Windows 11 Version 23H2

Improper access control in Universal Plug and Play (upnp.dll) on Windows allows authenticated local attackers to disclose sensitive information without user interaction. The vulnerability affects Windows 10 (versions 1607, 1809, 21H2, 22H2), Windows 11 (versions 22H3, 23H2, 24H2, 25H2, 26H1), and Windows Server 2012-2025. Microsoft has released patches available through their security update guide; no public exploit code or active exploitation has been reported at time of analysis.

Windows Snipping Tool leaks sensitive information to unauthenticated network attackers via user interaction, enabling spoofing attacks. The vulnerability affects Windows 10 (versions 1607, 1809, 21H2, 22H2) and Windows 11 (versions 22H3, 23H2, 24H2, 25H2, 26H1), as well as Windows Server 2012 through 2025. Microsoft has released patches for all affected versions; exploitation requires user interaction but no specialized technical knowledge.

Remote code execution vulnerability in Windows IKE Extension affects Windows 10/11 and Windows Server 2016-2025 via double-free memory corruption (CWE-415). Unauthenticated remote attackers can exploit this over the network with low complexity to achieve complete system compromise (CVSS 9.8). Vendor-released patches are available per Microsoft's security update guide. No public exploit identified at time of analysis, but the critical CVSS score and network attack vector indicate high real-world

Remote code execution in Windows TCP/IP networking stack across Windows 10, 11, and Server versions allows unauthenticated network attackers to execute arbitrary code by exploiting a race condition in shared resource synchronization. The vulnerability affects all supported Windows versions from Server 2012 through Windows 11 26H1 and Server 2025. Microsoft has released patches addressing this high-severity flaw (CVSS 8.1). No public exploit identified at time of analysis, though SSVC assessment

Local privilege escalation in Windows Win32K graphics subsystem (Win32K-GRFX) allows authenticated attackers with low privileges to gain SYSTEM-level access by exploiting a race condition during concurrent resource access. Affects all supported Windows 10, Windows 11, and Windows Server versions from 2012 through 2025. Microsoft has released patches addressing this CWE-362 synchronization flaw. No public exploit identified at time of analysis, though the local attack vector and high complexity (

Local privilege escalation in Windows Ancillary Function Driver for WinSock (AFD.sys) affects all supported Windows 10, Windows 11, and Windows Server versions from 2012 through 2025. The CWE-416 use-after-free memory corruption flaw allows low-privileged authenticated attackers with local access to elevate to SYSTEM privileges, achieving complete control over confidentiality, integrity, and availability. SSVC framework rates this as non-automatable with total technical impact. No public exploit

Local privilege escalation via use-after-free in Windows Ancillary Function Driver for WinSock (AFD.sys) allows authenticated low-privileged attackers to execute arbitrary code with SYSTEM privileges across all supported Windows versions. Microsoft has released patches for Windows 10 (versions 1607-22H2), Windows 11 (versions 22H3-25H2), and Windows Server (2012-2022 23H2). The vulnerability requires local access and low privileges (PR:L) with high attack complexity (AC:H), but no public exploit

Windows Shell security feature bypass enables unauthenticated remote attackers to defeat protection mechanisms across all supported Windows client and server versions (Windows 10 1607 through Windows 11 26H1, Server 2012 through Server 2025) via network-based attack requiring user interaction. The CVSS 8.8 rating reflects complete compromise potential (high confidentiality, integrity, and availability impact) despite low attack complexity. Microsoft has released patches addressing this authentic

Local privilege escalation in Windows User Interface Core across Windows 10, 11, and Server 2016-2025 allows low-privileged authenticated users to gain elevated system access via a race condition vulnerability. Attack complexity is high (AC:H), requiring precise timing exploitation of shared resource synchronization flaws. Vendor-released patches are available for all affected versions. No public exploit identified at time of analysis, though the local attack vector and authenticated requirement

Privilege escalation in Windows User Interface Core across Windows 10 (1809-22H2), Windows 11 (22H3-26H1), and Windows Server (2019-2025) allows authenticated local attackers to gain elevated privileges via race condition exploitation. Vendor-released patches available for all affected versions. No public exploit identified at time of analysis. CVSS 7.8 (high) with local attack vector and high complexity (CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C) indicates significant real-world risk in multi-user environments where low-privilege users can access affected systems.

Local privilege escalation in Windows COM across Windows 10 (1809, 21H2, 22H2), Windows 11 (22H3-26H1), and Windows Server (2019-2025) allows unauthenticated attackers with local access to achieve full system compromise (high confidentiality, integrity, and availability impact) by exploiting acceptance of untrusted data alongside trusted data. CVSS 8.4 reflects the severe impact of complete privilege escalation despite requiring local access. Vendor-released patch available with specific build n

Desktop Window Manager (DWM) privilege escalation via use-after-free memory corruption affects Windows 10 21H2/22H2, Windows 11 22H3 through 25H2, and Windows Server 2022/2025. Local authenticated attackers with low privileges can exploit this memory corruption flaw to gain SYSTEM-level access, achieving full compromise of confidentiality, integrity, and availability. Vendor-released patches are available across all affected platforms. No public exploit identified at time of analysis, though the

Use-after-free in Microsoft Windows Speech component enables local privilege escalation to SYSTEM on Windows 10 (versions 1809, 21H2, 22H2) and Windows 11 (versions 22H3 through 26H1). Authenticated local attackers with low privileges can exploit memory corruption to gain full system control with low attack complexity and no user interaction required. CVSS 7.8 (High). Vendor-released patches available for all affected versions. No public exploit identified at time of analysis, though the straigh

Windows Shell information disclosure vulnerability (CVE-2026-32151) allows authenticated network attackers to read sensitive data without authorization. The vulnerability affects Windows 10 versions 1607-22H2, Windows 11 versions 22H3-26H1, Windows Server 2012-2025, and associated Server Core installations. Microsoft has released vendor patches for all affected versions; exploitation requires valid credentials and network access but no user interaction.

Local privilege escalation in Microsoft Windows Function Discovery Service (fdwsd.dll) allows low-privileged authenticated users to gain SYSTEM-level access via a race condition. Affects all supported Windows 10, 11, and Server versions from 2012 through 2025. Vendor-released patches available from Microsoft. CVSS 7.0 (high complexity local attack). No public exploit identified at time of analysis, though the race condition class (CWE-362) is well-understood and commonly weaponized once details emerge.

Windows Hyper-V local privilege escalation via improper input validation (CWE-20) enables authenticated low-privilege attackers with user interaction to execute arbitrary code with high confidentiality, integrity, and availability impact across Windows 10 (versions 1607-22H2), Windows 11 (versions 22H3-26H1), and Windows Server (2016-2025). Microsoft released patches addressing the vulnerability with EPSS exploitation probability data not available; no public exploit identified at time of analys

Local privilege escalation in Microsoft Brokering File System across Windows 10, Windows 11, and Windows Server platforms allows unauthenticated attackers to achieve SYSTEM-level access via race condition exploitation. Affects all supported Windows versions from Server 2016 through Windows 11 26H1, with vendor patches released addressing the CWE-362 synchronization flaw. CVSS 8.4 severity reflects low attack complexity requiring no user interaction, though exploitation requires local access. No

Windows Biometric Service contains a race condition in concurrent resource access that allows unauthorized attackers to bypass biometric authentication controls via physical attack, affecting Windows 10 (versions 1809, 21H2, 22H2), Windows 11 (versions 22H3, 23H2, 24H2, 25H2, 26H1), and Windows Server 2019, 2022, and 2025. The vulnerability requires physical access to the device and carries a moderate CVSS score of 6.1 (physical attack vector); Microsoft has released patches for all affected versions.

Privilege escalation in Windows Function Discovery Service (fdwsd.dll) allows authenticated local attackers to gain SYSTEM-level access by exploiting a race condition during shared resource handling. Affects all supported Windows 10/11 client versions and Windows Server 2012 through 2025. Vendor-released patches are available per Microsoft's May 2026 Patch Tuesday. No public exploit identified at time of analysis, but CVSS 7.0 reflects high complexity local attack requiring low privileges.

Windows File Explorer exposes sensitive information to authenticated local users with low privileges, allowing them to read confidential data without modification or service disruption. This affects multiple Windows 10 and Windows 11 versions, as well as Windows Server 2012 through 2025. Microsoft has released patches addressing the information disclosure vector; exploitation requires local system access and valid user credentials.

Windows File Explorer information disclosure vulnerability in Windows 10 and Windows 11 allows authenticated local attackers to read sensitive files through a flaw in access control validation. CVSS 5.5 indicates moderate risk with confidentiality impact but no integrity or availability compromise. Patch available from Microsoft; no public exploit code or active exploitation confirmed at time of analysis.

Local privilege escalation in Windows Projected File System (ProjFS) across Windows 10, Windows 11, and Windows Server 2019-2025 allows authenticated low-privileged users to gain SYSTEM-level control via use-after-free memory corruption. Attack requires local access and low-privileged credentials (CVSS PR:L) but no user interaction, enabling complete compromise of confidentiality, integrity, and availability. Vendor-released patches are available for all affected versions. No public exploit identified at time of analysis, though the vulnerability class (use-after-free) is well-understood and commonly targeted once details emerge.

Untrusted pointer dereference in Windows Universal Plug and Play (UPnP) Device Host enables authenticated local attackers to elevate privileges to SYSTEM level across all supported Windows 10, Windows 11, and Windows Server versions from 2012 through 2025. The vulnerability (CWE-822) requires low-privilege authenticated access and minimal attack complexity (CVSS 7.8, AV:L/AC:L/PR:L). No public exploit identified at time of analysis. Microsoft released patches for all affected versions including

Local privilege escalation in Windows Storage Spaces Controller (Windows 11 22H2-26H1, Server 2022-2025) enables low-privileged authenticated users to gain SYSTEM-level access via out-of-bounds read exploitation. CVSS 7.8 (High). No public exploit identified at time of analysis, but ENISA EUVD tracking indicates European regulatory attention. Vendor-released patches available for all affected versions.

Local privilege escalation via double free vulnerability in Windows Projected File System (ProjFS) enables low-privileged authenticated users to achieve SYSTEM-level access across Windows 10, Windows 11, and Windows Server environments. The CWE-415 memory corruption flaw requires low attack complexity and no user interaction, affecting all actively supported Windows versions from legacy 1809 builds through current 26H1 releases. Vendor-released patches are available with build numbers confirmed

Improper authentication in Windows Active Directory enables local spoofing attacks on unauthenticated users, allowing attackers with local access to bypass authentication mechanisms and gain unauthorized access to sensitive information. This vulnerability affects multiple Windows 10 and Windows 11 versions as well as Windows Server 2016 through 2025. A vendor-released patch is available from Microsoft, and the moderate CVSS score (6.2) reflects the local attack vector requirement combined with high confidentiality impact.

Local privilege escalation in Windows Common Log File System (CLFS) Driver affects Windows 10, 11, and Server 2012-2025 through a use-after-free memory corruption flaw. Authenticated local attackers with low privileges can exploit this vulnerability to gain SYSTEM-level access, achieving full control over confidentiality, integrity, and availability. While no public exploit identified at time of analysis, the Windows CLFS driver has been a frequent target for privilege escalation exploits histor

Privilege escalation in Windows Projected File System (ProjFS) enables low-privileged local users to gain SYSTEM-level control through a double-free memory corruption vulnerability across Windows 10, 11, and Server 2019-2025. Vendor-released patch available for all affected versions (build numbers 10.0.17763.8644+, 10.0.19044.7184+, 10.0.22631.6936+, 10.0.26100.32690+, and newer). No public exploit identified at time of analysis, though the local attack vector with low complexity (CVSS AV:L/AC:L

Local privilege escalation in Windows SSDP Service affects all supported Windows 10, Windows 11, and Windows Server versions from 2012 through 2025 via a race condition vulnerability. Authenticated local users with low privileges can exploit improper synchronization in shared resource access to gain SYSTEM-level privileges, achieving full system compromise. Vendor-released patches are available across all affected versions. No public exploit identified at time of analysis, though the local attack vector and high impact warrant priority patching on multi-user or sensitive systems.

Out-of-bounds read in Windows GDI allows local unauthenticated attackers to disclose sensitive information with user interaction. The vulnerability affects Windows 10 versions 1607, 1809, 21H2, and 22H2, all Windows 11 versions from 22H3 through 26H1, and Windows Server 2012 through 2025. No public exploit code or active exploitation has been confirmed; a vendor patch is available.

Use-after-free memory corruption in Windows UPnP Device Host enables unauthenticated adjacent network attackers to disclose sensitive information with CVSS 6.5 high severity. The vulnerability affects Windows 10 (versions 1607, 1809, 21H2, 22H2), Windows 11 (versions 22H3, 23H2, 24H2, 25H2, 26H1), and multiple Windows Server editions (2012 through 2025). Microsoft has released patches with specific version thresholds; exploitation requires network adjacency but no authentication or user interaction.

Desktop Window Manager (DWM) use-after-free memory corruption allows authenticated local attackers to escalate privileges to SYSTEM on all supported Windows 10, Windows 11, and Windows Server versions (2012-2025). The vulnerability enables low-privileged users to gain complete control over affected systems with low attack complexity and no user interaction required. Vendor-released patches are available across all affected versions. No public exploit identified at time of analysis, though the st

Local privilege escalation in the Windows Ancillary Function Driver for WinSock (AFD.sys) affects all Windows 10, Windows 11, and Windows Server versions from 2012 through 2025 via a use-after-free memory corruption flaw. Authenticated local attackers with low privileges can exploit this CWE-416 vulnerability to achieve full system compromise (SYSTEM-level access), though the high attack complexity (AC:H) suggests exploitation requires precise timing or race condition manipulation. No public exp

Local privilege escalation in Windows Universal Plug and Play Device Host service affects all supported Windows 10, Windows 11, and Windows Server versions via untrusted pointer dereference (CWE-822). Low-complexity attack requires low-level authenticated access (PR:L) with no user interaction, enabling complete system compromise (C:H/I:H/A:H). Microsoft released patches in May 2025 for 21 affected product versions. No public exploit identified at time of analysis, though the local attack vector

Windows Universal Plug and Play (UPnP) Device Host privilege escalation allows authenticated local attackers to gain SYSTEM-level access via use-after-free memory corruption. Affects all supported Windows versions from Server 2012 through Windows 11 26H1 and Windows Server 2025. Vendor-released patches available. Attack requires low complexity with no user interaction (CVSS:3.1 AV:L/AC:L/PR:L/UI:N). No public exploit identified at time of analysis, though the primitive nature of use-after-free v

Microsoft Management Console privilege escalation affects all supported Windows versions (10, 11, Server 2012-2025) via improper access control, allowing authenticated local users to gain SYSTEM-level privileges. CVSS 7.8 (High) reflects significant impact with low attack complexity requiring only low-level user credentials. Vendor-released patches available across all affected platforms through Microsoft's May 2025 update cycle. No public exploit identified at time of analysis, though the authe

Race condition in Windows User Interface Core (MSRC patch CVE-2026-27911) enables low-privileged authenticated attackers to elevate privileges to SYSTEM level on Windows 10, Windows 11, and Windows Server 2016-2025 systems. The flaw stems from improper synchronization when multiple threads concurrently access shared resources in the UI subsystem, creating a time-of-check-time-of-use (TOCTOU) window exploitable for privilege escalation. Patch available per vendor advisory. No public exploit ident

Windows Installer privilege escalation via improper permission handling enables authenticated local users to gain SYSTEM-level access across all supported Windows 10, 11, and Server platforms (2012-2025). The vulnerability (CWE-280: Improper Handling of Insufficient Privileges) requires low-privilege local access but offers complete system compromise with low attack complexity. CVSS 7.8 High severity reflects full confidentiality, integrity, and availability impact. Vendor-released patches are a

Local privilege escalation in Microsoft Windows Search Component affects Windows 10 (1607-22H2), Windows 11 (22H3-26H1), and Windows Server (2012-2025) via use-after-free memory corruption (CWE-416). Authenticated local attackers with low privileges can exploit this vulnerability to gain SYSTEM-level access with low attack complexity and no user interaction required (CVSS 7.8). Vendor-released patches available for all affected versions; no public exploit identified at time of analysis.

Windows Projected File System buffer over-read allows authenticated local attackers with low privileges to escalate to high integrity, potentially achieving SYSTEM-level access across Windows 10, Windows 11, and Windows Server platforms. This CWE-126 memory disclosure vulnerability scores 7.8 CVSS with straightforward exploitation (low complexity, no user interaction), affecting extensive Windows infrastructure from legacy 1809 through current 26H1 builds. No public exploit identified at time of

Local privilege escalation in Windows Ancillary Function Driver for WinSock (AFD.sys) allows authenticated low-privilege users to gain SYSTEM-level access through use-after-free memory corruption. Affects all supported Windows 10, Windows 11, and Windows Server versions from 2012 through 2025, including Server Core installations. Vendor-released patches available across all affected platforms. No public exploit identified at time of analysis, though high-complexity local exploitation (CVSS AC:H)

Integer size truncation in Windows Advanced Rasterization Platform (WARP) enables unauthenticated remote attackers to achieve code execution with elevated privileges across Windows 10, 11, and Server editions by persuading users to interact with malicious content. Microsoft has released security updates addressing this vulnerability across all supported Windows versions. No public exploit identified at time of analysis, though the unauthenticated remote attack vector (CVSS AV:N/PR:N) combined wi

Local privilege escalation in Windows Ancillary Function Driver for WinSock affects all supported Windows 10, 11, and Server versions through use-after-free memory corruption. Authenticated local attackers with low privileges can exploit this CWE-416 vulnerability to gain SYSTEM-level access, achieving high impact to confidentiality, integrity, and availability. Vendor-released patches are available across all affected platforms. No public exploit identified at time of analysis, though the high

Local privilege escalation in Windows Client Side Caching driver (csc.sys) allows authenticated users with low privileges to gain SYSTEM-level access via heap-based buffer overflow exploitation. Affects all supported Windows 10, Windows 11, and Windows Server versions (2012 through 2025). Vendor-released patches are available from Microsoft as of early 2026. No public exploit identified at time of analysis, though the straightforward attack complexity (AC:L) and no user interaction requirement (

Local privilege escalation in Windows Ancillary Function Driver for WinSock (AFD.sys) across Windows 10, 11, and Server 2012-2025 allows low-privileged authenticated attackers to gain SYSTEM-level access via race condition exploitation. The vulnerability affects widespread Windows deployments spanning a decade of operating system versions, from Server 2012 (6.2.9200.0) through Windows 11 26H1 and Server 2025. Microsoft has released patches for all affected versions. No public exploit identified

Local privilege escalation in Windows Push Notifications service affects Windows 10 21H2/22H2, Windows 11 22H3-26H1, and Windows Server 2022/2025 via race condition vulnerability. Authenticated low-privilege attackers can gain SYSTEM-level privileges through improper synchronization during concurrent operations (CWE-362). CVSS 7.8 (High) with high attack complexity (AC:H) and scope change (S:C). No public exploit identified at time of analysis. Microsoft released patches in January 2026 security

Microsoft PowerShell privilege escalation affecting Windows 10/11 and Server 2016-2025 allows authenticated local attackers with low privileges to gain SYSTEM-level access through improper input validation (CWE-20). The vulnerability has a CVSS score of 7.8 with low attack complexity and requires no user interaction, enabling straightforward exploitation by any standard user account. No public exploit identified at time of analysis, though the attack vector's simplicity (AV:L/AC:L/PR:L/UI:N) sug

Buffer over-read in Windows Kernel Memory allows authenticated local attackers to disclose sensitive kernel information with high confidence. CVE-2026-26169 affects Windows 10 (versions 1607, 1809, 21H2, 22H2), Windows 11 (versions 22H3 through 26H1), and Windows Server 2016 through 2025. The vulnerability requires local access and low-level user privileges but does not enable privilege escalation or code execution. Microsoft has released vendor patches addressing the issue across all affected versions.

Local privilege escalation in Windows Ancillary Function Driver for WinSock (AFD.sys) allows authenticated attackers with low privileges to gain SYSTEM-level access through a race condition vulnerability. Affects all supported Windows 10, Windows 11, and Windows Server versions from 2012 through 2025. Vendor-released patches available across all affected product lines. Attack complexity rated high (AC:H) but enables full system compromise with changed scope (S:C), indicating container/hypervisor escape potential. No public exploit identified at time of analysis, though the race condition class (CWE-362) is well-understood by exploit developers.

Windows Kernel double free vulnerability enables local privilege escalation across Windows 10, 11, and Server editions when exploited by authenticated users with low-level privileges. The CWE-415 flaw affects all currently supported Windows versions from legacy Windows Server 2012 R2 through the latest Windows 11 26H1 and Windows Server 2025 builds. With CVSS 7.8 (AV:L/AC:L/PR:L), the vulnerability requires only local access and low-privilege authentication, making it valuable for second-stage a

Local privilege escalation in Windows Remote Desktop Licensing Service (affecting Windows 10 1607 through Windows Server 2025) allows low-privileged authenticated users to gain SYSTEM-level access by exploiting missing authentication on critical service functions. The vulnerability (CWE-306) requires local access and low-privilege credentials but enables complete system compromise with low attack complexity. Vendor-released patches are available across all affected Windows versions. No public ex

Heap-based buffer overflow in Windows Hyper-V enables local code execution with high impact across Windows 10, Windows 11, and Windows Server environments. An unauthenticated attacker with local access can trigger the vulnerability through user interaction (CVSS:3.1 AV:L/AC:L/PR:N/UI:R), achieving full system compromise (C:H/I:H/A:H). Microsoft has released patches addressing 17 affected Windows versions ranging from legacy Windows 10 1607 through Windows 11 26H1 and Windows Server 2025. No publ

Out-of-bounds read in Windows Encrypting File System (EFS) enables low-privileged local attackers to escalate to SYSTEM privileges on Windows 10 (versions 1809, 21H2, 22H2), Windows 11 (versions 22H3 through 26H1), and Windows Server 2019/2022/2025. The vulnerability (CWE-125) requires local access and low-level privileges but no user interaction, yielding complete system compromise with high impact to confidentiality, integrity, and availability (CVSS 7.8). Vendor-released patches are available

Local privilege escalation in Windows Cryptographic Services affects Windows 10, Windows 11, and Windows Server versions from 2012 through 2025 due to insecure storage of cryptographic material. Authenticated attackers with low privileges can exploit this CWE-922 weakness (insecure storage of sensitive information) to gain high-level access to confidentiality, integrity, and availability. Microsoft has released patches for all affected versions. No public exploit identified at time of analysis,

Type confusion in Windows COM component allows authenticated local attackers to read sensitive information from memory. The vulnerability affects Windows 10 (versions 1809, 21H2, 22H2), Windows 11 (versions 22H3 through 26H1), and Windows Server 2019/2022/2025 across multiple installation types. An attacker with local user privileges can exploit improper type handling in COM to disclose confidential data without modifying or disrupting system availability. Microsoft has released patches addressing this information disclosure risk.

Windows Recovery Environment Agent improperly stores sensitive information without adequate removal, allowing physical attackers to extract confidential data and bypass security features. The vulnerability affects Windows 10 versions 1607-22H2, Windows 11 versions 22H3-26H1, Windows Server 2016-2025, and Server Core installations across multiple builds. Microsoft has released vendor patches to remediate the information disclosure.

Improper link resolution in Windows UPnP (upnp.dll) allows authenticated local attackers to disclose sensitive information through symlink following. The vulnerability affects Windows 10 versions 1607-22H2, Windows 11 versions 22H3-26H1, and Windows Server 2012-2025. With local access and standard user privileges, an attacker can read files outside their normal access scope via crafted UPnP operations. Patch available from Microsoft; no public exploit code or active exploitation confirmed at tim

Local privilege escalation in Windows Container Isolation FS Filter Driver affects all supported Windows 10, Windows 11, and Windows Server versions through use-after-free memory corruption. Low-complexity attack requires only low-privileged local access to achieve full system compromise (SYSTEM-level privileges). Microsoft has released patches for all affected versions. No public exploit identified at time of analysis, but the low attack complexity (AC:L) and requirement for only low privileges

Denial of service in Windows HTTP.sys kernel-mode driver allows unauthenticated remote attackers to crash affected systems via malformed HTTP requests. Affects all currently supported Windows 11 versions (22H2 through 26H1) and Windows Server 2022/2025 editions. The vulnerability stems from an out-of-bounds read (CWE-125) triggered when HTTP.sys processes specially crafted network packets without authentication (CVSS AV:N/PR:N). Vendor-released patches available for all affected versions with specific build numbers identified. No public exploit identified at time of analysis, though low attack complexity (AC:L) suggests straightforward exploitation once technical details emerge.

Windows Kernel logs sensitive information that authenticated local users can read, enabling information disclosure on Windows 10 (versions 21H2, 22H2), Windows 11 (versions 22H3, 23H2, 24H2, 25H2, 26H1), Windows Server 2022, and Windows Server 2025. An attacker with local user privileges can access kernel log files to retrieve confidential data such as credentials, cryptographic material, or system secrets. Microsoft has released patches addressing this log injection vulnerability; no public exploit code or active exploitation has been confirmed.

Windows Kernel logs sensitive information that can be read by local authenticated users, allowing information disclosure on Windows 10 and Windows 11 systems across multiple versions as well as Windows Server 2012 through 2025. The vulnerability requires local access and valid user credentials (privilege level L) but results in high confidentiality impact. Microsoft has released patches for all affected versions.

Windows Kernel logs sensitive information that authenticated local users can read, enabling information disclosure on Windows 10 (versions 1809, 21H2, 22H2), Windows 11 (versions 22H3, 23H2, 24H2, 25H2, 26H1), Windows Server 2019, 2022, and 2025. An authorized local attacker with user-level privileges can access kernel log files to retrieve confidential data without elevated rights or user interaction. Microsoft has released patches addressing this CWE-532 insertion-of-sensitive-information vulnerability with specific build fixes across all affected editions.

Windows Shell protection mechanism failure (CVE-2026-32202) allows remote attackers to perform spoofing attacks over a network without authentication, requiring only user interaction. This low-severity vulnerability affects multiple Windows versions from Windows 10 1607 through Windows 11 26H1 and Windows Server 2012 through 2025. While not actively exploited in the wild, vendor patches are available across all affected versions, and the low CVSS score (4.3) reflects limited confidentiality impact and no availability impact despite the network-accessible attack vector.

Command injection in Windows Snipping Tool allows local code execution when an unauthorized attacker convinces a user to open a specially crafted file. This vulnerability affects all supported Windows 10, Windows 11, and Windows Server versions (2012 through 2025), requiring user interaction but no authentication (PR:N). No public exploit identified at time of analysis, though the local attack vector and user interaction requirement limit immediate remote threat. CVSS 7.8 reflects high impact ac

Improper privilege management in Microsoft Windows allows authenticated local attackers to deny service by exploiting a privilege escalation flaw affecting Windows 10 versions 21H2 and 22H2, Windows 11 versions 22H3 through 26H1, and Windows Server 2022 and 2025. The vulnerability requires local access and valid credentials but does not permit code execution or data manipulation. CVSS 5.5 reflects moderate severity; CISA SSVC framework rates exploitation as none with partial technical impact, indicating this is not currently a priority threat despite patch availability.

Local privilege escalation in Windows User Interface Core across Windows 10, 11, and Server 2019-2025 allows low-privileged authenticated attackers to achieve SYSTEM-level access via use-after-free memory corruption. The vulnerability requires high attack complexity and local access but enables container escape (scope change) with full confidentiality, integrity, and availability impact. Vendor-released patches are available for all affected versions. No public exploit identified at time of analysis, though the use-after-free primitive is a well-understood exploitation technique.

Local privilege escalation in Windows Push Notifications service affects Windows 10 (1809-22H2), Windows 11 (22H3-26H1), and Windows Server 2019-2025 via race condition in shared resource synchronization. Low-privileged authenticated users can exploit timing vulnerabilities in notification handling to elevate to SYSTEM-level privileges with high confidentiality, integrity, and availability impact (scope change to other security contexts). CVSS 7.8 (high complexity, local vector). Vendor-released

Privilege escalation in Windows Push Notifications service affects all supported Windows 10, 11, and Server versions through a race condition that allows low-privileged authenticated users to gain SYSTEM-level access. The vulnerability (CWE-362) stems from improper synchronization when multiple threads access shared resources in the notification subsystem. Attack complexity is high (AC:H), requiring precise timing to win the race, but successful exploitation grants complete system compromise wit

Privilege escalation in Windows Push Notifications service across Windows 10, 11, and Server versions (1809 through 26H1) allows low-privileged local attackers to gain SYSTEM-level access via race condition exploitation. The vulnerability stems from improper synchronization when multiple threads access shared resources in the notification framework, enabling scope escape from user context to elevated privileges. Vendor-released patches are available for all affected versions. No public exploit i

Remote code execution in Microsoft Remote Desktop Client for Windows allows unauthenticated network attackers to execute arbitrary code by delivering a malicious connection file or server response, requiring user interaction. This use-after-free vulnerability (CWE-416) affects Windows 10 (versions 1607-22H2), Windows 11 (22H3-26H1), Windows Server (2012-2025), and standalone Remote Desktop client versions below 2.0.1070.0. With CVSS 8.8 (network-accessible, no authentication required, low comple

Local code execution in Windows Universal Plug and Play (UPnP) Device Host across all supported Windows 10, 11, and Server versions allows unauthenticated attackers to achieve high-impact compromise via use-after-free memory corruption. The vulnerability affects Windows 10 versions 1607 through 22H2, Windows 11 versions 22H3 through 26H1, and Windows Server 2012 through 2025 (including Server Core installations). Despite requiring local access and high attack complexity (CVSS:3.1/AV:L/AC:H), the

Local privilege escalation in Microsoft Desktop Window Manager (dwm.exe) affects all supported Windows 10, Windows 11, and Windows Server versions via a use-after-free memory corruption flaw. Authenticated local attackers with low privileges can exploit this CWE-416 weakness to gain SYSTEM-level access with low attack complexity, requiring no user interaction. No public exploit identified at time of analysis, and SSVC framework assesses exploitation status as 'none' with non-automatable attack r

Desktop Window Manager (DWM) use-after-free vulnerability enables local privilege escalation to SYSTEM on Windows 11 and Server 2022/2025. Low-complexity attack requires only low-privileged authenticated access with no user interaction, affecting all current Windows 11 versions (22H2 through 26H1) and Server editions. Vendor-released patches available as of May 2026. CVSS 7.8 (High) reflects significant local privilege escalation risk; no public exploit identified at time of analysis, though the

Local privilege escalation in Microsoft Windows Function Discovery Service (fdwsd.dll) allows authenticated low-privilege attackers to gain SYSTEM-level access via race condition exploitation across all supported Windows 10, Windows 11, and Windows Server versions (2012-2025). The vulnerability requires local access and low privileges (CVSS PR:L) with high attack complexity (AC:H), yielding complete system compromise (C:H/I:H/A:H). Microsoft released patches addressing build versions up to 10.0.26100.32690 (Server 2025) and 10.0.28000.1836 (Windows 11 26H1). EPSS data not available; no public exploit identified at time of analysis.

Local privilege escalation in Windows Speech Brokered API affects Windows 10 (1607-22H2), Windows 11 (22H3-26H1), and Windows Server 2016-2025 via race condition (CWE-362). Authenticated local attackers with low privileges can exploit improper synchronization in shared resource handling to gain SYSTEM-level access with high impact to confidentiality, integrity, and availability (CVSS 7.8, AV:L/AC:L/PR:L). Vendor-released patches available for all affected versions. No public exploit identified a

Local privilege escalation in Windows Speech Brokered API affects all Windows 10, 11, and Server versions from 2016 onward via a use-after-free memory corruption flaw. Authenticated local attackers with low privileges can exploit this to gain SYSTEM-level access with low attack complexity and no user interaction required (CVSS 7.8). Vendor-released patches are available from Microsoft's May 2026 security updates. No public exploit identified at time of analysis, though the low complexity and wid

Heap-based buffer overflow in Microsoft Windows Function Discovery Service (fdwsd.dll) enables low-privileged authenticated local attackers to escalate privileges to SYSTEM across Windows 10, Windows 11, and Windows Server 2012-2025. Vendor-released patch available per Microsoft Security Response Center advisory. No public exploit identified at time of analysis, though the CVSS vector indicates local access with high attack complexity (AC:H), requiring authenticated low-privilege users (PR:L). A

Windows Remote Procedure Call (RPC) discloses sensitive information to local authenticated users in Windows 10, Windows 11, and Windows Server 2016-2025. An authorized attacker with local access and limited privileges can read confidential data without user interaction, affecting multiple Windows editions across a 9-year product span. Patch availability confirmed from Microsoft; no active exploitation reported.

Local privilege escalation in Windows SSDP Service (all Windows 10, 11, and Server versions from 2012 onwards) enables low-privileged authenticated users to gain SYSTEM-level access by exploiting a race condition in shared resource handling. The vulnerability requires low privileges and high attack complexity (CVSS AC:H), resulting in complete compromise of confidentiality, integrity, and availability. Vendor-released patches are available for all affected versions with specific build numbers pr

Local privilege escalation in Windows SSDP Service across Windows 10, Windows 11, and Windows Server 2012-2025 allows authenticated users with low privileges to gain SYSTEM-level access by exploiting a race condition in shared resource handling. Attack complexity is high (AC:H), requiring precise timing to win the race window. Patch available per vendor advisory; no public exploit identified at time of analysis.

Windows File Explorer information disclosure vulnerability in Windows 10 and Windows 11 allows authenticated local users to access sensitive information without authorization. The vulnerability affects multiple Windows 10 versions (1607, 1809, 21H2, 22H2), Windows 11 versions (22H3 through 26H1), and Windows Server 2016 through 2025. Microsoft has released patches addressing this CWE-200 information exposure flaw, with no evidence of active exploitation at the time of analysis.

Local privilege escalation in Windows Universal Plug and Play (UPnP) Device Host allows authenticated attackers with low privileges to achieve system-level access through use-after-free memory corruption. Affects all supported Windows 10, Windows 11, and Windows Server versions from 2012 through 2025. Microsoft has released patches across all affected product lines. No public exploit identified at time of analysis, though the local attack vector and authentication requirement (PR:L) limit immedi

Local privilege escalation via use-after-free in Windows Ancillary Function Driver for WinSock (AFD.sys) affects all supported Windows versions from Windows 10 1607 through Windows 11 26H1 and Windows Server 2012-2025. Authenticated local attackers with low privileges can exploit memory corruption to gain SYSTEM-level access, though high attack complexity suggests reliable exploitation requires sophisticated techniques. Vendor-released patches are available across all affected versions. No publi

Remote denial-of-service in Windows Local Security Authority Subsystem Service (LSASS) allows unauthenticated network attackers to crash Windows systems through null pointer dereference exploitation. Affects Windows 10 (versions 1607-22H2), Windows 11 (22H3-26H1), and Windows Server (2016-2025) across multiple release channels. Microsoft has released patches for all affected versions. No public exploit identified at time of analysis, but the low attack complexity (AC:L) and unauthenticated netwo

Out-of-bounds read in Windows GDI (Graphics Device Interface) allows local attackers to disclose sensitive information without authentication. The vulnerability affects Windows 10 versions 21H2 and 22H2, Windows 11 versions 22H3 through 26H1, and Windows Server 2022/2025, requiring user interaction to trigger. Microsoft has released patches for all affected versions, with specific build numbers provided for remediation.

Windows LUAFV driver privilege escalation via TOCTOU race condition allows authenticated local attackers with low privileges to gain SYSTEM-level access across all supported Windows 10, Windows 11, and Windows Server versions (2012 through 2025). The vulnerability requires high attack complexity to exploit the narrow timing window between security checks and file operations. Vendor-released patch available across all affected platforms. No public exploit identified at time of analysis, though th

Privilege escalation in Windows Projected File System across Windows 10, 11, and Server versions allows authenticated local users to gain SYSTEM-level privileges by exploiting a race condition during concurrent file system operations. Affects all currently supported Windows versions from Server 2019 through Windows 11 26H1. Microsoft released patches in their latest security update cycle. No public exploit identified at time of analysis, though the low attack complexity (AC:L) and minimal privil

Local privilege escalation in Windows Cloud Files Mini Filter Driver (all Windows 10/11 and Server 2019/2022/2025 versions) allows low-privileged authenticated users to gain SYSTEM-level access through a race condition vulnerability. Attack requires high complexity timing manipulation of shared resources in the kernel-mode filter driver. Vendor-released patches available for all affected versions. No public exploit identified at time of analysis, though the authenticated local attack vector and detailed version-specific fix data suggest moderate real-world deployment risk in multi-user Windows environments.

Desktop Window Manager (DWM) in Windows 10 21H2/22H2, Windows 11 22H3/23H2, and Windows Server 2022 allows authenticated local attackers with low privileges to elevate to SYSTEM via a use-after-free memory corruption flaw. CVSS 7.8 (High). Vendor-released patch available. No public exploit identified at time of analysis, though EPSS data not provided. This is a post-authentication escalation requiring initial local foothold, not a remote intrusion vector.

Local privilege escalation in Windows TCP/IP stack across Windows 10, 11, and Server editions allows low-privileged authenticated users to gain SYSTEM-level access by exploiting a race condition in shared resource synchronization. This CWE-362 flaw affects every supported Windows version from legacy Server 2012 through cutting-edge Windows 11 26H1, with vendor-released patches available. The local attack vector (AV:L) and high complexity (AC:H) reduce immediate mass-exploitation risk, though the