through Server 2025. CVSS 7.8 with high confidentiality, integrity, and availability impact; exploitation requires local access and user interaction, and there is no public exploit identified at time of analysis.
Local privilege escalation in the Windows Unified Consent System (UCS) lets an already-authenticated attacker exploit a use-after-free memory-corruption flaw (CWE-416) to gain higher privileges, potentially up to SYSTEM. It affects a broad range of current Windows client and server builds including Windows 10 21H2/22H2, Windows 11 24H2/25H2/26H1, and Windows Server 2025. Reported by Microsoft with a CVSS 3.1 base score of 7.8; there is no public exploit identified at time of analysis and it is not listed in CISA KEV.
Local privilege escalation in the Windows TCP/IP stack lets a low-privileged authenticated user corrupt kernel memory via a use-after-free (CWE-416) and elevate to SYSTEM. It affects a broad range of Windows 10, Windows 11, and Windows Server builds through 2025, was reported by Microsoft, and carries CVSS 7.8; there is no public exploit identified at time of analysis and EPSS is low (0.20%, 10th percentile).
Exposure of sensitive information to an unauthorized actor in Windows Kernel allows an authorized attacker to disclose information locally.
Local code execution in Microsoft Windows NTFS arises from a heap-based buffer overflow (CWE-122) that an authorized, low-privileged local user can trigger to run arbitrary code and elevate to SYSTEM. The flaw spans a broad Windows footprint from Windows 10 1607 through Windows 11 26H1 and Windows Server 2012 through Server 2025. No public exploit identified at time of analysis, and the CVSS 3.1 base score is 7.8 (High).
Local privilege escalation in Windows App Installer (the MSIX/AppX package deployment component, msixbundle/App Installer) lets an already-authenticated low-privileged user overflow a stack buffer to gain higher privileges on affected Windows 10, Windows 11, and Windows Server builds. Microsoft self-reported the flaw and has shipped a patch; there is no public exploit identified at time of analysis and it is not listed in CISA KEV. The CVSS 7.8 (AV:L/PR:L) rating reflects a locally-launched attack with high confidentiality, integrity, and availability impact.
Local code execution in the Windows NTFS file system driver lets an unauthorized attacker run arbitrary code by tricking a user into interacting with specially crafted content, per Microsoft's MSRC advisory. The flaw is a heap-based buffer overflow (CWE-122) affecting a broad range of Windows releases from Windows 10 1607 through Windows 11 26H1 and Windows Server 2012 through Server 2025. No public exploit is identified at time of analysis and it is not listed in CISA KEV, but the low attack complexity and full-CIA impact make it a meaningful local code-execution risk.
Local privilege escalation in the Windows Notification component lets an already-authenticated low-privileged user elevate to higher privileges (SYSTEM) across a broad range of Windows 10, Windows 11, and Windows Server releases. The flaw stems from an incorrect type conversion/cast (CWE-704) and carries a CVSS 7.8 (AV:L/AC:L/PR:L/UI:N) with high confidentiality, integrity, and availability impact. Microsoft has released a patch; there is no public exploit identified at time of analysis and the CVE is not listed in CISA KEV.
Local privilege escalation in the Windows NTFS file-system driver allows an authenticated attacker to run code with elevated (SYSTEM-level) privileges by triggering a stack-based buffer overflow (CWE-121). The flaw was reported by Microsoft and affects a broad range of Windows client and server releases from Windows 10 1607 through Windows 11 26H1 and Windows Server 2012 through Server 2025. No public exploit identified at time of analysis, and it is not listed in CISA KEV; the CVSS 3.1 base score is 7.8 (High).
Local privilege escalation in Microsoft Windows Kernel-Mode Drivers lets an already-authenticated, low-privileged user corrupt kernel memory to gain SYSTEM-level control. Affected builds include Windows 11 (24H2, 25H2, 26H1) and Windows Server 2025, including Server Core. Microsoft has shipped a patch; there is no public exploit identified at time of analysis, and it is not on the CISA KEV list.
Privilege escalation in Microsoft Windows SMB Server allows an already-authenticated network attacker to elevate to higher privileges by abusing a flawed authentication algorithm, yielding high confidentiality, integrity, and availability impact. The flaw affects Windows 10 (21H2/22H2), Windows 11 (24H2/25H2/26H1), and Windows Server 2022/2025 including Server Core. Reported by Microsoft with a patch available; no public exploit identified at time of analysis.
Local privilege elevation in the Microsoft Windows TCP/IP networking stack lets an already-authenticated, low-privileged user corrupt kernel memory via a use-after-free (CWE-416) and gain SYSTEM-level control. The flaw affects a broad range of client and server SKUs from Windows 10 1607 through Windows 11 26H1 and Windows Server 2012 through Server 2025, including Server Core installations. Microsoft reported the issue and has released a patch; there is no public exploit identified at time of analysis and the CVE is not listed in CISA KEV.
Denial of service in Microsoft Windows Server Update Services (WSUS) lets a remote, unauthenticated attacker crash or disrupt the update service by triggering an uncaught exception over the network. The flaw affects WSUS across Windows Server 2012 through 2025 (plus Windows 10 1607/1809 servicing components), and the CVSS 3.1 availability-only vector (A:H) indicates service unavailability rather than data compromise. No public exploit identified at time of analysis, but a vendor patch is available and the flaw is network-reachable without authentication.
Local privilege escalation in Windows Secure Kernel Mode (VBS/Isolated User Mode trust boundary) affects Windows 11 24H2/25H2/26H1 and Windows Server 2025, where a use-after-free (CWE-416) lets an already-authenticated local attacker gain elevated privileges. Microsoft rates it 7.0 (High) with a local, high-complexity vector requiring low privileges and no user interaction. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, so exploitation would require winning a memory-corruption race after already having a foothold.
Local privilege escalation in the Windows Push Notifications component (WNS/WpnService) lets an already-authenticated low-privileged user overwrite adjacent heap memory to gain SYSTEM-level control across Windows 10 (1607-22H2), Windows 11 (24H2-26H1), and Windows Server 2012 R2 through 2025. Microsoft reported the flaw and has shipped a fix; there is no public exploit identified at time of analysis and it is not listed in CISA KEV. The high CVSS 7.8 reflects full confidentiality, integrity, and availability impact once triggered, but exploitation requires prior local access.
Local privilege escalation in the Microsoft Windows Kernel allows an already-authenticated attacker to gain SYSTEM-level control by exploiting a use-after-free (CWE-416) memory corruption condition. The flaw affects a broad range of supported Windows client and server releases (Windows 10 1809 through Windows 11 26H1, and Windows Server 2019 through 2025) and, per the CVSS 7.8 vector, yields full confidentiality, integrity, and availability impact. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV; Microsoft has released a patch.
Local privilege escalation in the Microsoft Brokering File System affects Windows 11 (24H2, 25H2, 26H1) and Windows Server 2025, where a use-after-free (CWE-416) memory-corruption flaw lets an already-authenticated local user execute code with elevated (typically SYSTEM) privileges. Microsoft has released a patch and reported the issue itself; there is no public exploit identified at time of analysis and it is not listed in CISA KEV. The CVSS 3.1 base score is 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), reflecting a locally-exploitable but high-impact elevation path.
Local privilege escalation in the Windows Redirected Drive Buffering Subsystem (RDBSS) lets an authenticated low-privileged attacker read memory beyond an allocated buffer to elevate to higher privileges. The flaw affects a broad range of currently-supported Windows client and server releases (Windows 10 1607 through Windows 11 26H1, Windows Server 2012 through Server 2025) and carries a CVSS 7.0 (High) rating. Microsoft has released a patch; there is no public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Local privilege escalation in the Windows Kernel lets a low-privileged, authenticated attacker gain SYSTEM-level control by triggering a heap-based buffer overflow (CWE-122). The flaw spans a broad platform range from Windows 10 1607 through Windows 11 26H1 and Windows Server 2012 through Server 2025, and was reported internally by Microsoft. No public exploit is identified at time of analysis and it is not in CISA KEV, but the ubiquity of the affected component plus full high impact on confidentiality, integrity, and availability make it a meaningful patch priority.
Improper certificate validation in Windows Cryptographic Services allows an unauthorized attacker to bypass a security feature over a network.
Local privilege escalation in Windows Server Backup (WBADMIN component shipped with Windows 10 21H2/22H2 and Windows 11 24H2/25H2/26H1) lets an authorized, low-privileged user abuse a symbolic-link/junction race so that a backup operation acts on an attacker-chosen path, yielding SYSTEM-level access. Microsoft has released a patch and reported the flaw itself; there is no public exploit identified at time of analysis and it is not listed in CISA KEV. Successful exploitation requires local access plus user interaction, which lowers the realistic threat relative to the 7.3 base score.
Use of a cryptographic primitive with a risky implementation in Windows Key Guard allows an authorized attacker to bypass a security feature locally.
Integer underflow in the Windows Kernel enables a locally authenticated attacker to disclose sensitive kernel memory contents across a broad range of Windows 10, Windows 11, and Windows Server platforms. The CVSS vector (AV:L/AC:L/PR:L/UI:N) confirms that any low-privilege local user can trigger the flaw without special configuration or user interaction, yielding high confidentiality impact with no integrity or availability consequences. Microsoft has released a patch via the July 2026 Security Update Guide; no public exploit has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog.
Exposure of sensitive information to an unauthorized actor in Windows Trusted Runtime Interface Driver allows an authorized attacker to disclose information locally.
Improper privilege management in Microsoft Windows DNS allows an authorized attacker to bypass a security feature locally.
Local privilege escalation in the Windows Clip Service (clipboard/cloud clipboard component, cbdhsvc) affects a broad range of Windows 10, Windows 11, and Windows Server 2019-2025 builds, where a race condition in concurrent access to a shared resource lets an already-authenticated local attacker win a timing window to gain higher privileges. Reported by Microsoft with a patch available; there is no public exploit identified at time of analysis and it is not listed in CISA KEV. Note a source conflict: the description and CWE describe privilege elevation with high confidentiality/integrity/availability impact, while the intelligence tags label it 'Information Disclosure' - treat the primary impact as local EoP per the CVSS vector.
Local privilege escalation in the Microsoft Windows App Store (AppX/package deployment component) allows an authorized, low-privileged user to win a race condition and gain higher privileges on affected Windows client and server builds spanning Windows 10 1607 through Windows 11 26H1 and Windows Server 2016 through 2025. Exploitation requires local access and already-held low privileges, and the high attack complexity reflects the timing precision needed to win the race. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but Microsoft has released a patch.
Privilege escalation in the Windows Win32K kernel-mode subsystem lets an already-authenticated local user gain SYSTEM-level control across a broad range of Windows client and server releases (Windows 10 1607 through Windows 11 26H1, and Windows Server 2012 through Server 2025). Rooted in improper access control (CWE-284), successful exploitation yields full confidentiality, integrity, and availability impact on the host. There is no public exploit identified at time of analysis and the CVSS vector's high attack complexity (AC:H) tempers the practical risk.
Local privilege escalation in the Windows Win32K kernel-mode subsystem allows an already-authenticated, low-privileged user to elevate to SYSTEM through improper access control (CWE-284). Affected builds span Windows 10 (1607 through 22H2), Windows 11 (24H2/25H2/26H1), and Windows Server 2012 through 2025. No public exploit identified at time of analysis, and it is not listed in CISA KEV; Microsoft has released a patch.
Local privilege escalation in the Windows Kernel lets an already-authenticated, low-privileged user corrupt kernel memory via a use-after-free (CWE-416) and gain higher privileges on the host. The flaw affects a broad range of currently-supported Windows client and server releases (Windows 10 1607 through Windows 11 26H1, and Windows Server 2016 through 2025); Microsoft has shipped a fix. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Insertion of sensitive information into log file in Windows Kernel allows an authorized attacker to disclose information locally.
Local privilege escalation in the Windows taskbar (Internal Task Bar component) allows an authenticated attacker to elevate to higher privileges by exploiting a use-after-free memory corruption flaw. The issue affects a broad range of current Windows client and server builds (Windows 10 21H2/22H2, Windows 11 24H2/25H2/26H1, and Windows Server 2025), was reported by Microsoft itself, and is fixed via a vendor patch. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.
Local privilege escalation in the Windows Kernel affects Windows 11 (24H2, 25H2, 26H1) and Windows Server 2025, where a race condition (CWE-362) in the synchronization of a shared kernel resource lets an authenticated low-privileged local user win a timing window to gain higher privileges. The CVSS 3.1 score is 7.8 with a scope-changed vector, the flaw was reported by Microsoft, and a patch is available. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.
Integer overflow or wraparound in Windows Spaceport.sys allows an unauthorized attacker to elevate privileges with a physical attack.
Local privilege escalation in the Windows MIDI Service Module on Windows 11 (versions 24H2, 25H2, and 26H1) lets an already-authenticated local user gain elevated privileges by abusing improper access control (CWE-284). Because the CVSS scope is changed (S:C), a successful attack breaks out of the service's context to compromise confidentiality, integrity, and availability of the broader system, effectively yielding SYSTEM-level control. Microsoft has released a patch; there is no public exploit identified at time of analysis and it is not listed in CISA KEV.
Exposure of sensitive information to an unauthorized actor in Windows DirectX allows an unauthorized attacker to disclose information locally.
Local privilege escalation in the Windows Audio Compression Manager (ACM) allows a low-privileged authenticated user to elevate to higher privileges (CVSS 7.8, CWE-284 improper access control). It affects a broad Windows fleet spanning Windows 10 (1607 through 22H2), Windows 11 (24H2/25H2/26H1), and Windows Server 2012 through 2025. Reported by Microsoft with a patch available; there is no public exploit identified at time of analysis and it is not listed in CISA KEV.
Local privilege escalation in Microsoft Windows Resilient File System (ReFS) allows an authenticated low-privileged user to gain elevated (SYSTEM-level) privileges by triggering a stack-based buffer overflow (CWE-121) in the ReFS driver. The flaw affects a broad range of Windows client and server releases, from Windows 10 1607 through Windows 11 26H1 and Windows Server 2016 through 2025. Microsoft has released a patch; there is no public exploit identified at time of analysis and the CVE is not listed in CISA KEV.
Local privilege escalation in Windows Runtime (WinRT) on Windows 11 (24H2, 25H2, 26H1) and Windows Server 2025 allows an authenticated local user to gain higher privileges by exploiting a use-after-free memory-corruption flaw (CWE-416). Successful exploitation yields high confidentiality, integrity, and availability impact, effectively enabling escalation to SYSTEM-level control on the host. There is no public exploit identified at time of analysis, and the flaw is not listed in CISA KEV; the elevated attack complexity (AC:H) indicates exploitation requires winning a race or meeting specific timing/heap conditions.
Local privilege escalation in the Windows AppX Deployment Service (AppXSvc) lets an already-authenticated, low-privileged user win a race condition to elevate to higher privileges across a broad range of Windows client and server builds (Windows 10 1607 through Windows 11 26H1, and Windows Server 2012 through 2025). The flaw stems from improper synchronization of a shared resource, and successful exploitation yields full confidentiality, integrity, and availability impact on the host. It is reported by Microsoft with a vendor patch available; there is no public exploit identified at time of analysis and it is not listed in CISA KEV.
Local privilege escalation in the Windows Win32K kernel-mode subsystem allows an already-authenticated low-privileged user to elevate to SYSTEM through an improper access-control flaw. The issue affects a broad range of Windows client and server releases, from Windows 10 1607 and Windows Server 2012 through Windows 11 26H1 and Windows Server 2025. Microsoft has released a patch; there is no public exploit identified at time of analysis, and the flaw is not listed in CISA KEV.
Local privilege escalation in the Windows USB Print Driver affects Windows 11 (24H2, 25H2, 26H1) and Windows Server 2025, where a race condition (improper synchronization of a shared resource) lets an already-authenticated local user win a timing window to execute code at elevated privilege. Reported by Microsoft with a patch available; no public exploit identified at time of analysis and it is not on CISA KEV. The high CVSS attack complexity (AC:H) reflects that the attacker must reliably win a narrow race, which tempers real-world exploitability.
Local privilege escalation in the Windows USB Print Driver on Windows 11 (24H2, 25H2, 26H1) and Windows Server 2025 allows an already-authenticated local user to win a timing race and elevate to SYSTEM-level privileges. The flaw is a race condition (CWE-362) reported by Microsoft; a vendor patch is available, and there is no public exploit identified at time of analysis. Exploitation is constrained by high attack complexity (winning the race window) but yields full confidentiality, integrity, and availability impact once achieved.
Use of uninitialized resource in Windows SMB allows an authorized attacker to disclose information locally.
Local privilege escalation in the Windows Spaceport.sys Storage Spaces driver lets an already-authenticated low-privileged user gain SYSTEM-level control across Windows 10, Windows 11, and Windows Server 2016 through 2025. The flaw stems from a missing authentication check on a critical driver function (CWE-306), and Microsoft has released a patch; no public exploit has been identified at time of analysis. With CVSS 7.8 (local, low-privilege) and full confidentiality, integrity, and availability impact, it is a strong candidate for chaining after an initial foothold.
Exposure of sensitive system information to an unauthorized control sphere in Windows Kernel allows an unauthorized attacker to disclose information locally.
Heap-based buffer overflow in Windows USB Video Driver allows an unauthorized attacker to elevate privileges with a physical attack.
Elevation of privilege in Microsoft Windows (Server 2012 through 2025 and Windows 10/11 clients) lets a low-privileged local user gain SYSTEM-level rights by abusing an improper access control (CWE-284) weakness. The flaw was reported by Microsoft with a patch available, and CVSS 3.1 rates it 7.8 (High) with local vector and low privileges required. No public exploit identified at time of analysis and it is not listed in CISA KEV, so this is a patch-worthy but not emergency issue absent evidence of active exploitation.
Local code execution in the Microsoft Windows NTFS file-system driver lets an attacker run arbitrary code by inducing a victim to interact with a specially crafted NTFS artifact (e.g., a malicious volume, VHD, or file). The flaw stems from an integer underflow (CWE-191) and spans a broad range of Windows client and server builds from Windows Server 2012 through Windows Server 2025 and Windows 10/11. Microsoft has released a patch; there is no public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Uncontrolled resource consumption in Windows Local Security Authority Subsystem Service (LSASS) allows an authorized attacker to deny service over a network.
Local privilege escalation in the Windows Web Proxy Auto-Discovery Protocol (WPAD) component lets an already-authenticated local user run code with SYSTEM-level rights by triggering an integer overflow (CWE-190). The flaw affects a broad range of Windows client and server builds, from Windows 10 1809 through Windows 11 26H1 and Windows Server 2019 through 2025. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the low attack complexity and high triad impact make it a meaningful patch-tier issue.
Integer overflow or wraparound in Windows Storage Spaces Direct allows an unauthorized attacker to execute code with a physical attack.
Local privilege escalation in the Microsoft Windows Kernel allows an unauthorized attacker to gain elevated (SYSTEM-level) privileges by triggering a use-after-free condition (CWE-416) in kernel memory. The flaw affects a broad range of supported Windows client and server releases, from Windows 10 1607 and Windows Server 2012 through Windows 11 26H1 and Windows Server 2025. Microsoft has released a patch; there is no public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Local code execution in the Windows NTFS driver (CVE-2026-49797) allows an attacker with local access to run arbitrary code by tricking a user into interacting with a maliciously crafted NTFS artifact, exploiting a heap-based buffer overflow (CWE-122). The flaw affects a broad range of Windows client and server releases from Windows 10 1607 and Server 2012 through Windows 11 26H1 and Server 2025. Microsoft has released a patch; no public exploit identified at time of analysis and it is not listed in CISA KEV.
Local privilege escalation in the Windows Kernel lets an already-authenticated attacker corrupt kernel memory via a use-after-free (CWE-416) and gain full control of the host. The CVSS 3.1 vector (AV:L/PR:L, scope-changed with C:H/I:H/A:H) reflects a low-privileged local user escalating to SYSTEM-level compromise across a broad range of Windows 10, Windows 11, and Windows Server builds. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but Microsoft has released a patch.
Local code execution in Windows GDI+ (the Graphics Device Interface Plus rendering component) affects a broad range of Microsoft Windows client and server releases from Windows 10 1607 through Windows 11 26H1 and Windows Server 2012 through Server 2025. An attacker who convinces a user to open or preview a specially crafted image or document triggers a heap-based buffer overflow (CWE-122) during graphics parsing, yielding arbitrary code execution in the context of the current user. The CVSS 3.1 base score is 7.8 (AV:L/AC:L/PR:N/UI:R); there is no public exploit identified at time of analysis and it is not listed in CISA KEV, but GDI+ image-parsing flaws are historically attractive to attackers.
Out-of-bounds read in Windows USB Audio Class driver (usbaudio.sys) allows an unauthorized attacker to disclose information with a physical attack.
Local privilege escalation via arbitrary code execution in Microsoft Windows Resilient File System (ReFS) affects a broad range of Windows 10, Windows 11, and Windows Server (2016-2025) builds. An authorized (low-privileged) attacker who can trigger the vulnerable heap allocation path can corrupt heap memory (CWE-122) to run code in the security context of the ReFS driver, yielding full confidentiality, integrity, and availability impact. No public exploit identified at time of analysis, and the flaw is not on the CISA KEV list.
Local code execution in Microsoft's Resilient File System (ReFS) driver allows an authorized (low-privileged) attacker to run arbitrary code with elevated context via a numeric truncation flaw. The bug affects the ReFS component shipped with Windows 10, Windows 11, and Windows Server 2016 through 2025. There is no public exploit identified at time of analysis and it is not listed in CISA KEV; note that the CVE's own tags label it 'Information Disclosure' while the description and CVSS impact (C:H/I:H/A:H) describe full code execution - the code-execution reading should be treated as authoritative.
Local privilege escalation in Microsoft Windows Routing and Remote Access Service (RRAS) allows an already-authenticated low-privileged user to abuse a link-following (symlink/junction) flaw to gain higher privileges on the host. The bug affects a broad range of client and server SKUs from Windows Server 2012 through Windows Server 2025 and Windows 10 1607 through Windows 11 26H1, and Microsoft has shipped a fix. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.
Elevation of privilege in the Windows Universal Disk Format File System driver (UDFS.sys) lets a low-privileged local user gain elevated (kernel/SYSTEM) rights after the victim mounts or opens a maliciously crafted UDF volume. The flaw stems from an integer arithmetic error (CWE-191) in the driver that parses UDF-formatted media such as ISO images, optical discs, and virtual disk files, and affects a broad range of Windows client and server releases from Windows Server 2012 and Windows 10 1607 through Windows 11 26H1 and Windows Server 2025. Microsoft reported the issue and has shipped a patch; there is no public exploit identified at time of analysis and the CVE is not listed in CISA KEV.
Local privilege escalation in the Microsoft Windows NTFS driver allows an already-authenticated, low-privileged user to gain elevated (likely SYSTEM) privileges by triggering a stack-based buffer overflow, contingent on user interaction. The flaw spans a broad range of supported Windows client and server releases, from Windows 10 1607 and Server 2012 through Windows 11 26H1 and Server 2025. Microsoft has issued a patch and reported the issue itself; there is no public exploit identified at time of analysis and the CVE is not listed in CISA KEV.
Denial of service in Microsoft Windows HTTP.sys allows remote unauthenticated attackers to exhaust system resources and make affected hosts unresponsive over the network. The flaw stems from missing resource limits/throttling (CWE-770) in the kernel-mode HTTP protocol stack, affecting a broad range of Windows client and server releases from Windows 10 1607 through Windows 11 26H1 and Windows Server 2016 through 2025. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV; a vendor patch is available via MSRC.
Security feature bypass in Windows Secure Boot (CWE-358) allows a locally authenticated attacker on affected Windows 10, Windows 11, and Windows Server (2016 through 2025) systems to defeat the boot-integrity trust chain due to an improperly implemented standard security check. Because Secure Boot is the gate that blocks unsigned/tampered bootloaders and rootkits, a successful bypass can enable pre-OS persistence and undermine downstream protections such as BitLocker and Measured Boot. There is no public exploit identified at time of analysis and the CVE is not listed in CISA KEV; Microsoft has published a patch via its update guide.
Local privilege escalation in the Windows Clipboard Server (Windows 10 1809 through Windows 11 26H1 and Windows Server 2019 through 2025) allows an already-authenticated low-privileged user to win a race condition and gain higher privileges on the host. Microsoft credits its own researchers and has shipped a fix; there is no public exploit identified at time of analysis and the CVSS base score is 7.0 (High). The high attack complexity reflects the timing precision needed to exploit the race, which meaningfully limits reliable weaponization.
Local code execution in Microsoft Windows NTFS (New Technology File System) stems from a heap-based buffer overflow (CWE-122) that lets a local attacker run arbitrary code with high confidentiality, integrity, and availability impact. The flaw affects a broad range of Windows client and server builds - from Windows 10 1607 and Server 2012 through Windows 11 26H1 and Server 2025 - and Microsoft has released a patch. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but NTFS's role as the default Windows filesystem makes the exposed surface extremely wide.
Information disclosure (and vendor-labeled privilege elevation) in the Windows DHCP Client affects Windows 10 (1607/1809), Windows Server 2012 through 2025, and their Server Core installations via an integer underflow (CWE-191) reachable over the network. A remote attacker positioned to answer DHCP traffic can craft malformed responses that wrap a length/counter calculation, with a CVSS 3.1 base of 7.5 (confidentiality impact only per the published vector). No public exploit is identified at time of analysis and it is not listed in CISA KEV, but Microsoft ships a patch.
Local privilege escalation in Microsoft Surface devices (Go, Hub, Laptop Go/Go 3, Pro/Pro 8, Laptop 4 AMD/Intel, Windows Dev Kit) allows an authenticated low-privileged user to gain higher privileges through insufficiently granular access control (CWE-1220) in the device firmware/platform layer. The flaw carries a CVSS 7.8 (High) with full confidentiality, integrity, and availability impact once exploited, but requires prior local access. No public exploit identified at time of analysis, and it is not listed in CISA KEV; Microsoft has released a fix via MSRC.
Remote code execution in the Microsoft Windows DHCP Server role allows an authenticated network attacker (PR:L) to trigger a heap-based buffer overflow and run arbitrary code on the server. The flaw affects DHCP Server across Windows Server 2012 through Server 2025 (including Server Core installations) and carries a CVSS 8.8 with full confidentiality, integrity, and availability impact. Reported by Microsoft with a vendor patch available; no public exploit identified at time of analysis.
Privilege escalation in Microsoft's Azure Monitor Agent (specifically the Metrics Extension) lets an unauthenticated attacker on an adjacent network gain elevated privileges by exploiting improper TLS certificate validation (CWE-295). Because the agent fails to properly verify the certificate of the endpoint it communicates with, an attacker positioned on the same broadcast/logical network segment can impersonate a trusted server and hijack the agent's privileged context, yielding high confidentiality, integrity, and availability impact. Microsoft rates it CVSS 8.8; there is currently no public exploit identified at time of analysis and it is not listed in CISA KEV.
Local privilege escalation in the Windows Push Notifications component (WPN) affects Windows 11 (23H2, 24H2, 25H2, 26H1) and Windows Server 2025 including Server Core, where a race condition (CWE-362) lets an authorized local user win a timing window on a shared resource to run code at a higher privilege level. Microsoft reported the issue and has released a patch; there is no public exploit identified at time of analysis and it is not listed in CISA KEV. Note a signal conflict: the description and CVSS impact frame this as privilege elevation, while the vendor tags also list 'Information Disclosure' - the primary impact should be treated as EoP pending vendor clarification.
Denial of service in the Windows Local Security Authority Subsystem Service (LSASS) allows a remote, unauthenticated attacker to crash the service and disrupt authentication across all supported Windows client and server releases from Windows 10 1607 through Windows 11 26H1 and Windows Server 2012 through Server 2025. The flaw stems from an excessive-size memory allocation (CWE-789) triggerable over the network with no privileges or user interaction, and while a vendor patch is available, there is no public exploit identified at time of analysis and it is not listed in CISA KEV. Impact is limited to availability (A:H) with no confidentiality or integrity loss, but LSASS failure can force system instability or reboots, affecting domain authentication and logon.
Denial of service in Windows Cryptographic Services affects a broad sweep of supported Microsoft platforms, from Windows 10 (1607) and Server 2012 through Windows 11 26H1 and Server 2025. A memory-leak flaw (CWE-401) lets a remote, unauthenticated attacker send network traffic that fails to release memory over time, degrading or exhausting the affected service until availability is impacted. There is no public exploit identified at time of analysis, exploitation is not yet observed (SSVC: none), and EPSS is low (0.78%), but a vendor patch is available and Automatable is 'yes', warranting prompt patching.
Windows Event Logging Service across a wide range of Windows 10, Windows 11, and Windows Server versions fails to enforce its intended protection mechanisms, permitting any authenticated low-privileged network user to read information that should be access-controlled. The CVSS vector (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N) confirms exploitation requires only a valid low-privilege account and network connectivity, with no user interaction and no elevated rights - making it a practical post-compromise lateral-movement or reconnaissance tool. No public exploit code has been identified and this CVE is not listed in CISA KEV at time of analysis, but the ubiquitous deployment footprint across the Windows ecosystem elevates organizational exposure.
Remote code execution in Windows PowerShell allows an authenticated attacker with low privileges to run arbitrary code across a network by exploiting a relative path traversal (CWE-23) flaw, provided a victim is induced to interact (UI:R). Affecting supported Windows 10/11 clients and Windows Server 2012 through 2025, the issue carries a CVSS 8.0 with full confidentiality, integrity, and availability impact, and a vendor patch is available via MSRC. There is no public exploit identified at time of analysis, and the CVE is not listed in CISA KEV.
Exposure of sensitive information to an unauthorized actor in Windows File Explorer allows an authorized attacker to disclose information locally.
Use of uninitialized resource in Windows File Explorer allows an authorized attacker to disclose information locally.
Windows Audio Service on multiple Windows desktop and server versions improperly exposes sensitive information to locally authenticated standard users, enabling information disclosure without requiring elevated privileges. Affecting Windows 10 1809 through Windows 11 26H1 and Windows Server 2019 (with Server 2022 and 2025 referenced in tags), the flaw is exploitable post-foothold by any low-privileged local account, making it a realistic post-exploitation pivot rather than an initial access vector. No public exploit code has been identified at time of analysis, and a vendor-released patch is confirmed available via the Microsoft Security Response Center.
Exposure of sensitive information to an unauthorized actor in Windows File Explorer allows an authorized attacker to disclose information locally.
Denial of service in Microsoft Azure Active Directory (Entra ID) allows a remote unauthenticated attacker to send network traffic that drives affected processing into an infinite loop (CWE-835), exhausting resources and disrupting availability of the identity service. The flaw carries CVSS 7.5 with a high-availability impact, no confidentiality or integrity effect, and no public exploit identified at time of analysis. Microsoft has released a fix, which for this cloud-hosted service is applied server-side by the vendor.
Denial of service in Microsoft Azure Active Directory (now Entra ID) allows a remote, unauthenticated attacker to disrupt service availability by sending crafted serialized data that triggers unsafe deserialization (CWE-502). The flaw carries a CVSS 7.5 (High) with a fully network-reachable, no-privilege, no-interaction vector, but impact is confined to availability - confidentiality and integrity are not affected. Microsoft has released a fix via MSRC; there is no public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Remote code execution in Microsoft SharePoint (Enterprise Server 2016, Server 2019, and Server Subscription Edition) allows an unauthenticated network attacker to run arbitrary code on the server by submitting maliciously crafted serialized data (CWE-502). The CVSS 3.1 base score is 9.8 with a fully remote, no-interaction, no-privilege vector (AV:N/AC:L/PR:N/UI:N), placing it among the most severe SharePoint flaws. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but insecure-deserialization RCE in SharePoint has historically been a high-value target for rapid weaponization.
Local privilege escalation via a heap-based buffer overflow in the Windows NTFS driver allows an authenticated attacker with low privileges to execute arbitrary code and gain full SYSTEM-level control. It affects a broad range of Windows client and server releases, from Windows 10 1607 and Windows Server 2012 through Windows 11 26H1 and Windows Server 2025. No public exploit identified at time of analysis, and SSVC records no observed exploitation; EPSS is low at 0.29% (21st percentile).
Local privilege escalation in Microsoft Windows Narrator (the built-in screen reader) arises from improper neutralization of special elements in its Braille support component, allowing an already-authenticated local attacker (PR:L) to inject and execute OS commands that run with elevated privileges. All supported Windows client and server builds from Windows 10 1809 through Windows 11 26H1 and Windows Server 2019-2025 are affected, and Microsoft has released a patch. There is no public exploit identified at time of analysis and the CVE is not in CISA KEV, so exploitation is not confirmed as active.
Local privilege-to-code-execution in Microsoft Windows Admin Center lets an already-authenticated, lower-privileged user abuse an improper authorization check (CWE-285) to run arbitrary code on the host where the management tool is installed. Rated CVSS 7.8 with high confidentiality, integrity, and availability impact, it requires local access and existing low-level privileges rather than remote unauthenticated reach. No public exploit identified at time of analysis, and it is not listed in CISA KEV, but Microsoft has released a fix via the MSRC update guide.
Local arbitrary code execution in Microsoft Excel arises from a heap-based buffer overflow (CWE-122) triggered when a user opens a maliciously crafted spreadsheet; successful exploitation runs attacker code in the context of the current user across desktop Office builds (Excel 2016, Office 2019, LTSC 2021/2024, Microsoft 365 Apps) on both Windows and Mac, as well as Office Online Server. The flaw carries CVSS 7.8 with high confidentiality, integrity, and availability impact but requires user interaction (opening the file). No public exploit identified at time of analysis, and it is not listed in CISA KEV; a vendor patch is available from Microsoft.
Out-of-bounds read in Windows Kernel allows an authorized attacker to bypass a security feature locally.
Local code execution in Microsoft Windows Media Foundation lets an attacker run arbitrary code in the context of the victim after luring them to open a maliciously crafted media file. The flaw (CVE-2026-58610, CWE-122 heap-based buffer overflow) affects a broad range of Windows client and server releases from Windows 10 1607 through Windows 11 26H1 and Windows Server 2016 through 2025. CVSS is 7.8 (AV:L/AC:L/PR:N/UI:R) with full confidentiality, integrity, and availability impact; there is no public exploit identified at time of analysis and it is not on CISA KEV.
Remote code execution in Microsoft Windows GDI+ (gdiplus) lets an unauthenticated network attacker run arbitrary code when a victim opens or renders a specially crafted image, via a heap-based buffer overflow (CWE-122). The flaw affects a broad range of supported Windows client and server builds (Windows 10 1607 through Windows 11 26H1, and Windows Server 2012 through 2025). It carries a critical CVSS 9.6 with a scope-changed impact, but requires user interaction and currently has no public exploit identified at time of analysis.
Local privilege escalation in the Windows Audio Service (Windows 11 versions 24H2, 25H2, and 26H1) lets an authenticated low-privileged user win a race condition to elevate to SYSTEM-level privileges. The flaw is a concurrent-access synchronization defect (CWE-362) reported by Microsoft with a CVSS 3.1 base score of 7.8; there is no public exploit identified at time of analysis and it is not listed in CISA KEV. Because Audio Service runs as a privileged host process on virtually every Windows 11 desktop, this is a broadly relevant patch-Tuesday-class EoP.
Local code execution in Microsoft Windows NTFS driver (heap-based buffer overflow, CWE-122) allows an attacker to run arbitrary code with the privileges of the exploited context. The flaw affects a broad range of Windows client and server releases from Windows 10 1607 through Windows 11 26H1 and Windows Server 2012 through Server 2025. CVSS 7.8 with high confidentiality, integrity, and availability impact; exploitation requires local access and user interaction, and there is no public exploit identified at time of analysis.
Local privilege escalation in the Windows Unified Consent System (UCS) lets an already-authenticated attacker exploit a use-after-free memory-corruption flaw (CWE-416) to gain higher privileges, potentially up to SYSTEM. It affects a broad range of current Windows client and server builds including Windows 10 21H2/22H2, Windows 11 24H2/25H2/26H1, and Windows Server 2025. Reported by Microsoft with a CVSS 3.1 base score of 7.8; there is no public exploit identified at time of analysis and it is not listed in CISA KEV.
Local privilege escalation in the Windows TCP/IP stack lets a low-privileged authenticated user corrupt kernel memory via a use-after-free (CWE-416) and elevate to SYSTEM. It affects a broad range of Windows 10, Windows 11, and Windows Server builds through 2025, was reported by Microsoft, and carries CVSS 7.8; there is no public exploit identified at time of analysis and EPSS is low (0.20%, 10th percentile).
Exposure of sensitive information to an unauthorized actor in Windows Kernel allows an authorized attacker to disclose information locally.
Local code execution in Microsoft Windows NTFS arises from a heap-based buffer overflow (CWE-122) that an authorized, low-privileged local user can trigger to run arbitrary code and elevate to SYSTEM. The flaw spans a broad Windows footprint from Windows 10 1607 through Windows 11 26H1 and Windows Server 2012 through Server 2025. No public exploit identified at time of analysis, and the CVSS 3.1 base score is 7.8 (High).
Local privilege escalation in Windows App Installer (the MSIX/AppX package deployment component, msixbundle/App Installer) lets an already-authenticated low-privileged user overflow a stack buffer to gain higher privileges on affected Windows 10, Windows 11, and Windows Server builds. Microsoft self-reported the flaw and has shipped a patch; there is no public exploit identified at time of analysis and it is not listed in CISA KEV. The CVSS 7.8 (AV:L/PR:L) rating reflects a locally-launched attack with high confidentiality, integrity, and availability impact.
Local code execution in the Windows NTFS file system driver lets an unauthorized attacker run arbitrary code by tricking a user into interacting with specially crafted content, per Microsoft's MSRC advisory. The flaw is a heap-based buffer overflow (CWE-122) affecting a broad range of Windows releases from Windows 10 1607 through Windows 11 26H1 and Windows Server 2012 through Server 2025. No public exploit is identified at time of analysis and it is not listed in CISA KEV, but the low attack complexity and full-CIA impact make it a meaningful local code-execution risk.
Local privilege escalation in the Windows Notification component lets an already-authenticated low-privileged user elevate to higher privileges (SYSTEM) across a broad range of Windows 10, Windows 11, and Windows Server releases. The flaw stems from an incorrect type conversion/cast (CWE-704) and carries a CVSS 7.8 (AV:L/AC:L/PR:L/UI:N) with high confidentiality, integrity, and availability impact. Microsoft has released a patch; there is no public exploit identified at time of analysis and the CVE is not listed in CISA KEV.
Local privilege escalation in the Windows NTFS file-system driver allows an authenticated attacker to run code with elevated (SYSTEM-level) privileges by triggering a stack-based buffer overflow (CWE-121). The flaw was reported by Microsoft and affects a broad range of Windows client and server releases from Windows 10 1607 through Windows 11 26H1 and Windows Server 2012 through Server 2025. No public exploit identified at time of analysis, and it is not listed in CISA KEV; the CVSS 3.1 base score is 7.8 (High).
Local privilege escalation in Microsoft Windows Kernel-Mode Drivers lets an already-authenticated, low-privileged user corrupt kernel memory to gain SYSTEM-level control. Affected builds include Windows 11 (24H2, 25H2, 26H1) and Windows Server 2025, including Server Core. Microsoft has shipped a patch; there is no public exploit identified at time of analysis, and it is not on the CISA KEV list.
Privilege escalation in Microsoft Windows SMB Server allows an already-authenticated network attacker to elevate to higher privileges by abusing a flawed authentication algorithm, yielding high confidentiality, integrity, and availability impact. The flaw affects Windows 10 (21H2/22H2), Windows 11 (24H2/25H2/26H1), and Windows Server 2022/2025 including Server Core. Reported by Microsoft with a patch available; no public exploit identified at time of analysis.
Local privilege elevation in the Microsoft Windows TCP/IP networking stack lets an already-authenticated, low-privileged user corrupt kernel memory via a use-after-free (CWE-416) and gain SYSTEM-level control. The flaw affects a broad range of client and server SKUs from Windows 10 1607 through Windows 11 26H1 and Windows Server 2012 through Server 2025, including Server Core installations. Microsoft reported the issue and has released a patch; there is no public exploit identified at time of analysis and the CVE is not listed in CISA KEV.
Denial of service in Microsoft Windows Server Update Services (WSUS) lets a remote, unauthenticated attacker crash or disrupt the update service by triggering an uncaught exception over the network. The flaw affects WSUS across Windows Server 2012 through 2025 (plus Windows 10 1607/1809 servicing components), and the CVSS 3.1 availability-only vector (A:H) indicates service unavailability rather than data compromise. No public exploit identified at time of analysis, but a vendor patch is available and the flaw is network-reachable without authentication.
Local privilege escalation in Windows Secure Kernel Mode (VBS/Isolated User Mode trust boundary) affects Windows 11 24H2/25H2/26H1 and Windows Server 2025, where a use-after-free (CWE-416) lets an already-authenticated local attacker gain elevated privileges. Microsoft rates it 7.0 (High) with a local, high-complexity vector requiring low privileges and no user interaction. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, so exploitation would require winning a memory-corruption race after already having a foothold.
Local privilege escalation in the Windows Push Notifications component (WNS/WpnService) lets an already-authenticated low-privileged user overwrite adjacent heap memory to gain SYSTEM-level control across Windows 10 (1607-22H2), Windows 11 (24H2-26H1), and Windows Server 2012 R2 through 2025. Microsoft reported the flaw and has shipped a fix; there is no public exploit identified at time of analysis and it is not listed in CISA KEV. The high CVSS 7.8 reflects full confidentiality, integrity, and availability impact once triggered, but exploitation requires prior local access.
Local privilege escalation in the Microsoft Windows Kernel allows an already-authenticated attacker to gain SYSTEM-level control by exploiting a use-after-free (CWE-416) memory corruption condition. The flaw affects a broad range of supported Windows client and server releases (Windows 10 1809 through Windows 11 26H1, and Windows Server 2019 through 2025) and, per the CVSS 7.8 vector, yields full confidentiality, integrity, and availability impact. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV; Microsoft has released a patch.
Local privilege escalation in the Microsoft Brokering File System affects Windows 11 (24H2, 25H2, 26H1) and Windows Server 2025, where a use-after-free (CWE-416) memory-corruption flaw lets an already-authenticated local user execute code with elevated (typically SYSTEM) privileges. Microsoft has released a patch and reported the issue itself; there is no public exploit identified at time of analysis and it is not listed in CISA KEV. The CVSS 3.1 base score is 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), reflecting a locally-exploitable but high-impact elevation path.
Local privilege escalation in the Windows Redirected Drive Buffering Subsystem (RDBSS) lets an authenticated low-privileged attacker read memory beyond an allocated buffer to elevate to higher privileges. The flaw affects a broad range of currently-supported Windows client and server releases (Windows 10 1607 through Windows 11 26H1, Windows Server 2012 through Server 2025) and carries a CVSS 7.0 (High) rating. Microsoft has released a patch; there is no public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Local privilege escalation in the Windows Kernel lets a low-privileged, authenticated attacker gain SYSTEM-level control by triggering a heap-based buffer overflow (CWE-122). The flaw spans a broad platform range from Windows 10 1607 through Windows 11 26H1 and Windows Server 2012 through Server 2025, and was reported internally by Microsoft. No public exploit is identified at time of analysis and it is not in CISA KEV, but the ubiquity of the affected component plus full high impact on confidentiality, integrity, and availability make it a meaningful patch priority.
Improper certificate validation in Windows Cryptographic Services allows an unauthorized attacker to bypass a security feature over a network.
Local privilege escalation in Windows Server Backup (WBADMIN component shipped with Windows 10 21H2/22H2 and Windows 11 24H2/25H2/26H1) lets an authorized, low-privileged user abuse a symbolic-link/junction race so that a backup operation acts on an attacker-chosen path, yielding SYSTEM-level access. Microsoft has released a patch and reported the flaw itself; there is no public exploit identified at time of analysis and it is not listed in CISA KEV. Successful exploitation requires local access plus user interaction, which lowers the realistic threat relative to the 7.3 base score.
Use of a cryptographic primitive with a risky implementation in Windows Key Guard allows an authorized attacker to bypass a security feature locally.
Integer underflow in the Windows Kernel enables a locally authenticated attacker to disclose sensitive kernel memory contents across a broad range of Windows 10, Windows 11, and Windows Server platforms. The CVSS vector (AV:L/AC:L/PR:L/UI:N) confirms that any low-privilege local user can trigger the flaw without special configuration or user interaction, yielding high confidentiality impact with no integrity or availability consequences. Microsoft has released a patch via the July 2026 Security Update Guide; no public exploit has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog.
Exposure of sensitive information to an unauthorized actor in Windows Trusted Runtime Interface Driver allows an authorized attacker to disclose information locally.
Improper privilege management in Microsoft Windows DNS allows an authorized attacker to bypass a security feature locally.
Local privilege escalation in the Windows Clip Service (clipboard/cloud clipboard component, cbdhsvc) affects a broad range of Windows 10, Windows 11, and Windows Server 2019-2025 builds, where a race condition in concurrent access to a shared resource lets an already-authenticated local attacker win a timing window to gain higher privileges. Reported by Microsoft with a patch available; there is no public exploit identified at time of analysis and it is not listed in CISA KEV. Note a source conflict: the description and CWE describe privilege elevation with high confidentiality/integrity/availability impact, while the intelligence tags label it 'Information Disclosure' - treat the primary impact as local EoP per the CVSS vector.
Local privilege escalation in the Microsoft Windows App Store (AppX/package deployment component) allows an authorized, low-privileged user to win a race condition and gain higher privileges on affected Windows client and server builds spanning Windows 10 1607 through Windows 11 26H1 and Windows Server 2016 through 2025. Exploitation requires local access and already-held low privileges, and the high attack complexity reflects the timing precision needed to win the race. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but Microsoft has released a patch.
Privilege escalation in the Windows Win32K kernel-mode subsystem lets an already-authenticated local user gain SYSTEM-level control across a broad range of Windows client and server releases (Windows 10 1607 through Windows 11 26H1, and Windows Server 2012 through Server 2025). Rooted in improper access control (CWE-284), successful exploitation yields full confidentiality, integrity, and availability impact on the host. There is no public exploit identified at time of analysis and the CVSS vector's high attack complexity (AC:H) tempers the practical risk.
Local privilege escalation in the Windows Win32K kernel-mode subsystem allows an already-authenticated, low-privileged user to elevate to SYSTEM through improper access control (CWE-284). Affected builds span Windows 10 (1607 through 22H2), Windows 11 (24H2/25H2/26H1), and Windows Server 2012 through 2025. No public exploit identified at time of analysis, and it is not listed in CISA KEV; Microsoft has released a patch.
Local privilege escalation in the Windows Kernel lets an already-authenticated, low-privileged user corrupt kernel memory via a use-after-free (CWE-416) and gain higher privileges on the host. The flaw affects a broad range of currently-supported Windows client and server releases (Windows 10 1607 through Windows 11 26H1, and Windows Server 2016 through 2025); Microsoft has shipped a fix. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Insertion of sensitive information into log file in Windows Kernel allows an authorized attacker to disclose information locally.
Local privilege escalation in the Windows taskbar (Internal Task Bar component) allows an authenticated attacker to elevate to higher privileges by exploiting a use-after-free memory corruption flaw. The issue affects a broad range of current Windows client and server builds (Windows 10 21H2/22H2, Windows 11 24H2/25H2/26H1, and Windows Server 2025), was reported by Microsoft itself, and is fixed via a vendor patch. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.
Local privilege escalation in the Windows Kernel affects Windows 11 (24H2, 25H2, 26H1) and Windows Server 2025, where a race condition (CWE-362) in the synchronization of a shared kernel resource lets an authenticated low-privileged local user win a timing window to gain higher privileges. The CVSS 3.1 score is 7.8 with a scope-changed vector, the flaw was reported by Microsoft, and a patch is available. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.
Integer overflow or wraparound in Windows Spaceport.sys allows an unauthorized attacker to elevate privileges with a physical attack.
Local privilege escalation in the Windows MIDI Service Module on Windows 11 (versions 24H2, 25H2, and 26H1) lets an already-authenticated local user gain elevated privileges by abusing improper access control (CWE-284). Because the CVSS scope is changed (S:C), a successful attack breaks out of the service's context to compromise confidentiality, integrity, and availability of the broader system, effectively yielding SYSTEM-level control. Microsoft has released a patch; there is no public exploit identified at time of analysis and it is not listed in CISA KEV.
Exposure of sensitive information to an unauthorized actor in Windows DirectX allows an unauthorized attacker to disclose information locally.
Local privilege escalation in the Windows Audio Compression Manager (ACM) allows a low-privileged authenticated user to elevate to higher privileges (CVSS 7.8, CWE-284 improper access control). It affects a broad Windows fleet spanning Windows 10 (1607 through 22H2), Windows 11 (24H2/25H2/26H1), and Windows Server 2012 through 2025. Reported by Microsoft with a patch available; there is no public exploit identified at time of analysis and it is not listed in CISA KEV.
Local privilege escalation in Microsoft Windows Resilient File System (ReFS) allows an authenticated low-privileged user to gain elevated (SYSTEM-level) privileges by triggering a stack-based buffer overflow (CWE-121) in the ReFS driver. The flaw affects a broad range of Windows client and server releases, from Windows 10 1607 through Windows 11 26H1 and Windows Server 2016 through 2025. Microsoft has released a patch; there is no public exploit identified at time of analysis and the CVE is not listed in CISA KEV.
Local privilege escalation in Windows Runtime (WinRT) on Windows 11 (24H2, 25H2, 26H1) and Windows Server 2025 allows an authenticated local user to gain higher privileges by exploiting a use-after-free memory-corruption flaw (CWE-416). Successful exploitation yields high confidentiality, integrity, and availability impact, effectively enabling escalation to SYSTEM-level control on the host. There is no public exploit identified at time of analysis, and the flaw is not listed in CISA KEV; the elevated attack complexity (AC:H) indicates exploitation requires winning a race or meeting specific timing/heap conditions.
Local privilege escalation in the Windows AppX Deployment Service (AppXSvc) lets an already-authenticated, low-privileged user win a race condition to elevate to higher privileges across a broad range of Windows client and server builds (Windows 10 1607 through Windows 11 26H1, and Windows Server 2012 through 2025). The flaw stems from improper synchronization of a shared resource, and successful exploitation yields full confidentiality, integrity, and availability impact on the host. It is reported by Microsoft with a vendor patch available; there is no public exploit identified at time of analysis and it is not listed in CISA KEV.
Local privilege escalation in the Windows Win32K kernel-mode subsystem allows an already-authenticated low-privileged user to elevate to SYSTEM through an improper access-control flaw. The issue affects a broad range of Windows client and server releases, from Windows 10 1607 and Windows Server 2012 through Windows 11 26H1 and Windows Server 2025. Microsoft has released a patch; there is no public exploit identified at time of analysis, and the flaw is not listed in CISA KEV.
Local privilege escalation in the Windows USB Print Driver affects Windows 11 (24H2, 25H2, 26H1) and Windows Server 2025, where a race condition (improper synchronization of a shared resource) lets an already-authenticated local user win a timing window to execute code at elevated privilege. Reported by Microsoft with a patch available; no public exploit identified at time of analysis and it is not on CISA KEV. The high CVSS attack complexity (AC:H) reflects that the attacker must reliably win a narrow race, which tempers real-world exploitability.
Local privilege escalation in the Windows USB Print Driver on Windows 11 (24H2, 25H2, 26H1) and Windows Server 2025 allows an already-authenticated local user to win a timing race and elevate to SYSTEM-level privileges. The flaw is a race condition (CWE-362) reported by Microsoft; a vendor patch is available, and there is no public exploit identified at time of analysis. Exploitation is constrained by high attack complexity (winning the race window) but yields full confidentiality, integrity, and availability impact once achieved.
Use of uninitialized resource in Windows SMB allows an authorized attacker to disclose information locally.
Local privilege escalation in the Windows Spaceport.sys Storage Spaces driver lets an already-authenticated low-privileged user gain SYSTEM-level control across Windows 10, Windows 11, and Windows Server 2016 through 2025. The flaw stems from a missing authentication check on a critical driver function (CWE-306), and Microsoft has released a patch; no public exploit has been identified at time of analysis. With CVSS 7.8 (local, low-privilege) and full confidentiality, integrity, and availability impact, it is a strong candidate for chaining after an initial foothold.
Exposure of sensitive system information to an unauthorized control sphere in Windows Kernel allows an unauthorized attacker to disclose information locally.
Heap-based buffer overflow in Windows USB Video Driver allows an unauthorized attacker to elevate privileges with a physical attack.
Elevation of privilege in Microsoft Windows (Server 2012 through 2025 and Windows 10/11 clients) lets a low-privileged local user gain SYSTEM-level rights by abusing an improper access control (CWE-284) weakness. The flaw was reported by Microsoft with a patch available, and CVSS 3.1 rates it 7.8 (High) with local vector and low privileges required. No public exploit identified at time of analysis and it is not listed in CISA KEV, so this is a patch-worthy but not emergency issue absent evidence of active exploitation.
Local code execution in the Microsoft Windows NTFS file-system driver lets an attacker run arbitrary code by inducing a victim to interact with a specially crafted NTFS artifact (e.g., a malicious volume, VHD, or file). The flaw stems from an integer underflow (CWE-191) and spans a broad range of Windows client and server builds from Windows Server 2012 through Windows Server 2025 and Windows 10/11. Microsoft has released a patch; there is no public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Uncontrolled resource consumption in Windows Local Security Authority Subsystem Service (LSASS) allows an authorized attacker to deny service over a network.
Local privilege escalation in the Windows Web Proxy Auto-Discovery Protocol (WPAD) component lets an already-authenticated local user run code with SYSTEM-level rights by triggering an integer overflow (CWE-190). The flaw affects a broad range of Windows client and server builds, from Windows 10 1809 through Windows 11 26H1 and Windows Server 2019 through 2025. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the low attack complexity and high triad impact make it a meaningful patch-tier issue.
Integer overflow or wraparound in Windows Storage Spaces Direct allows an unauthorized attacker to execute code with a physical attack.
Local privilege escalation in the Microsoft Windows Kernel allows an unauthorized attacker to gain elevated (SYSTEM-level) privileges by triggering a use-after-free condition (CWE-416) in kernel memory. The flaw affects a broad range of supported Windows client and server releases, from Windows 10 1607 and Windows Server 2012 through Windows 11 26H1 and Windows Server 2025. Microsoft has released a patch; there is no public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Local code execution in the Windows NTFS driver (CVE-2026-49797) allows an attacker with local access to run arbitrary code by tricking a user into interacting with a maliciously crafted NTFS artifact, exploiting a heap-based buffer overflow (CWE-122). The flaw affects a broad range of Windows client and server releases from Windows 10 1607 and Server 2012 through Windows 11 26H1 and Server 2025. Microsoft has released a patch; no public exploit identified at time of analysis and it is not listed in CISA KEV.
Local privilege escalation in the Windows Kernel lets an already-authenticated attacker corrupt kernel memory via a use-after-free (CWE-416) and gain full control of the host. The CVSS 3.1 vector (AV:L/PR:L, scope-changed with C:H/I:H/A:H) reflects a low-privileged local user escalating to SYSTEM-level compromise across a broad range of Windows 10, Windows 11, and Windows Server builds. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but Microsoft has released a patch.
Local code execution in Windows GDI+ (the Graphics Device Interface Plus rendering component) affects a broad range of Microsoft Windows client and server releases from Windows 10 1607 through Windows 11 26H1 and Windows Server 2012 through Server 2025. An attacker who convinces a user to open or preview a specially crafted image or document triggers a heap-based buffer overflow (CWE-122) during graphics parsing, yielding arbitrary code execution in the context of the current user. The CVSS 3.1 base score is 7.8 (AV:L/AC:L/PR:N/UI:R); there is no public exploit identified at time of analysis and it is not listed in CISA KEV, but GDI+ image-parsing flaws are historically attractive to attackers.
Out-of-bounds read in Windows USB Audio Class driver (usbaudio.sys) allows an unauthorized attacker to disclose information with a physical attack.
Local privilege escalation via arbitrary code execution in Microsoft Windows Resilient File System (ReFS) affects a broad range of Windows 10, Windows 11, and Windows Server (2016-2025) builds. An authorized (low-privileged) attacker who can trigger the vulnerable heap allocation path can corrupt heap memory (CWE-122) to run code in the security context of the ReFS driver, yielding full confidentiality, integrity, and availability impact. No public exploit identified at time of analysis, and the flaw is not on the CISA KEV list.
Local code execution in Microsoft's Resilient File System (ReFS) driver allows an authorized (low-privileged) attacker to run arbitrary code with elevated context via a numeric truncation flaw. The bug affects the ReFS component shipped with Windows 10, Windows 11, and Windows Server 2016 through 2025. There is no public exploit identified at time of analysis and it is not listed in CISA KEV; note that the CVE's own tags label it 'Information Disclosure' while the description and CVSS impact (C:H/I:H/A:H) describe full code execution - the code-execution reading should be treated as authoritative.
Local privilege escalation in Microsoft Windows Routing and Remote Access Service (RRAS) allows an already-authenticated low-privileged user to abuse a link-following (symlink/junction) flaw to gain higher privileges on the host. The bug affects a broad range of client and server SKUs from Windows Server 2012 through Windows Server 2025 and Windows 10 1607 through Windows 11 26H1, and Microsoft has shipped a fix. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.
Elevation of privilege in the Windows Universal Disk Format File System driver (UDFS.sys) lets a low-privileged local user gain elevated (kernel/SYSTEM) rights after the victim mounts or opens a maliciously crafted UDF volume. The flaw stems from an integer arithmetic error (CWE-191) in the driver that parses UDF-formatted media such as ISO images, optical discs, and virtual disk files, and affects a broad range of Windows client and server releases from Windows Server 2012 and Windows 10 1607 through Windows 11 26H1 and Windows Server 2025. Microsoft reported the issue and has shipped a patch; there is no public exploit identified at time of analysis and the CVE is not listed in CISA KEV.
Local privilege escalation in the Microsoft Windows NTFS driver allows an already-authenticated, low-privileged user to gain elevated (likely SYSTEM) privileges by triggering a stack-based buffer overflow, contingent on user interaction. The flaw spans a broad range of supported Windows client and server releases, from Windows 10 1607 and Server 2012 through Windows 11 26H1 and Server 2025. Microsoft has issued a patch and reported the issue itself; there is no public exploit identified at time of analysis and the CVE is not listed in CISA KEV.
Denial of service in Microsoft Windows HTTP.sys allows remote unauthenticated attackers to exhaust system resources and make affected hosts unresponsive over the network. The flaw stems from missing resource limits/throttling (CWE-770) in the kernel-mode HTTP protocol stack, affecting a broad range of Windows client and server releases from Windows 10 1607 through Windows 11 26H1 and Windows Server 2016 through 2025. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV; a vendor patch is available via MSRC.
Security feature bypass in Windows Secure Boot (CWE-358) allows a locally authenticated attacker on affected Windows 10, Windows 11, and Windows Server (2016 through 2025) systems to defeat the boot-integrity trust chain due to an improperly implemented standard security check. Because Secure Boot is the gate that blocks unsigned/tampered bootloaders and rootkits, a successful bypass can enable pre-OS persistence and undermine downstream protections such as BitLocker and Measured Boot. There is no public exploit identified at time of analysis and the CVE is not listed in CISA KEV; Microsoft has published a patch via its update guide.
Local privilege escalation in the Windows Clipboard Server (Windows 10 1809 through Windows 11 26H1 and Windows Server 2019 through 2025) allows an already-authenticated low-privileged user to win a race condition and gain higher privileges on the host. Microsoft credits its own researchers and has shipped a fix; there is no public exploit identified at time of analysis and the CVSS base score is 7.0 (High). The high attack complexity reflects the timing precision needed to exploit the race, which meaningfully limits reliable weaponization.
Local code execution in Microsoft Windows NTFS (New Technology File System) stems from a heap-based buffer overflow (CWE-122) that lets a local attacker run arbitrary code with high confidentiality, integrity, and availability impact. The flaw affects a broad range of Windows client and server builds - from Windows 10 1607 and Server 2012 through Windows 11 26H1 and Server 2025 - and Microsoft has released a patch. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but NTFS's role as the default Windows filesystem makes the exposed surface extremely wide.
Information disclosure (and vendor-labeled privilege elevation) in the Windows DHCP Client affects Windows 10 (1607/1809), Windows Server 2012 through 2025, and their Server Core installations via an integer underflow (CWE-191) reachable over the network. A remote attacker positioned to answer DHCP traffic can craft malformed responses that wrap a length/counter calculation, with a CVSS 3.1 base of 7.5 (confidentiality impact only per the published vector). No public exploit is identified at time of analysis and it is not listed in CISA KEV, but Microsoft ships a patch.
Local privilege escalation in Microsoft Surface devices (Go, Hub, Laptop Go/Go 3, Pro/Pro 8, Laptop 4 AMD/Intel, Windows Dev Kit) allows an authenticated low-privileged user to gain higher privileges through insufficiently granular access control (CWE-1220) in the device firmware/platform layer. The flaw carries a CVSS 7.8 (High) with full confidentiality, integrity, and availability impact once exploited, but requires prior local access. No public exploit identified at time of analysis, and it is not listed in CISA KEV; Microsoft has released a fix via MSRC.
Remote code execution in the Microsoft Windows DHCP Server role allows an authenticated network attacker (PR:L) to trigger a heap-based buffer overflow and run arbitrary code on the server. The flaw affects DHCP Server across Windows Server 2012 through Server 2025 (including Server Core installations) and carries a CVSS 8.8 with full confidentiality, integrity, and availability impact. Reported by Microsoft with a vendor patch available; no public exploit identified at time of analysis.
Privilege escalation in Microsoft's Azure Monitor Agent (specifically the Metrics Extension) lets an unauthenticated attacker on an adjacent network gain elevated privileges by exploiting improper TLS certificate validation (CWE-295). Because the agent fails to properly verify the certificate of the endpoint it communicates with, an attacker positioned on the same broadcast/logical network segment can impersonate a trusted server and hijack the agent's privileged context, yielding high confidentiality, integrity, and availability impact. Microsoft rates it CVSS 8.8; there is currently no public exploit identified at time of analysis and it is not listed in CISA KEV.
Local privilege escalation in the Windows Push Notifications component (WPN) affects Windows 11 (23H2, 24H2, 25H2, 26H1) and Windows Server 2025 including Server Core, where a race condition (CWE-362) lets an authorized local user win a timing window on a shared resource to run code at a higher privilege level. Microsoft reported the issue and has released a patch; there is no public exploit identified at time of analysis and it is not listed in CISA KEV. Note a signal conflict: the description and CVSS impact frame this as privilege elevation, while the vendor tags also list 'Information Disclosure' - the primary impact should be treated as EoP pending vendor clarification.
Denial of service in the Windows Local Security Authority Subsystem Service (LSASS) allows a remote, unauthenticated attacker to crash the service and disrupt authentication across all supported Windows client and server releases from Windows 10 1607 through Windows 11 26H1 and Windows Server 2012 through Server 2025. The flaw stems from an excessive-size memory allocation (CWE-789) triggerable over the network with no privileges or user interaction, and while a vendor patch is available, there is no public exploit identified at time of analysis and it is not listed in CISA KEV. Impact is limited to availability (A:H) with no confidentiality or integrity loss, but LSASS failure can force system instability or reboots, affecting domain authentication and logon.
Denial of service in Windows Cryptographic Services affects a broad sweep of supported Microsoft platforms, from Windows 10 (1607) and Server 2012 through Windows 11 26H1 and Server 2025. A memory-leak flaw (CWE-401) lets a remote, unauthenticated attacker send network traffic that fails to release memory over time, degrading or exhausting the affected service until availability is impacted. There is no public exploit identified at time of analysis, exploitation is not yet observed (SSVC: none), and EPSS is low (0.78%), but a vendor patch is available and Automatable is 'yes', warranting prompt patching.
Windows Event Logging Service across a wide range of Windows 10, Windows 11, and Windows Server versions fails to enforce its intended protection mechanisms, permitting any authenticated low-privileged network user to read information that should be access-controlled. The CVSS vector (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N) confirms exploitation requires only a valid low-privilege account and network connectivity, with no user interaction and no elevated rights - making it a practical post-compromise lateral-movement or reconnaissance tool. No public exploit code has been identified and this CVE is not listed in CISA KEV at time of analysis, but the ubiquitous deployment footprint across the Windows ecosystem elevates organizational exposure.
Remote code execution in Windows PowerShell allows an authenticated attacker with low privileges to run arbitrary code across a network by exploiting a relative path traversal (CWE-23) flaw, provided a victim is induced to interact (UI:R). Affecting supported Windows 10/11 clients and Windows Server 2012 through 2025, the issue carries a CVSS 8.0 with full confidentiality, integrity, and availability impact, and a vendor patch is available via MSRC. There is no public exploit identified at time of analysis, and the CVE is not listed in CISA KEV.
Exposure of sensitive information to an unauthorized actor in Windows File Explorer allows an authorized attacker to disclose information locally.
Use of uninitialized resource in Windows File Explorer allows an authorized attacker to disclose information locally.
Windows Audio Service on multiple Windows desktop and server versions improperly exposes sensitive information to locally authenticated standard users, enabling information disclosure without requiring elevated privileges. Affecting Windows 10 1809 through Windows 11 26H1 and Windows Server 2019 (with Server 2022 and 2025 referenced in tags), the flaw is exploitable post-foothold by any low-privileged local account, making it a realistic post-exploitation pivot rather than an initial access vector. No public exploit code has been identified at time of analysis, and a vendor-released patch is confirmed available via the Microsoft Security Response Center.
Exposure of sensitive information to an unauthorized actor in Windows File Explorer allows an authorized attacker to disclose information locally.
Denial of service in Microsoft Azure Active Directory (Entra ID) allows a remote unauthenticated attacker to send network traffic that drives affected processing into an infinite loop (CWE-835), exhausting resources and disrupting availability of the identity service. The flaw carries CVSS 7.5 with a high-availability impact, no confidentiality or integrity effect, and no public exploit identified at time of analysis. Microsoft has released a fix, which for this cloud-hosted service is applied server-side by the vendor.
Denial of service in Microsoft Azure Active Directory (now Entra ID) allows a remote, unauthenticated attacker to disrupt service availability by sending crafted serialized data that triggers unsafe deserialization (CWE-502). The flaw carries a CVSS 7.5 (High) with a fully network-reachable, no-privilege, no-interaction vector, but impact is confined to availability - confidentiality and integrity are not affected. Microsoft has released a fix via MSRC; there is no public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Remote code execution in Microsoft SharePoint (Enterprise Server 2016, Server 2019, and Server Subscription Edition) allows an unauthenticated network attacker to run arbitrary code on the server by submitting maliciously crafted serialized data (CWE-502). The CVSS 3.1 base score is 9.8 with a fully remote, no-interaction, no-privilege vector (AV:N/AC:L/PR:N/UI:N), placing it among the most severe SharePoint flaws. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but insecure-deserialization RCE in SharePoint has historically been a high-value target for rapid weaponization.
Local privilege escalation via a heap-based buffer overflow in the Windows NTFS driver allows an authenticated attacker with low privileges to execute arbitrary code and gain full SYSTEM-level control. It affects a broad range of Windows client and server releases, from Windows 10 1607 and Windows Server 2012 through Windows 11 26H1 and Windows Server 2025. No public exploit identified at time of analysis, and SSVC records no observed exploitation; EPSS is low at 0.29% (21st percentile).
Local privilege escalation in Microsoft Windows Narrator (the built-in screen reader) arises from improper neutralization of special elements in its Braille support component, allowing an already-authenticated local attacker (PR:L) to inject and execute OS commands that run with elevated privileges. All supported Windows client and server builds from Windows 10 1809 through Windows 11 26H1 and Windows Server 2019-2025 are affected, and Microsoft has released a patch. There is no public exploit identified at time of analysis and the CVE is not in CISA KEV, so exploitation is not confirmed as active.
Local privilege-to-code-execution in Microsoft Windows Admin Center lets an already-authenticated, lower-privileged user abuse an improper authorization check (CWE-285) to run arbitrary code on the host where the management tool is installed. Rated CVSS 7.8 with high confidentiality, integrity, and availability impact, it requires local access and existing low-level privileges rather than remote unauthenticated reach. No public exploit identified at time of analysis, and it is not listed in CISA KEV, but Microsoft has released a fix via the MSRC update guide.
Local arbitrary code execution in Microsoft Excel arises from a heap-based buffer overflow (CWE-122) triggered when a user opens a maliciously crafted spreadsheet; successful exploitation runs attacker code in the context of the current user across desktop Office builds (Excel 2016, Office 2019, LTSC 2021/2024, Microsoft 365 Apps) on both Windows and Mac, as well as Office Online Server. The flaw carries CVSS 7.8 with high confidentiality, integrity, and availability impact but requires user interaction (opening the file). No public exploit identified at time of analysis, and it is not listed in CISA KEV; a vendor patch is available from Microsoft.
Out-of-bounds read in Windows Kernel allows an authorized attacker to bypass a security feature locally.
Local code execution in Microsoft Windows Media Foundation lets an attacker run arbitrary code in the context of the victim after luring them to open a maliciously crafted media file. The flaw (CVE-2026-58610, CWE-122 heap-based buffer overflow) affects a broad range of Windows client and server releases from Windows 10 1607 through Windows 11 26H1 and Windows Server 2016 through 2025. CVSS is 7.8 (AV:L/AC:L/PR:N/UI:R) with full confidentiality, integrity, and availability impact; there is no public exploit identified at time of analysis and it is not on CISA KEV.