Windows 10 Version 22H2
Monthly
Exposure of sensitive information to an unauthorized actor in Windows Push Notifications allows an authorized attacker to disclose information locally.
Exposure of sensitive information to an unauthorized actor in Windows Push Notifications allows an authorized attacker to disclose information locally.
Local privilege escalation in the Windows Internal System User Profile component allows an already-authenticated attacker to gain elevated (SYSTEM-level) privileges by triggering a use-after-free memory corruption condition (CWE-416). The flaw affects Windows 10 (21H2/22H2), Windows 11 (24H2/25H2/26H1), and Windows Server 2025 including Server Core. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the CVSS 7.8 rating and full high impact on confidentiality, integrity, and availability make it a meaningful patch-cycle priority.
Local privilege escalation in the Microsoft Windows USB Driver (kernel-mode) lets an already-authenticated low-privileged user win a race condition (CWE-362) to elevate to SYSTEM. The flaw spans a broad Windows fleet from Windows 10 1607 through Windows 11 26H1 and Windows Server 2012 through Server 2025. No public exploit identified at time of analysis, and it is not listed in CISA KEV; a vendor patch is available from Microsoft.
Local code execution in Microsoft Windows arises from a heap-based buffer overflow in a Windows Data DLL, letting an attacker who can get a victim to open crafted content run arbitrary code with the victim's privileges. Affected builds span Windows 10 (1607 through 22H2), Windows 11 (24H2, 25H2, 26H1), and Windows Server 2012 through 2025. Microsoft (the reporter) has released a patch; there is no public exploit identified at time of analysis and it is not listed in CISA KEV.
Local privilege escalation in the Microsoft Install Service (Windows Installer) affects supported Windows 10, Windows 11, and Windows Server 2019-2025 builds, letting an already-authenticated local user with limited rights (PR:L) elevate to SYSTEM. The flaw stems from improper privilege management (CWE-269) in how the service handles operations, yielding full confidentiality, integrity, and availability impact. Microsoft has released a patch; there is no public exploit identified at time of analysis and the CVE is not listed in CISA KEV.
Local privilege escalation in the Windows Application Model (the subsystem underlying UWP/packaged app lifecycle and activation) lets an authorized attacker with an existing low-privileged foothold gain SYSTEM-level control by triggering a use-after-free memory-corruption condition. All supported Windows client and server builds from Windows 10 1607 through Windows 11 26H1 and Windows Server 2016 through Server 2025 are affected. This is a Microsoft-reported flaw with a vendor patch available; there is no public exploit identified at time of analysis and it is not on CISA KEV.
Local privilege escalation in the Microsoft Windows Resilient File System (ReFS) driver allows an authenticated attacker to run code with SYSTEM-level privileges by triggering a heap-based buffer overflow. The flaw (CVSS 7.8) affects a broad range of Windows 10, Windows 11, and Windows Server 2016-2025 builds and carries high confidentiality, integrity, and availability impact. It is a Microsoft-reported issue with a vendor patch available, and there is no public exploit identified at time of analysis.
Buffer over-read in Windows NTFS allows an authorized attacker to disclose information locally.
Remote code execution in Microsoft Windows GDI+ (gdiplus) lets an unauthenticated network attacker run arbitrary code when a victim opens or renders a specially crafted image, via a heap-based buffer overflow (CWE-122). The flaw affects a broad range of supported Windows client and server builds (Windows 10 1607 through Windows 11 26H1, and Windows Server 2012 through 2025). It carries a critical CVSS 9.6 with a scope-changed impact, but requires user interaction and currently has no public exploit identified at time of analysis.
Local code execution in Microsoft Windows NTFS driver (heap-based buffer overflow, CWE-122) allows an attacker to run arbitrary code with the privileges of the exploited context. The flaw affects a broad range of Windows client and server releases from Windows 10 1607 through Windows 11 26H1 and Windows Server 2012 through Server 2025. CVSS 7.8 with high confidentiality, integrity, and availability impact; exploitation requires local access and user interaction, and there is no public exploit identified at time of analysis.
Local privilege escalation in the Windows Unified Consent System (UCS) lets an already-authenticated attacker exploit a use-after-free memory-corruption flaw (CWE-416) to gain higher privileges, potentially up to SYSTEM. It affects a broad range of current Windows client and server builds including Windows 10 21H2/22H2, Windows 11 24H2/25H2/26H1, and Windows Server 2025. Reported by Microsoft with a CVSS 3.1 base score of 7.8; there is no public exploit identified at time of analysis and it is not listed in CISA KEV.
Local privilege escalation in Microsoft Windows TCP/IP stack allows an authenticated attacker to elevate to SYSTEM by exploiting a use-after-free (CWE-416) memory corruption flaw. Affected builds span Windows 10 (1809, 21H2, 22H2), Windows 11 (24H2, 25H2, 26H1), and Windows Server 2019/2022/2025 including Server Core. No public exploit identified at time of analysis; Microsoft has released a patch, and the CVSS 7.0 score reflects high attack complexity (likely a race condition) that raises the exploitation bar.
Exposure of sensitive information to an unauthorized actor in Windows Kernel allows an authorized attacker to disclose information locally.
Local code execution in Microsoft Windows NTFS arises from a heap-based buffer overflow (CWE-122) that an authorized, low-privileged local user can trigger to run arbitrary code and elevate to SYSTEM. The flaw spans a broad Windows footprint from Windows 10 1607 through Windows 11 26H1 and Windows Server 2012 through Server 2025. No public exploit identified at time of analysis, and the CVSS 3.1 base score is 7.8 (High).
Local privilege escalation in Windows App Installer (the MSIX/AppX package deployment component, msixbundle/App Installer) lets an already-authenticated low-privileged user overflow a stack buffer to gain higher privileges on affected Windows 10, Windows 11, and Windows Server builds. Microsoft self-reported the flaw and has shipped a patch; there is no public exploit identified at time of analysis and it is not listed in CISA KEV. The CVSS 7.8 (AV:L/PR:L) rating reflects a locally-launched attack with high confidentiality, integrity, and availability impact.
Local code execution in the Windows NTFS file system driver lets an unauthorized attacker run arbitrary code by tricking a user into interacting with specially crafted content, per Microsoft's MSRC advisory. The flaw is a heap-based buffer overflow (CWE-122) affecting a broad range of Windows releases from Windows 10 1607 through Windows 11 26H1 and Windows Server 2012 through Server 2025. No public exploit is identified at time of analysis and it is not listed in CISA KEV, but the low attack complexity and full-CIA impact make it a meaningful local code-execution risk.
Local privilege escalation in the Windows Notification component lets an already-authenticated low-privileged user elevate to higher privileges (SYSTEM) across a broad range of Windows 10, Windows 11, and Windows Server releases. The flaw stems from an incorrect type conversion/cast (CWE-704) and carries a CVSS 7.8 (AV:L/AC:L/PR:L/UI:N) with high confidentiality, integrity, and availability impact. Microsoft has released a patch; there is no public exploit identified at time of analysis and the CVE is not listed in CISA KEV.
Local privilege escalation in the Windows NTFS file-system driver allows an authenticated attacker to run code with elevated (SYSTEM-level) privileges by triggering a stack-based buffer overflow (CWE-121). The flaw was reported by Microsoft and affects a broad range of Windows client and server releases from Windows 10 1607 through Windows 11 26H1 and Windows Server 2012 through Server 2025. No public exploit identified at time of analysis, and it is not listed in CISA KEV; the CVSS 3.1 base score is 7.8 (High).
Privilege escalation in Microsoft Windows SMB Server allows an already-authenticated network attacker to elevate to higher privileges by abusing a flawed authentication algorithm, yielding high confidentiality, integrity, and availability impact. The flaw affects Windows 10 (21H2/22H2), Windows 11 (24H2/25H2/26H1), and Windows Server 2022/2025 including Server Core. Reported by Microsoft with a patch available; no public exploit identified at time of analysis.
Local privilege elevation in the Microsoft Windows TCP/IP networking stack lets an already-authenticated, low-privileged user corrupt kernel memory via a use-after-free (CWE-416) and gain SYSTEM-level control. The flaw affects a broad range of client and server SKUs from Windows 10 1607 through Windows 11 26H1 and Windows Server 2012 through Server 2025, including Server Core installations. Microsoft reported the issue and has released a patch; there is no public exploit identified at time of analysis and the CVE is not listed in CISA KEV.
Local privilege escalation in the Windows Push Notifications component (WNS/WpnService) lets an already-authenticated low-privileged user overwrite adjacent heap memory to gain SYSTEM-level control across Windows 10 (1607-22H2), Windows 11 (24H2-26H1), and Windows Server 2012 R2 through 2025. Microsoft reported the flaw and has shipped a fix; there is no public exploit identified at time of analysis and it is not listed in CISA KEV. The high CVSS 7.8 reflects full confidentiality, integrity, and availability impact once triggered, but exploitation requires prior local access.
Local privilege escalation in the Microsoft Windows Kernel allows an already-authenticated attacker to gain SYSTEM-level control by exploiting a use-after-free (CWE-416) memory corruption condition. The flaw affects a broad range of supported Windows client and server releases (Windows 10 1809 through Windows 11 26H1, and Windows Server 2019 through 2025) and, per the CVSS 7.8 vector, yields full confidentiality, integrity, and availability impact. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV; Microsoft has released a patch.
Local privilege escalation in the Windows Redirected Drive Buffering Subsystem (RDBSS) lets an authenticated low-privileged attacker read memory beyond an allocated buffer to elevate to higher privileges. The flaw affects a broad range of currently-supported Windows client and server releases (Windows 10 1607 through Windows 11 26H1, Windows Server 2012 through Server 2025) and carries a CVSS 7.0 (High) rating. Microsoft has released a patch; there is no public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Local privilege escalation in the Windows Kernel lets a low-privileged, authenticated attacker gain SYSTEM-level control by triggering a heap-based buffer overflow (CWE-122). The flaw spans a broad platform range from Windows 10 1607 through Windows 11 26H1 and Windows Server 2012 through Server 2025, and was reported internally by Microsoft. No public exploit is identified at time of analysis and it is not in CISA KEV, but the ubiquity of the affected component plus full high impact on confidentiality, integrity, and availability make it a meaningful patch priority.
Improper certificate validation in Windows Cryptographic Services allows an unauthorized attacker to bypass a security feature over a network.
Local privilege escalation in Windows Server Backup (WBADMIN component shipped with Windows 10 21H2/22H2 and Windows 11 24H2/25H2/26H1) lets an authorized, low-privileged user abuse a symbolic-link/junction race so that a backup operation acts on an attacker-chosen path, yielding SYSTEM-level access. Microsoft has released a patch and reported the flaw itself; there is no public exploit identified at time of analysis and it is not listed in CISA KEV. Successful exploitation requires local access plus user interaction, which lowers the realistic threat relative to the 7.3 base score.
Use of a cryptographic primitive with a risky implementation in Windows Key Guard allows an authorized attacker to bypass a security feature locally.
Integer underflow in the Windows Kernel enables a locally authenticated attacker to disclose sensitive kernel memory contents across a broad range of Windows 10, Windows 11, and Windows Server platforms. The CVSS vector (AV:L/AC:L/PR:L/UI:N) confirms that any low-privilege local user can trigger the flaw without special configuration or user interaction, yielding high confidentiality impact with no integrity or availability consequences. Microsoft has released a patch via the July 2026 Security Update Guide; no public exploit has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog.
Access of resource using incompatible type ('type confusion') in Composite Image File System Driver allows an authorized attacker to disclose information locally.
Exposure of sensitive information to an unauthorized actor in Windows Trusted Runtime Interface Driver allows an authorized attacker to disclose information locally.
Local privilege escalation in the Windows Clip Service (clipboard/cloud clipboard component, cbdhsvc) affects a broad range of Windows 10, Windows 11, and Windows Server 2019-2025 builds, where a race condition in concurrent access to a shared resource lets an already-authenticated local attacker win a timing window to gain higher privileges. Reported by Microsoft with a patch available; there is no public exploit identified at time of analysis and it is not listed in CISA KEV. Note a source conflict: the description and CWE describe privilege elevation with high confidentiality/integrity/availability impact, while the intelligence tags label it 'Information Disclosure' - treat the primary impact as local EoP per the CVSS vector.
Local privilege escalation in the Microsoft Windows App Store (AppX/package deployment component) allows an authorized, low-privileged user to win a race condition and gain higher privileges on affected Windows client and server builds spanning Windows 10 1607 through Windows 11 26H1 and Windows Server 2016 through 2025. Exploitation requires local access and already-held low privileges, and the high attack complexity reflects the timing precision needed to win the race. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but Microsoft has released a patch.
Privilege escalation in the Windows Win32K kernel-mode subsystem lets an already-authenticated local user gain SYSTEM-level control across a broad range of Windows client and server releases (Windows 10 1607 through Windows 11 26H1, and Windows Server 2012 through Server 2025). Rooted in improper access control (CWE-284), successful exploitation yields full confidentiality, integrity, and availability impact on the host. There is no public exploit identified at time of analysis and the CVSS vector's high attack complexity (AC:H) tempers the practical risk.
Local privilege escalation in the Windows Win32K kernel-mode subsystem allows an already-authenticated, low-privileged user to elevate to SYSTEM through improper access control (CWE-284). Affected builds span Windows 10 (1607 through 22H2), Windows 11 (24H2/25H2/26H1), and Windows Server 2012 through 2025. No public exploit identified at time of analysis, and it is not listed in CISA KEV; Microsoft has released a patch.
Local privilege escalation in the Microsoft Windows Graphics Kernel component allows a low-privileged local user to elevate to SYSTEM by exploiting a use-after-free (CWE-416) memory corruption condition. The flaw affects a broad range of Windows 10, Windows 11, and Windows Server releases, was reported by Microsoft, and has a vendor-released patch available. No public exploit is identified at time of analysis and it is not listed in CISA KEV; the high attack complexity (AC:H) makes reliable exploitation non-trivial.
Local privilege escalation in the Windows Kernel lets an already-authenticated, low-privileged user corrupt kernel memory via a use-after-free (CWE-416) and gain higher privileges on the host. The flaw affects a broad range of currently-supported Windows client and server releases (Windows 10 1607 through Windows 11 26H1, and Windows Server 2016 through 2025); Microsoft has shipped a fix. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Insertion of sensitive information into log file in Windows Kernel allows an authorized attacker to disclose information locally.
Local privilege escalation in the Windows taskbar (Internal Task Bar component) allows an authenticated attacker to elevate to higher privileges by exploiting a use-after-free memory corruption flaw. The issue affects a broad range of current Windows client and server builds (Windows 10 21H2/22H2, Windows 11 24H2/25H2/26H1, and Windows Server 2025), was reported by Microsoft itself, and is fixed via a vendor patch. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.
Integer overflow or wraparound in Windows Spaceport.sys allows an unauthorized attacker to elevate privileges with a physical attack.
Exposure of sensitive information to an unauthorized actor in Windows DirectX allows an unauthorized attacker to disclose information locally.
Local privilege escalation in the Windows Audio Compression Manager (ACM) allows a low-privileged authenticated user to elevate to higher privileges (CVSS 7.8, CWE-284 improper access control). It affects a broad Windows fleet spanning Windows 10 (1607 through 22H2), Windows 11 (24H2/25H2/26H1), and Windows Server 2012 through 2025. Reported by Microsoft with a patch available; there is no public exploit identified at time of analysis and it is not listed in CISA KEV.
Local privilege escalation in Microsoft Windows Resilient File System (ReFS) allows an authenticated low-privileged user to gain elevated (SYSTEM-level) privileges by triggering a stack-based buffer overflow (CWE-121) in the ReFS driver. The flaw affects a broad range of Windows client and server releases, from Windows 10 1607 through Windows 11 26H1 and Windows Server 2016 through 2025. Microsoft has released a patch; there is no public exploit identified at time of analysis and the CVE is not listed in CISA KEV.
Local privilege escalation in the Windows AppX Deployment Service (AppXSvc) lets an already-authenticated, low-privileged user win a race condition to elevate to higher privileges across a broad range of Windows client and server builds (Windows 10 1607 through Windows 11 26H1, and Windows Server 2012 through 2025). The flaw stems from improper synchronization of a shared resource, and successful exploitation yields full confidentiality, integrity, and availability impact on the host. It is reported by Microsoft with a vendor patch available; there is no public exploit identified at time of analysis and it is not listed in CISA KEV.
Local privilege escalation in the Windows Win32K kernel-mode subsystem allows an already-authenticated low-privileged user to elevate to SYSTEM through an improper access-control flaw. The issue affects a broad range of Windows client and server releases, from Windows 10 1607 and Windows Server 2012 through Windows 11 26H1 and Windows Server 2025. Microsoft has released a patch; there is no public exploit identified at time of analysis, and the flaw is not listed in CISA KEV.
Use of uninitialized resource in Windows SMB allows an authorized attacker to disclose information locally.
Local privilege escalation in the Windows Spaceport.sys Storage Spaces driver lets an already-authenticated low-privileged user gain SYSTEM-level control across Windows 10, Windows 11, and Windows Server 2016 through 2025. The flaw stems from a missing authentication check on a critical driver function (CWE-306), and Microsoft has released a patch; no public exploit has been identified at time of analysis. With CVSS 7.8 (local, low-privilege) and full confidentiality, integrity, and availability impact, it is a strong candidate for chaining after an initial foothold.
Exposure of sensitive system information to an unauthorized control sphere in Windows Kernel allows an unauthorized attacker to disclose information locally.
Heap-based buffer overflow in Windows USB Video Driver allows an unauthorized attacker to elevate privileges with a physical attack.
Elevation of privilege in Microsoft Windows (Server 2012 through 2025 and Windows 10/11 clients) lets a low-privileged local user gain SYSTEM-level rights by abusing an improper access control (CWE-284) weakness. The flaw was reported by Microsoft with a patch available, and CVSS 3.1 rates it 7.8 (High) with local vector and low privileges required. No public exploit identified at time of analysis and it is not listed in CISA KEV, so this is a patch-worthy but not emergency issue absent evidence of active exploitation.
Local code execution in the Microsoft Windows NTFS file-system driver lets an attacker run arbitrary code by inducing a victim to interact with a specially crafted NTFS artifact (e.g., a malicious volume, VHD, or file). The flaw stems from an integer underflow (CWE-191) and spans a broad range of Windows client and server builds from Windows Server 2012 through Windows Server 2025 and Windows 10/11. Microsoft has released a patch; there is no public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Uncontrolled resource consumption in Windows Local Security Authority Subsystem Service (LSASS) allows an authorized attacker to deny service over a network.
Local privilege escalation in the Windows Web Proxy Auto-Discovery Protocol (WPAD) component lets an already-authenticated local user run code with SYSTEM-level rights by triggering an integer overflow (CWE-190). The flaw affects a broad range of Windows client and server builds, from Windows 10 1809 through Windows 11 26H1 and Windows Server 2019 through 2025. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the low attack complexity and high triad impact make it a meaningful patch-tier issue.
Integer overflow or wraparound in Windows Storage Spaces Direct allows an unauthorized attacker to execute code with a physical attack.
Local privilege escalation in the Microsoft Windows Kernel allows an unauthorized attacker to gain elevated (SYSTEM-level) privileges by triggering a use-after-free condition (CWE-416) in kernel memory. The flaw affects a broad range of supported Windows client and server releases, from Windows 10 1607 and Windows Server 2012 through Windows 11 26H1 and Windows Server 2025. Microsoft has released a patch; there is no public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Local code execution in the Windows NTFS driver (CVE-2026-49797) allows an attacker with local access to run arbitrary code by tricking a user into interacting with a maliciously crafted NTFS artifact, exploiting a heap-based buffer overflow (CWE-122). The flaw affects a broad range of Windows client and server releases from Windows 10 1607 and Server 2012 through Windows 11 26H1 and Server 2025. Microsoft has released a patch; no public exploit identified at time of analysis and it is not listed in CISA KEV.
Local privilege escalation in the Windows Kernel lets an already-authenticated attacker corrupt kernel memory via a use-after-free (CWE-416) and gain full control of the host. The CVSS 3.1 vector (AV:L/PR:L, scope-changed with C:H/I:H/A:H) reflects a low-privileged local user escalating to SYSTEM-level compromise across a broad range of Windows 10, Windows 11, and Windows Server builds. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but Microsoft has released a patch.
Local code execution in Windows GDI+ (the Graphics Device Interface Plus rendering component) affects a broad range of Microsoft Windows client and server releases from Windows 10 1607 through Windows 11 26H1 and Windows Server 2012 through Server 2025. An attacker who convinces a user to open or preview a specially crafted image or document triggers a heap-based buffer overflow (CWE-122) during graphics parsing, yielding arbitrary code execution in the context of the current user. The CVSS 3.1 base score is 7.8 (AV:L/AC:L/PR:N/UI:R); there is no public exploit identified at time of analysis and it is not listed in CISA KEV, but GDI+ image-parsing flaws are historically attractive to attackers.
Out-of-bounds read in Windows USB Audio Class driver (usbaudio.sys) allows an unauthorized attacker to disclose information with a physical attack.
Local privilege escalation via arbitrary code execution in Microsoft Windows Resilient File System (ReFS) affects a broad range of Windows 10, Windows 11, and Windows Server (2016-2025) builds. An authorized (low-privileged) attacker who can trigger the vulnerable heap allocation path can corrupt heap memory (CWE-122) to run code in the security context of the ReFS driver, yielding full confidentiality, integrity, and availability impact. No public exploit identified at time of analysis, and the flaw is not on the CISA KEV list.
Local code execution in Microsoft's Resilient File System (ReFS) driver allows an authorized (low-privileged) attacker to run arbitrary code with elevated context via a numeric truncation flaw. The bug affects the ReFS component shipped with Windows 10, Windows 11, and Windows Server 2016 through 2025. There is no public exploit identified at time of analysis and it is not listed in CISA KEV; note that the CVE's own tags label it 'Information Disclosure' while the description and CVSS impact (C:H/I:H/A:H) describe full code execution - the code-execution reading should be treated as authoritative.
Local privilege escalation in Microsoft Windows Routing and Remote Access Service (RRAS) allows an already-authenticated low-privileged user to abuse a link-following (symlink/junction) flaw to gain higher privileges on the host. The bug affects a broad range of client and server SKUs from Windows Server 2012 through Windows Server 2025 and Windows 10 1607 through Windows 11 26H1, and Microsoft has shipped a fix. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.
Elevation of privilege in the Windows Universal Disk Format File System driver (UDFS.sys) lets a low-privileged local user gain elevated (kernel/SYSTEM) rights after the victim mounts or opens a maliciously crafted UDF volume. The flaw stems from an integer arithmetic error (CWE-191) in the driver that parses UDF-formatted media such as ISO images, optical discs, and virtual disk files, and affects a broad range of Windows client and server releases from Windows Server 2012 and Windows 10 1607 through Windows 11 26H1 and Windows Server 2025. Microsoft reported the issue and has shipped a patch; there is no public exploit identified at time of analysis and the CVE is not listed in CISA KEV.
Local privilege escalation in the Microsoft Windows NTFS driver allows an already-authenticated, low-privileged user to gain elevated (likely SYSTEM) privileges by triggering a stack-based buffer overflow, contingent on user interaction. The flaw spans a broad range of supported Windows client and server releases, from Windows 10 1607 and Server 2012 through Windows 11 26H1 and Server 2025. Microsoft has issued a patch and reported the issue itself; there is no public exploit identified at time of analysis and the CVE is not listed in CISA KEV.
Denial of service in the Windows HTTP/2 network stack allows a remote, unauthenticated attacker to exhaust server resources and render affected services unavailable across a broad range of Windows client and server releases (Windows 10/11 and Windows Server 2016 through 2025). Reported by Microsoft with a vendor patch available; there is no public exploit identified at time of analysis and it is not listed in CISA KEV. The 7.5 CVSS reflects high availability impact with no confidentiality or integrity loss.
Denial of service in Microsoft Windows HTTP.sys allows remote unauthenticated attackers to exhaust system resources and make affected hosts unresponsive over the network. The flaw stems from missing resource limits/throttling (CWE-770) in the kernel-mode HTTP protocol stack, affecting a broad range of Windows client and server releases from Windows 10 1607 through Windows 11 26H1 and Windows Server 2016 through 2025. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV; a vendor patch is available via MSRC.
Security feature bypass in Windows Secure Boot (CWE-358) allows a locally authenticated attacker on affected Windows 10, Windows 11, and Windows Server (2016 through 2025) systems to defeat the boot-integrity trust chain due to an improperly implemented standard security check. Because Secure Boot is the gate that blocks unsigned/tampered bootloaders and rootkits, a successful bypass can enable pre-OS persistence and undermine downstream protections such as BitLocker and Measured Boot. There is no public exploit identified at time of analysis and the CVE is not listed in CISA KEV; Microsoft has published a patch via its update guide.
Local privilege escalation in the Windows Clipboard Server (Windows 10 1809 through Windows 11 26H1 and Windows Server 2019 through 2025) allows an already-authenticated low-privileged user to win a race condition and gain higher privileges on the host. Microsoft credits its own researchers and has shipped a fix; there is no public exploit identified at time of analysis and the CVSS base score is 7.0 (High). The high attack complexity reflects the timing precision needed to exploit the race, which meaningfully limits reliable weaponization.
Local code execution in Microsoft Windows NTFS (New Technology File System) stems from a heap-based buffer overflow (CWE-122) that lets a local attacker run arbitrary code with high confidentiality, integrity, and availability impact. The flaw affects a broad range of Windows client and server builds - from Windows 10 1607 and Server 2012 through Windows 11 26H1 and Server 2025 - and Microsoft has released a patch. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but NTFS's role as the default Windows filesystem makes the exposed surface extremely wide.
Improper link resolution before file access ('link following') in Universal Plug and Play (upnp.dll) allows an authorized attacker to disclose information locally.
Remote code execution in Microsoft Active Directory Domain Services (AD DS) allows an authenticated network attacker to run arbitrary code on domain controllers by triggering a heap-based buffer overflow (CWE-122). Affected platforms span Windows Server 2012 through 2025 (including Server Core) and Windows 10/11 clients acting in AD roles, with Microsoft-issued patches available. There is no public exploit identified at time of analysis and it is not on CISA KEV, but the CVSS 8.8 rating and the sensitivity of the domain-controller attack surface make this a high-priority patch.
Denial of service in the Windows Local Security Authority Subsystem Service (LSASS) allows a remote, unauthenticated attacker to crash the service and disrupt authentication across all supported Windows client and server releases from Windows 10 1607 through Windows 11 26H1 and Windows Server 2012 through Server 2025. The flaw stems from an excessive-size memory allocation (CWE-789) triggerable over the network with no privileges or user interaction, and while a vendor patch is available, there is no public exploit identified at time of analysis and it is not listed in CISA KEV. Impact is limited to availability (A:H) with no confidentiality or integrity loss, but LSASS failure can force system instability or reboots, affecting domain authentication and logon.
Windows Cryptographic Services across a broad range of Windows 10, Windows 11, and Windows Server versions fails to release allocated memory after its effective lifetime (CWE-401), enabling a remote unauthenticated attacker to cause a denial-of-service condition over the network. The CVSS vector (AV:N/AC:L/PR:N/UI:N) confirms exploitation requires no authentication, no user interaction, and no elevated privileges against default configurations. Microsoft has released a patch via MSRC advisory CVE-2026-44806; no public exploit or CISA KEV listing has been identified at time of analysis.
Windows Event Logging Service across a wide range of Windows 10, Windows 11, and Windows Server versions fails to enforce its intended protection mechanisms, permitting any authenticated low-privileged network user to read information that should be access-controlled. The CVSS vector (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N) confirms exploitation requires only a valid low-privilege account and network connectivity, with no user interaction and no elevated rights - making it a practical post-compromise lateral-movement or reconnaissance tool. No public exploit code has been identified and this CVE is not listed in CISA KEV at time of analysis, but the ubiquitous deployment footprint across the Windows ecosystem elevates organizational exposure.
Remote code execution in Windows PowerShell allows an authenticated attacker with low privileges to run arbitrary code across a network by exploiting a relative path traversal (CWE-23) flaw, provided a victim is induced to interact (UI:R). Affecting supported Windows 10/11 clients and Windows Server 2012 through 2025, the issue carries a CVSS 8.0 with full confidentiality, integrity, and availability impact, and a vendor patch is available via MSRC. There is no public exploit identified at time of analysis, and the CVE is not listed in CISA KEV.
Exposure of sensitive information to an unauthorized actor in Windows File Explorer allows an authorized attacker to disclose information locally.
Use of uninitialized resource in Windows File Explorer allows an authorized attacker to disclose information locally.
Windows Audio Service on multiple Windows desktop and server versions improperly exposes sensitive information to locally authenticated standard users, enabling information disclosure without requiring elevated privileges. Affecting Windows 10 1809 through Windows 11 26H1 and Windows Server 2019 (with Server 2022 and 2025 referenced in tags), the flaw is exploitable post-foothold by any low-privileged local account, making it a realistic post-exploitation pivot rather than an initial access vector. No public exploit code has been identified at time of analysis, and a vendor-released patch is confirmed available via the Microsoft Security Response Center.
Exposure of sensitive information to an unauthorized actor in Windows File Explorer allows an authorized attacker to disclose information locally.
Local code execution in Microsoft Windows NTFS driver allows an authenticated attacker to run arbitrary code by triggering a heap-based buffer overflow (CWE-122) after inducing user interaction. The flaw affects a broad range of Windows client and server releases, from Windows 10 1607 and Windows Server 2012 through Windows 11 26H1 and Windows Server 2025. It was reported by Microsoft, a vendor patch is available, and there is no public exploit identified at time of analysis.
Local privilege escalation in Microsoft Windows Narrator (the built-in screen reader) arises from improper neutralization of special elements in its Braille support component, allowing an already-authenticated local attacker (PR:L) to inject and execute OS commands that run with elevated privileges. All supported Windows client and server builds from Windows 10 1809 through Windows 11 26H1 and Windows Server 2019-2025 are affected, and Microsoft has released a patch. There is no public exploit identified at time of analysis and the CVE is not in CISA KEV, so exploitation is not confirmed as active.
Out-of-bounds read in Windows Kernel allows an authorized attacker to bypass a security feature locally.
Local code execution in Microsoft Windows Media Foundation lets an attacker run arbitrary code in the context of the victim after luring them to open a maliciously crafted media file. The flaw (CVE-2026-58610, CWE-122 heap-based buffer overflow) affects a broad range of Windows client and server releases from Windows 10 1607 through Windows 11 26H1 and Windows Server 2016 through 2025. CVSS is 7.8 (AV:L/AC:L/PR:N/UI:R) with full confidentiality, integrity, and availability impact; there is no public exploit identified at time of analysis and it is not on CISA KEV.
Local code execution in the Microsoft Graphics Component affects a broad range of supported Windows client and server releases (Windows 10 1607 through Windows 11 26H1, and Windows Server 2012 through Server 2025). An attacker who convinces a user to open a specially crafted file or content triggers an out-of-bounds read (CWE-125) that Microsoft rates as enabling code execution with high confidentiality, integrity, and availability impact. There is no public exploit identified at time of analysis and it is not listed in CISA KEV; exploitation requires local access plus user interaction, making it a standard patch-cycle priority rather than an emergency.
Network code execution in the Windows Print Spooler service allows an authenticated attacker to win a synchronization race and run arbitrary code across a broad range of Windows client and server builds (Windows 10 1607 through Windows 11 26H1, and Windows Server 2012 through 2025). Microsoft rates it CVSS 8.8 with high confidentiality, integrity, and availability impact; a vendor patch is available, and there is no public exploit identified at time of analysis. Note that the CVE description and CVSS indicate remote code execution while the source tags label it 'Information Disclosure' — a discrepancy defenders should verify against the MSRC advisory.
Local privilege escalation in the Windows Virtual Hard Disk (VHD) Miniport Driver lets an authenticated low-privileged user corrupt kernel heap memory and gain SYSTEM-level control. The flaw (CWE-122 heap-based buffer overflow, CVSS 7.8) affects a broad range of Windows 10, Windows 11, and Windows Server builds and was reported by Microsoft. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.
Local privilege escalation in Microsoft Windows arises from a use-after-free flaw (CWE-416) in the Windows Storage component, affecting Windows 10 (1809, 21H2, 22H2), Windows 11 (24H2, 25H2, 26H1), and Windows Server 2019/2022/2025. An authorized attacker who already has low-level access to a machine can trigger the freed-memory reuse to elevate to higher privileges (CVSS 7.0, high attack complexity). Microsoft has released a patch; there is no public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Out-of-bounds read in Windows RDP allows an unauthorized attacker to disclose information over a network.
Null pointer dereference in Windows Active Directory Domain Services (AD DS) enables a low-privileged authenticated attacker to crash the service remotely, causing denial of service across the affected domain. The flaw spans a wide range of Windows client and server releases, from Windows 10 version 1607 through Windows 11 version 26H1 and Windows Server 2012 through 2025. No public exploit code has been identified and this vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog at time of analysis, though the network-accessible attack surface and low privilege requirement lower the bar for abuse in environments with broad domain user access.
Untrusted search path in Microsoft XML allows an unauthorized attacker to bypass a security feature with a physical attack.
Exposure of sensitive information to an unauthorized actor in Windows Push Notifications allows an authorized attacker to disclose information locally.
Exposure of sensitive information to an unauthorized actor in Windows Push Notifications allows an authorized attacker to disclose information locally.
Local privilege escalation in the Windows Internal System User Profile component allows an already-authenticated attacker to gain elevated (SYSTEM-level) privileges by triggering a use-after-free memory corruption condition (CWE-416). The flaw affects Windows 10 (21H2/22H2), Windows 11 (24H2/25H2/26H1), and Windows Server 2025 including Server Core. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the CVSS 7.8 rating and full high impact on confidentiality, integrity, and availability make it a meaningful patch-cycle priority.
Local privilege escalation in the Microsoft Windows USB Driver (kernel-mode) lets an already-authenticated low-privileged user win a race condition (CWE-362) to elevate to SYSTEM. The flaw spans a broad Windows fleet from Windows 10 1607 through Windows 11 26H1 and Windows Server 2012 through Server 2025. No public exploit identified at time of analysis, and it is not listed in CISA KEV; a vendor patch is available from Microsoft.
Local code execution in Microsoft Windows arises from a heap-based buffer overflow in a Windows Data DLL, letting an attacker who can get a victim to open crafted content run arbitrary code with the victim's privileges. Affected builds span Windows 10 (1607 through 22H2), Windows 11 (24H2, 25H2, 26H1), and Windows Server 2012 through 2025. Microsoft (the reporter) has released a patch; there is no public exploit identified at time of analysis and it is not listed in CISA KEV.
Local privilege escalation in the Microsoft Install Service (Windows Installer) affects supported Windows 10, Windows 11, and Windows Server 2019-2025 builds, letting an already-authenticated local user with limited rights (PR:L) elevate to SYSTEM. The flaw stems from improper privilege management (CWE-269) in how the service handles operations, yielding full confidentiality, integrity, and availability impact. Microsoft has released a patch; there is no public exploit identified at time of analysis and the CVE is not listed in CISA KEV.
Local privilege escalation in the Windows Application Model (the subsystem underlying UWP/packaged app lifecycle and activation) lets an authorized attacker with an existing low-privileged foothold gain SYSTEM-level control by triggering a use-after-free memory-corruption condition. All supported Windows client and server builds from Windows 10 1607 through Windows 11 26H1 and Windows Server 2016 through Server 2025 are affected. This is a Microsoft-reported flaw with a vendor patch available; there is no public exploit identified at time of analysis and it is not on CISA KEV.
Local privilege escalation in the Microsoft Windows Resilient File System (ReFS) driver allows an authenticated attacker to run code with SYSTEM-level privileges by triggering a heap-based buffer overflow. The flaw (CVSS 7.8) affects a broad range of Windows 10, Windows 11, and Windows Server 2016-2025 builds and carries high confidentiality, integrity, and availability impact. It is a Microsoft-reported issue with a vendor patch available, and there is no public exploit identified at time of analysis.
Buffer over-read in Windows NTFS allows an authorized attacker to disclose information locally.
Remote code execution in Microsoft Windows GDI+ (gdiplus) lets an unauthenticated network attacker run arbitrary code when a victim opens or renders a specially crafted image, via a heap-based buffer overflow (CWE-122). The flaw affects a broad range of supported Windows client and server builds (Windows 10 1607 through Windows 11 26H1, and Windows Server 2012 through 2025). It carries a critical CVSS 9.6 with a scope-changed impact, but requires user interaction and currently has no public exploit identified at time of analysis.
Local code execution in Microsoft Windows NTFS driver (heap-based buffer overflow, CWE-122) allows an attacker to run arbitrary code with the privileges of the exploited context. The flaw affects a broad range of Windows client and server releases from Windows 10 1607 through Windows 11 26H1 and Windows Server 2012 through Server 2025. CVSS 7.8 with high confidentiality, integrity, and availability impact; exploitation requires local access and user interaction, and there is no public exploit identified at time of analysis.
Local privilege escalation in the Windows Unified Consent System (UCS) lets an already-authenticated attacker exploit a use-after-free memory-corruption flaw (CWE-416) to gain higher privileges, potentially up to SYSTEM. It affects a broad range of current Windows client and server builds including Windows 10 21H2/22H2, Windows 11 24H2/25H2/26H1, and Windows Server 2025. Reported by Microsoft with a CVSS 3.1 base score of 7.8; there is no public exploit identified at time of analysis and it is not listed in CISA KEV.
Local privilege escalation in Microsoft Windows TCP/IP stack allows an authenticated attacker to elevate to SYSTEM by exploiting a use-after-free (CWE-416) memory corruption flaw. Affected builds span Windows 10 (1809, 21H2, 22H2), Windows 11 (24H2, 25H2, 26H1), and Windows Server 2019/2022/2025 including Server Core. No public exploit identified at time of analysis; Microsoft has released a patch, and the CVSS 7.0 score reflects high attack complexity (likely a race condition) that raises the exploitation bar.
Exposure of sensitive information to an unauthorized actor in Windows Kernel allows an authorized attacker to disclose information locally.
Local code execution in Microsoft Windows NTFS arises from a heap-based buffer overflow (CWE-122) that an authorized, low-privileged local user can trigger to run arbitrary code and elevate to SYSTEM. The flaw spans a broad Windows footprint from Windows 10 1607 through Windows 11 26H1 and Windows Server 2012 through Server 2025. No public exploit identified at time of analysis, and the CVSS 3.1 base score is 7.8 (High).
Local privilege escalation in Windows App Installer (the MSIX/AppX package deployment component, msixbundle/App Installer) lets an already-authenticated low-privileged user overflow a stack buffer to gain higher privileges on affected Windows 10, Windows 11, and Windows Server builds. Microsoft self-reported the flaw and has shipped a patch; there is no public exploit identified at time of analysis and it is not listed in CISA KEV. The CVSS 7.8 (AV:L/PR:L) rating reflects a locally-launched attack with high confidentiality, integrity, and availability impact.
Local code execution in the Windows NTFS file system driver lets an unauthorized attacker run arbitrary code by tricking a user into interacting with specially crafted content, per Microsoft's MSRC advisory. The flaw is a heap-based buffer overflow (CWE-122) affecting a broad range of Windows releases from Windows 10 1607 through Windows 11 26H1 and Windows Server 2012 through Server 2025. No public exploit is identified at time of analysis and it is not listed in CISA KEV, but the low attack complexity and full-CIA impact make it a meaningful local code-execution risk.
Local privilege escalation in the Windows Notification component lets an already-authenticated low-privileged user elevate to higher privileges (SYSTEM) across a broad range of Windows 10, Windows 11, and Windows Server releases. The flaw stems from an incorrect type conversion/cast (CWE-704) and carries a CVSS 7.8 (AV:L/AC:L/PR:L/UI:N) with high confidentiality, integrity, and availability impact. Microsoft has released a patch; there is no public exploit identified at time of analysis and the CVE is not listed in CISA KEV.
Local privilege escalation in the Windows NTFS file-system driver allows an authenticated attacker to run code with elevated (SYSTEM-level) privileges by triggering a stack-based buffer overflow (CWE-121). The flaw was reported by Microsoft and affects a broad range of Windows client and server releases from Windows 10 1607 through Windows 11 26H1 and Windows Server 2012 through Server 2025. No public exploit identified at time of analysis, and it is not listed in CISA KEV; the CVSS 3.1 base score is 7.8 (High).
Privilege escalation in Microsoft Windows SMB Server allows an already-authenticated network attacker to elevate to higher privileges by abusing a flawed authentication algorithm, yielding high confidentiality, integrity, and availability impact. The flaw affects Windows 10 (21H2/22H2), Windows 11 (24H2/25H2/26H1), and Windows Server 2022/2025 including Server Core. Reported by Microsoft with a patch available; no public exploit identified at time of analysis.
Local privilege elevation in the Microsoft Windows TCP/IP networking stack lets an already-authenticated, low-privileged user corrupt kernel memory via a use-after-free (CWE-416) and gain SYSTEM-level control. The flaw affects a broad range of client and server SKUs from Windows 10 1607 through Windows 11 26H1 and Windows Server 2012 through Server 2025, including Server Core installations. Microsoft reported the issue and has released a patch; there is no public exploit identified at time of analysis and the CVE is not listed in CISA KEV.
Local privilege escalation in the Windows Push Notifications component (WNS/WpnService) lets an already-authenticated low-privileged user overwrite adjacent heap memory to gain SYSTEM-level control across Windows 10 (1607-22H2), Windows 11 (24H2-26H1), and Windows Server 2012 R2 through 2025. Microsoft reported the flaw and has shipped a fix; there is no public exploit identified at time of analysis and it is not listed in CISA KEV. The high CVSS 7.8 reflects full confidentiality, integrity, and availability impact once triggered, but exploitation requires prior local access.
Local privilege escalation in the Microsoft Windows Kernel allows an already-authenticated attacker to gain SYSTEM-level control by exploiting a use-after-free (CWE-416) memory corruption condition. The flaw affects a broad range of supported Windows client and server releases (Windows 10 1809 through Windows 11 26H1, and Windows Server 2019 through 2025) and, per the CVSS 7.8 vector, yields full confidentiality, integrity, and availability impact. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV; Microsoft has released a patch.
Local privilege escalation in the Windows Redirected Drive Buffering Subsystem (RDBSS) lets an authenticated low-privileged attacker read memory beyond an allocated buffer to elevate to higher privileges. The flaw affects a broad range of currently-supported Windows client and server releases (Windows 10 1607 through Windows 11 26H1, Windows Server 2012 through Server 2025) and carries a CVSS 7.0 (High) rating. Microsoft has released a patch; there is no public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Local privilege escalation in the Windows Kernel lets a low-privileged, authenticated attacker gain SYSTEM-level control by triggering a heap-based buffer overflow (CWE-122). The flaw spans a broad platform range from Windows 10 1607 through Windows 11 26H1 and Windows Server 2012 through Server 2025, and was reported internally by Microsoft. No public exploit is identified at time of analysis and it is not in CISA KEV, but the ubiquity of the affected component plus full high impact on confidentiality, integrity, and availability make it a meaningful patch priority.
Improper certificate validation in Windows Cryptographic Services allows an unauthorized attacker to bypass a security feature over a network.
Local privilege escalation in Windows Server Backup (WBADMIN component shipped with Windows 10 21H2/22H2 and Windows 11 24H2/25H2/26H1) lets an authorized, low-privileged user abuse a symbolic-link/junction race so that a backup operation acts on an attacker-chosen path, yielding SYSTEM-level access. Microsoft has released a patch and reported the flaw itself; there is no public exploit identified at time of analysis and it is not listed in CISA KEV. Successful exploitation requires local access plus user interaction, which lowers the realistic threat relative to the 7.3 base score.
Use of a cryptographic primitive with a risky implementation in Windows Key Guard allows an authorized attacker to bypass a security feature locally.
Integer underflow in the Windows Kernel enables a locally authenticated attacker to disclose sensitive kernel memory contents across a broad range of Windows 10, Windows 11, and Windows Server platforms. The CVSS vector (AV:L/AC:L/PR:L/UI:N) confirms that any low-privilege local user can trigger the flaw without special configuration or user interaction, yielding high confidentiality impact with no integrity or availability consequences. Microsoft has released a patch via the July 2026 Security Update Guide; no public exploit has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog.
Access of resource using incompatible type ('type confusion') in Composite Image File System Driver allows an authorized attacker to disclose information locally.
Exposure of sensitive information to an unauthorized actor in Windows Trusted Runtime Interface Driver allows an authorized attacker to disclose information locally.
Local privilege escalation in the Windows Clip Service (clipboard/cloud clipboard component, cbdhsvc) affects a broad range of Windows 10, Windows 11, and Windows Server 2019-2025 builds, where a race condition in concurrent access to a shared resource lets an already-authenticated local attacker win a timing window to gain higher privileges. Reported by Microsoft with a patch available; there is no public exploit identified at time of analysis and it is not listed in CISA KEV. Note a source conflict: the description and CWE describe privilege elevation with high confidentiality/integrity/availability impact, while the intelligence tags label it 'Information Disclosure' - treat the primary impact as local EoP per the CVSS vector.
Local privilege escalation in the Microsoft Windows App Store (AppX/package deployment component) allows an authorized, low-privileged user to win a race condition and gain higher privileges on affected Windows client and server builds spanning Windows 10 1607 through Windows 11 26H1 and Windows Server 2016 through 2025. Exploitation requires local access and already-held low privileges, and the high attack complexity reflects the timing precision needed to win the race. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but Microsoft has released a patch.
Privilege escalation in the Windows Win32K kernel-mode subsystem lets an already-authenticated local user gain SYSTEM-level control across a broad range of Windows client and server releases (Windows 10 1607 through Windows 11 26H1, and Windows Server 2012 through Server 2025). Rooted in improper access control (CWE-284), successful exploitation yields full confidentiality, integrity, and availability impact on the host. There is no public exploit identified at time of analysis and the CVSS vector's high attack complexity (AC:H) tempers the practical risk.
Local privilege escalation in the Windows Win32K kernel-mode subsystem allows an already-authenticated, low-privileged user to elevate to SYSTEM through improper access control (CWE-284). Affected builds span Windows 10 (1607 through 22H2), Windows 11 (24H2/25H2/26H1), and Windows Server 2012 through 2025. No public exploit identified at time of analysis, and it is not listed in CISA KEV; Microsoft has released a patch.
Local privilege escalation in the Microsoft Windows Graphics Kernel component allows a low-privileged local user to elevate to SYSTEM by exploiting a use-after-free (CWE-416) memory corruption condition. The flaw affects a broad range of Windows 10, Windows 11, and Windows Server releases, was reported by Microsoft, and has a vendor-released patch available. No public exploit is identified at time of analysis and it is not listed in CISA KEV; the high attack complexity (AC:H) makes reliable exploitation non-trivial.
Local privilege escalation in the Windows Kernel lets an already-authenticated, low-privileged user corrupt kernel memory via a use-after-free (CWE-416) and gain higher privileges on the host. The flaw affects a broad range of currently-supported Windows client and server releases (Windows 10 1607 through Windows 11 26H1, and Windows Server 2016 through 2025); Microsoft has shipped a fix. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Insertion of sensitive information into log file in Windows Kernel allows an authorized attacker to disclose information locally.
Local privilege escalation in the Windows taskbar (Internal Task Bar component) allows an authenticated attacker to elevate to higher privileges by exploiting a use-after-free memory corruption flaw. The issue affects a broad range of current Windows client and server builds (Windows 10 21H2/22H2, Windows 11 24H2/25H2/26H1, and Windows Server 2025), was reported by Microsoft itself, and is fixed via a vendor patch. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.
Integer overflow or wraparound in Windows Spaceport.sys allows an unauthorized attacker to elevate privileges with a physical attack.
Exposure of sensitive information to an unauthorized actor in Windows DirectX allows an unauthorized attacker to disclose information locally.
Local privilege escalation in the Windows Audio Compression Manager (ACM) allows a low-privileged authenticated user to elevate to higher privileges (CVSS 7.8, CWE-284 improper access control). It affects a broad Windows fleet spanning Windows 10 (1607 through 22H2), Windows 11 (24H2/25H2/26H1), and Windows Server 2012 through 2025. Reported by Microsoft with a patch available; there is no public exploit identified at time of analysis and it is not listed in CISA KEV.
Local privilege escalation in Microsoft Windows Resilient File System (ReFS) allows an authenticated low-privileged user to gain elevated (SYSTEM-level) privileges by triggering a stack-based buffer overflow (CWE-121) in the ReFS driver. The flaw affects a broad range of Windows client and server releases, from Windows 10 1607 through Windows 11 26H1 and Windows Server 2016 through 2025. Microsoft has released a patch; there is no public exploit identified at time of analysis and the CVE is not listed in CISA KEV.
Local privilege escalation in the Windows AppX Deployment Service (AppXSvc) lets an already-authenticated, low-privileged user win a race condition to elevate to higher privileges across a broad range of Windows client and server builds (Windows 10 1607 through Windows 11 26H1, and Windows Server 2012 through 2025). The flaw stems from improper synchronization of a shared resource, and successful exploitation yields full confidentiality, integrity, and availability impact on the host. It is reported by Microsoft with a vendor patch available; there is no public exploit identified at time of analysis and it is not listed in CISA KEV.
Local privilege escalation in the Windows Win32K kernel-mode subsystem allows an already-authenticated low-privileged user to elevate to SYSTEM through an improper access-control flaw. The issue affects a broad range of Windows client and server releases, from Windows 10 1607 and Windows Server 2012 through Windows 11 26H1 and Windows Server 2025. Microsoft has released a patch; there is no public exploit identified at time of analysis, and the flaw is not listed in CISA KEV.
Use of uninitialized resource in Windows SMB allows an authorized attacker to disclose information locally.
Local privilege escalation in the Windows Spaceport.sys Storage Spaces driver lets an already-authenticated low-privileged user gain SYSTEM-level control across Windows 10, Windows 11, and Windows Server 2016 through 2025. The flaw stems from a missing authentication check on a critical driver function (CWE-306), and Microsoft has released a patch; no public exploit has been identified at time of analysis. With CVSS 7.8 (local, low-privilege) and full confidentiality, integrity, and availability impact, it is a strong candidate for chaining after an initial foothold.
Exposure of sensitive system information to an unauthorized control sphere in Windows Kernel allows an unauthorized attacker to disclose information locally.
Heap-based buffer overflow in Windows USB Video Driver allows an unauthorized attacker to elevate privileges with a physical attack.
Elevation of privilege in Microsoft Windows (Server 2012 through 2025 and Windows 10/11 clients) lets a low-privileged local user gain SYSTEM-level rights by abusing an improper access control (CWE-284) weakness. The flaw was reported by Microsoft with a patch available, and CVSS 3.1 rates it 7.8 (High) with local vector and low privileges required. No public exploit identified at time of analysis and it is not listed in CISA KEV, so this is a patch-worthy but not emergency issue absent evidence of active exploitation.
Local code execution in the Microsoft Windows NTFS file-system driver lets an attacker run arbitrary code by inducing a victim to interact with a specially crafted NTFS artifact (e.g., a malicious volume, VHD, or file). The flaw stems from an integer underflow (CWE-191) and spans a broad range of Windows client and server builds from Windows Server 2012 through Windows Server 2025 and Windows 10/11. Microsoft has released a patch; there is no public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Uncontrolled resource consumption in Windows Local Security Authority Subsystem Service (LSASS) allows an authorized attacker to deny service over a network.
Local privilege escalation in the Windows Web Proxy Auto-Discovery Protocol (WPAD) component lets an already-authenticated local user run code with SYSTEM-level rights by triggering an integer overflow (CWE-190). The flaw affects a broad range of Windows client and server builds, from Windows 10 1809 through Windows 11 26H1 and Windows Server 2019 through 2025. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the low attack complexity and high triad impact make it a meaningful patch-tier issue.
Integer overflow or wraparound in Windows Storage Spaces Direct allows an unauthorized attacker to execute code with a physical attack.
Local privilege escalation in the Microsoft Windows Kernel allows an unauthorized attacker to gain elevated (SYSTEM-level) privileges by triggering a use-after-free condition (CWE-416) in kernel memory. The flaw affects a broad range of supported Windows client and server releases, from Windows 10 1607 and Windows Server 2012 through Windows 11 26H1 and Windows Server 2025. Microsoft has released a patch; there is no public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Local code execution in the Windows NTFS driver (CVE-2026-49797) allows an attacker with local access to run arbitrary code by tricking a user into interacting with a maliciously crafted NTFS artifact, exploiting a heap-based buffer overflow (CWE-122). The flaw affects a broad range of Windows client and server releases from Windows 10 1607 and Server 2012 through Windows 11 26H1 and Server 2025. Microsoft has released a patch; no public exploit identified at time of analysis and it is not listed in CISA KEV.
Local privilege escalation in the Windows Kernel lets an already-authenticated attacker corrupt kernel memory via a use-after-free (CWE-416) and gain full control of the host. The CVSS 3.1 vector (AV:L/PR:L, scope-changed with C:H/I:H/A:H) reflects a low-privileged local user escalating to SYSTEM-level compromise across a broad range of Windows 10, Windows 11, and Windows Server builds. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but Microsoft has released a patch.
Local code execution in Windows GDI+ (the Graphics Device Interface Plus rendering component) affects a broad range of Microsoft Windows client and server releases from Windows 10 1607 through Windows 11 26H1 and Windows Server 2012 through Server 2025. An attacker who convinces a user to open or preview a specially crafted image or document triggers a heap-based buffer overflow (CWE-122) during graphics parsing, yielding arbitrary code execution in the context of the current user. The CVSS 3.1 base score is 7.8 (AV:L/AC:L/PR:N/UI:R); there is no public exploit identified at time of analysis and it is not listed in CISA KEV, but GDI+ image-parsing flaws are historically attractive to attackers.
Out-of-bounds read in Windows USB Audio Class driver (usbaudio.sys) allows an unauthorized attacker to disclose information with a physical attack.
Local privilege escalation via arbitrary code execution in Microsoft Windows Resilient File System (ReFS) affects a broad range of Windows 10, Windows 11, and Windows Server (2016-2025) builds. An authorized (low-privileged) attacker who can trigger the vulnerable heap allocation path can corrupt heap memory (CWE-122) to run code in the security context of the ReFS driver, yielding full confidentiality, integrity, and availability impact. No public exploit identified at time of analysis, and the flaw is not on the CISA KEV list.
Local code execution in Microsoft's Resilient File System (ReFS) driver allows an authorized (low-privileged) attacker to run arbitrary code with elevated context via a numeric truncation flaw. The bug affects the ReFS component shipped with Windows 10, Windows 11, and Windows Server 2016 through 2025. There is no public exploit identified at time of analysis and it is not listed in CISA KEV; note that the CVE's own tags label it 'Information Disclosure' while the description and CVSS impact (C:H/I:H/A:H) describe full code execution - the code-execution reading should be treated as authoritative.
Local privilege escalation in Microsoft Windows Routing and Remote Access Service (RRAS) allows an already-authenticated low-privileged user to abuse a link-following (symlink/junction) flaw to gain higher privileges on the host. The bug affects a broad range of client and server SKUs from Windows Server 2012 through Windows Server 2025 and Windows 10 1607 through Windows 11 26H1, and Microsoft has shipped a fix. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.
Elevation of privilege in the Windows Universal Disk Format File System driver (UDFS.sys) lets a low-privileged local user gain elevated (kernel/SYSTEM) rights after the victim mounts or opens a maliciously crafted UDF volume. The flaw stems from an integer arithmetic error (CWE-191) in the driver that parses UDF-formatted media such as ISO images, optical discs, and virtual disk files, and affects a broad range of Windows client and server releases from Windows Server 2012 and Windows 10 1607 through Windows 11 26H1 and Windows Server 2025. Microsoft reported the issue and has shipped a patch; there is no public exploit identified at time of analysis and the CVE is not listed in CISA KEV.
Local privilege escalation in the Microsoft Windows NTFS driver allows an already-authenticated, low-privileged user to gain elevated (likely SYSTEM) privileges by triggering a stack-based buffer overflow, contingent on user interaction. The flaw spans a broad range of supported Windows client and server releases, from Windows 10 1607 and Server 2012 through Windows 11 26H1 and Server 2025. Microsoft has issued a patch and reported the issue itself; there is no public exploit identified at time of analysis and the CVE is not listed in CISA KEV.
Denial of service in the Windows HTTP/2 network stack allows a remote, unauthenticated attacker to exhaust server resources and render affected services unavailable across a broad range of Windows client and server releases (Windows 10/11 and Windows Server 2016 through 2025). Reported by Microsoft with a vendor patch available; there is no public exploit identified at time of analysis and it is not listed in CISA KEV. The 7.5 CVSS reflects high availability impact with no confidentiality or integrity loss.
Denial of service in Microsoft Windows HTTP.sys allows remote unauthenticated attackers to exhaust system resources and make affected hosts unresponsive over the network. The flaw stems from missing resource limits/throttling (CWE-770) in the kernel-mode HTTP protocol stack, affecting a broad range of Windows client and server releases from Windows 10 1607 through Windows 11 26H1 and Windows Server 2016 through 2025. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV; a vendor patch is available via MSRC.
Security feature bypass in Windows Secure Boot (CWE-358) allows a locally authenticated attacker on affected Windows 10, Windows 11, and Windows Server (2016 through 2025) systems to defeat the boot-integrity trust chain due to an improperly implemented standard security check. Because Secure Boot is the gate that blocks unsigned/tampered bootloaders and rootkits, a successful bypass can enable pre-OS persistence and undermine downstream protections such as BitLocker and Measured Boot. There is no public exploit identified at time of analysis and the CVE is not listed in CISA KEV; Microsoft has published a patch via its update guide.
Local privilege escalation in the Windows Clipboard Server (Windows 10 1809 through Windows 11 26H1 and Windows Server 2019 through 2025) allows an already-authenticated low-privileged user to win a race condition and gain higher privileges on the host. Microsoft credits its own researchers and has shipped a fix; there is no public exploit identified at time of analysis and the CVSS base score is 7.0 (High). The high attack complexity reflects the timing precision needed to exploit the race, which meaningfully limits reliable weaponization.
Local code execution in Microsoft Windows NTFS (New Technology File System) stems from a heap-based buffer overflow (CWE-122) that lets a local attacker run arbitrary code with high confidentiality, integrity, and availability impact. The flaw affects a broad range of Windows client and server builds - from Windows 10 1607 and Server 2012 through Windows 11 26H1 and Server 2025 - and Microsoft has released a patch. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but NTFS's role as the default Windows filesystem makes the exposed surface extremely wide.
Improper link resolution before file access ('link following') in Universal Plug and Play (upnp.dll) allows an authorized attacker to disclose information locally.
Remote code execution in Microsoft Active Directory Domain Services (AD DS) allows an authenticated network attacker to run arbitrary code on domain controllers by triggering a heap-based buffer overflow (CWE-122). Affected platforms span Windows Server 2012 through 2025 (including Server Core) and Windows 10/11 clients acting in AD roles, with Microsoft-issued patches available. There is no public exploit identified at time of analysis and it is not on CISA KEV, but the CVSS 8.8 rating and the sensitivity of the domain-controller attack surface make this a high-priority patch.
Denial of service in the Windows Local Security Authority Subsystem Service (LSASS) allows a remote, unauthenticated attacker to crash the service and disrupt authentication across all supported Windows client and server releases from Windows 10 1607 through Windows 11 26H1 and Windows Server 2012 through Server 2025. The flaw stems from an excessive-size memory allocation (CWE-789) triggerable over the network with no privileges or user interaction, and while a vendor patch is available, there is no public exploit identified at time of analysis and it is not listed in CISA KEV. Impact is limited to availability (A:H) with no confidentiality or integrity loss, but LSASS failure can force system instability or reboots, affecting domain authentication and logon.
Windows Cryptographic Services across a broad range of Windows 10, Windows 11, and Windows Server versions fails to release allocated memory after its effective lifetime (CWE-401), enabling a remote unauthenticated attacker to cause a denial-of-service condition over the network. The CVSS vector (AV:N/AC:L/PR:N/UI:N) confirms exploitation requires no authentication, no user interaction, and no elevated privileges against default configurations. Microsoft has released a patch via MSRC advisory CVE-2026-44806; no public exploit or CISA KEV listing has been identified at time of analysis.
Windows Event Logging Service across a wide range of Windows 10, Windows 11, and Windows Server versions fails to enforce its intended protection mechanisms, permitting any authenticated low-privileged network user to read information that should be access-controlled. The CVSS vector (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N) confirms exploitation requires only a valid low-privilege account and network connectivity, with no user interaction and no elevated rights - making it a practical post-compromise lateral-movement or reconnaissance tool. No public exploit code has been identified and this CVE is not listed in CISA KEV at time of analysis, but the ubiquitous deployment footprint across the Windows ecosystem elevates organizational exposure.
Remote code execution in Windows PowerShell allows an authenticated attacker with low privileges to run arbitrary code across a network by exploiting a relative path traversal (CWE-23) flaw, provided a victim is induced to interact (UI:R). Affecting supported Windows 10/11 clients and Windows Server 2012 through 2025, the issue carries a CVSS 8.0 with full confidentiality, integrity, and availability impact, and a vendor patch is available via MSRC. There is no public exploit identified at time of analysis, and the CVE is not listed in CISA KEV.
Exposure of sensitive information to an unauthorized actor in Windows File Explorer allows an authorized attacker to disclose information locally.
Use of uninitialized resource in Windows File Explorer allows an authorized attacker to disclose information locally.
Windows Audio Service on multiple Windows desktop and server versions improperly exposes sensitive information to locally authenticated standard users, enabling information disclosure without requiring elevated privileges. Affecting Windows 10 1809 through Windows 11 26H1 and Windows Server 2019 (with Server 2022 and 2025 referenced in tags), the flaw is exploitable post-foothold by any low-privileged local account, making it a realistic post-exploitation pivot rather than an initial access vector. No public exploit code has been identified at time of analysis, and a vendor-released patch is confirmed available via the Microsoft Security Response Center.
Exposure of sensitive information to an unauthorized actor in Windows File Explorer allows an authorized attacker to disclose information locally.
Local code execution in Microsoft Windows NTFS driver allows an authenticated attacker to run arbitrary code by triggering a heap-based buffer overflow (CWE-122) after inducing user interaction. The flaw affects a broad range of Windows client and server releases, from Windows 10 1607 and Windows Server 2012 through Windows 11 26H1 and Windows Server 2025. It was reported by Microsoft, a vendor patch is available, and there is no public exploit identified at time of analysis.
Local privilege escalation in Microsoft Windows Narrator (the built-in screen reader) arises from improper neutralization of special elements in its Braille support component, allowing an already-authenticated local attacker (PR:L) to inject and execute OS commands that run with elevated privileges. All supported Windows client and server builds from Windows 10 1809 through Windows 11 26H1 and Windows Server 2019-2025 are affected, and Microsoft has released a patch. There is no public exploit identified at time of analysis and the CVE is not in CISA KEV, so exploitation is not confirmed as active.
Out-of-bounds read in Windows Kernel allows an authorized attacker to bypass a security feature locally.
Local code execution in Microsoft Windows Media Foundation lets an attacker run arbitrary code in the context of the victim after luring them to open a maliciously crafted media file. The flaw (CVE-2026-58610, CWE-122 heap-based buffer overflow) affects a broad range of Windows client and server releases from Windows 10 1607 through Windows 11 26H1 and Windows Server 2016 through 2025. CVSS is 7.8 (AV:L/AC:L/PR:N/UI:R) with full confidentiality, integrity, and availability impact; there is no public exploit identified at time of analysis and it is not on CISA KEV.
Local code execution in the Microsoft Graphics Component affects a broad range of supported Windows client and server releases (Windows 10 1607 through Windows 11 26H1, and Windows Server 2012 through Server 2025). An attacker who convinces a user to open a specially crafted file or content triggers an out-of-bounds read (CWE-125) that Microsoft rates as enabling code execution with high confidentiality, integrity, and availability impact. There is no public exploit identified at time of analysis and it is not listed in CISA KEV; exploitation requires local access plus user interaction, making it a standard patch-cycle priority rather than an emergency.
Network code execution in the Windows Print Spooler service allows an authenticated attacker to win a synchronization race and run arbitrary code across a broad range of Windows client and server builds (Windows 10 1607 through Windows 11 26H1, and Windows Server 2012 through 2025). Microsoft rates it CVSS 8.8 with high confidentiality, integrity, and availability impact; a vendor patch is available, and there is no public exploit identified at time of analysis. Note that the CVE description and CVSS indicate remote code execution while the source tags label it 'Information Disclosure' — a discrepancy defenders should verify against the MSRC advisory.
Local privilege escalation in the Windows Virtual Hard Disk (VHD) Miniport Driver lets an authenticated low-privileged user corrupt kernel heap memory and gain SYSTEM-level control. The flaw (CWE-122 heap-based buffer overflow, CVSS 7.8) affects a broad range of Windows 10, Windows 11, and Windows Server builds and was reported by Microsoft. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.
Local privilege escalation in Microsoft Windows arises from a use-after-free flaw (CWE-416) in the Windows Storage component, affecting Windows 10 (1809, 21H2, 22H2), Windows 11 (24H2, 25H2, 26H1), and Windows Server 2019/2022/2025. An authorized attacker who already has low-level access to a machine can trigger the freed-memory reuse to elevate to higher privileges (CVSS 7.0, high attack complexity). Microsoft has released a patch; there is no public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Out-of-bounds read in Windows RDP allows an unauthorized attacker to disclose information over a network.
Null pointer dereference in Windows Active Directory Domain Services (AD DS) enables a low-privileged authenticated attacker to crash the service remotely, causing denial of service across the affected domain. The flaw spans a wide range of Windows client and server releases, from Windows 10 version 1607 through Windows 11 version 26H1 and Windows Server 2012 through 2025. No public exploit code has been identified and this vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog at time of analysis, though the network-accessible attack surface and low privilege requirement lower the bar for abuse in environments with broad domain user access.
Untrusted search path in Microsoft XML allows an unauthorized attacker to bypass a security feature with a physical attack.