Windows 11 Version 24H2
Monthly
Spoofing via origin validation error in the Windows Network Address Translation (NAT) component affects Windows 11 (24H2, 25H2, 26H1) and Windows Server 2025, including Server Core installations. An unauthenticated attacker positioned on an adjacent network segment can bypass origin/authentication checks (CWE-346) to impersonate a trusted source, with Microsoft rating scope-changed high impact to confidentiality, integrity, and availability (CVSS 8.3). No public exploit identified at time of analysis, though high attack complexity limits reliable exploitation.
Missing cryptographic step in Windows Boot Loader allows an authorized attacker to bypass a security feature locally.
Local privilege escalation in the Microsoft Windows Client-Side Caching (CSC) Service, driven by a use-after-free (CWE-416) memory-corruption flaw affecting Windows 10 (1607 through 22H2), Windows 11 (24H2/25H2/26H1), and Windows Server 2012 through 2025. An authorized attacker who already holds low-level privileges (PR:L) on the host can trigger the freed-object reuse to gain elevated, likely SYSTEM-level, privileges. The issue was reported by Microsoft with a patch available; there is no public exploit identified at time of analysis and no CISA KEV listing.
Local privilege escalation in the Windows Win32K kernel-mode subsystem allows an authenticated attacker to elevate to SYSTEM by exploiting a use-after-free (CWE-416) memory-corruption condition. The flaw affects a broad range of supported Windows client and server releases (Windows 10 1607 through Windows 11 26H1, and Windows Server 2016 through 2025). Reported by Microsoft with a patch available; there is no public exploit identified at time of analysis and it is not listed in CISA KEV.
Local privilege escalation in the Windows DirectX graphics subsystem allows an authenticated attacker with low privileges to elevate to SYSTEM by triggering a use-after-free (CWE-416) memory-corruption condition. The flaw affects a broad range of Windows client and server releases from Windows 10 1607 through Windows 11 26H1 and Windows Server 2012 through Server 2025. There is no public exploit identified at time of analysis, and it is not listed in CISA KEV; the CVSS 3.1 base score is 7.0 (High), tempered by high attack complexity.
Local privilege escalation in the Windows Wireless Networking component affects a broad span of currently supported Windows releases (Windows 10 1809 through Windows 11 26H1, and Windows Server 2019/2022/2025), letting an already-authenticated local user win a timing race to gain SYSTEM-level control. The flaw is a CWE-362 race condition where improperly synchronized access to a shared resource can be manipulated during a narrow execution window; CVSS 7.8 reflects a high-complexity but high-impact local escalation with a scope change. Microsoft (the reporter) has shipped a patch, and there is no public exploit identified at time of analysis.
Remote code execution in Windows Remote Desktop Services (RDS) allows an authenticated network attacker to run arbitrary code by triggering a use-after-free (CWE-416) memory corruption condition. The flaw affects a broad range of currently-supported Windows client and server builds - Windows 10 21H2/22H2, Windows 11 24H2/25H2/26H1, and Windows Server 2022/2025 (including Server Core). It was reported by Microsoft with a CVSS 8.8 rating; there is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the network vector combined with only low-privilege requirements makes it a strong patch priority.
Local privilege escalation in Microsoft Windows Sensor Data Service arises from a use-after-free (CWE-416) memory corruption flaw that an already-authenticated attacker can trigger to run code at higher privilege. It affects a broad range of client and server builds (Windows 10 1607 through Windows 11 26H1, and Windows Server 2016 through 2025). Reported by Microsoft with a patch available; no public exploit identified at time of analysis, and the CVSS:3.1 score is 7.0 (High).
Local privilege escalation in the Windows Cloud Files Mini Filter Driver (cldflt.sys) lets an authenticated low-privileged user corrupt kernel memory to gain SYSTEM-level control. The flaw is a use-after-free (CWE-416) affecting a broad range of Windows client and server builds from Windows 10 1809 through Windows 11 26H1 and Windows Server 2019-2025. Microsoft has released a patch; there is no public exploit identified at time of analysis and it is not listed in CISA KEV.
Remote code execution in the Microsoft Windows Remote Desktop (RDP) component allows an unauthenticated attacker to run arbitrary code by triggering an integer overflow, but only when a victim is convinced to interact (per CVSS UI:R) - most consistent with a malicious RDP server coercing a connecting client. The flaw affects a broad range of supported Windows client and server releases from Windows Server 2012/Windows 10 1607 through Windows 11 26H1 and Windows Server 2025. There is no public exploit identified at time of analysis and it is not listed in CISA KEV; EPSS data was not provided.
Local privilege escalation in the Windows Desktop Window Manager (DWM) Core Library allows an authenticated attacker to gain SYSTEM-level privileges by triggering a type-confusion (CWE-843) condition. The flaw affects a broad range of supported Windows client and server releases from Windows 10 1607 through Windows 11 26H1 and Windows Server 2016 through 2025. Reported internally by Microsoft with a vendor patch available; no public exploit identified at time of analysis.
Concurrent execution using shared resource with improper synchronization ('race condition') in Windows USB Print Driver allows an authorized attacker to elevate privileges with a physical attack.
Local code execution in Windows Media on Windows 11 (24H2, 25H2, 26H1) and Windows Server 2025 lets an attacker run arbitrary code by luring a user into opening a maliciously crafted media file. The CVSS 3.1 base score is 7.8 with full confidentiality, integrity, and availability impact but requiring user interaction, and there is no public exploit identified at time of analysis. Microsoft has released a patch via MSRC.
Elevation of privilege in Microsoft Windows Management Services lets a low-privileged local user corrupt memory through a use-after-free (CWE-416) and gain higher privileges on Windows 11 (24H2, 25H2, 26H1) and Windows Server 2025. A successful exploit yields high confidentiality, integrity, and availability impact, but the CVSS vector marks high attack complexity, reflecting the race-condition timing typically needed to win a use-after-free. Microsoft has released a patch; there is no public exploit identified at time of analysis and it is not listed in CISA KEV.
Improper access control in Windows Kernel allows an authorized attacker to bypass a security feature locally.
Heap-based buffer overflow in Universal Plug and Play (upnp.dll) allows an authorized attacker to elevate privileges locally.
Local privilege escalation in the Windows Cloud Files Mini Filter Driver (cldflt.sys) allows an authenticated low-privileged user to elevate to SYSTEM by triggering a use-after-free memory corruption condition. The flaw affects a broad range of Windows client and server releases (Windows 10 1809 through Windows 11 26H1, and Windows Server 2019 through 2025) and was reported by Microsoft. There is no public exploit identified at time of analysis and the CVE is not listed in CISA KEV.
Local privilege escalation in the Microsoft Input Method Editor (IME) component shipped across Windows 10, Windows 11, and Windows Server 2016 through 2025 allows an authenticated, low-privileged user to corrupt heap memory and gain SYSTEM-level control. The flaw (CWE-122 heap-based buffer overflow) carries a scope-changing CVSS 3.1 score of 8.8, meaning successful exploitation escapes the caller's security boundary. Microsoft has released a patch; there is no public exploit identified at time of analysis and it is not listed in CISA KEV.
Local privilege escalation in Microsoft's NAT Helper Components (ipnathlp.dll), the driver behind Internet Connection Sharing and NAT translation on Windows 11 (24H2, 25H2, 26H1) and Windows Server 2025. An authenticated attacker who already has low-privilege access can exploit a use-after-free memory corruption bug to run code at higher privilege (SYSTEM). No public exploit identified at time of analysis, and it is not listed in CISA KEV, but Microsoft has released a patch.
Local privilege escalation in the Microsoft Windows Kernel allows an authenticated attacker to elevate to SYSTEM by triggering an integer overflow (CWE-190) in a kernel code path. The flaw affects a broad range of supported Windows client and server releases (Windows 10 1607 through Windows 11 26H1, and Windows Server 2012 through Server 2025). Reported by Microsoft with a vendor patch available; no public exploit identified at time of analysis and no EPSS or KEV data supplied.
Elevation of privilege in the Windows SMB implementation allows an authenticated network attacker to win a race condition and gain higher privileges on affected systems, spanning Windows 10, Windows 11, and Windows Server 2012 through 2025. The flaw is a concurrency defect (CWE-362) reported by Microsoft with a vendor patch already released; there is no public exploit identified at time of analysis. Note a data conflict: the description and CVSS impacts describe privilege elevation with full confidentiality/integrity/availability impact, while the intelligence tags also label it 'Information Disclosure' — the CVSS vector should be treated as authoritative.
Local privilege escalation in Microsoft Windows Installer (msiexec/MSI service) lets an already-authenticated low-privilege user elevate to SYSTEM by abusing an improper authorization check (CWE-285). Affected platforms span Windows 10 (1607 through 22H2), Windows 11 (24H2/25H2/26H1), and Windows Server 2012 through 2025, including Server Core installations. Microsoft has released a patch; there is no public exploit identified at time of analysis and the CVE is not listed in CISA KEV, so risk is currently potential rather than confirmed in-the-wild exploitation.
Out-of-bounds read in Windows RDP allows an unauthorized attacker to disclose information over a network.
Use of uninitialized resource in Windows RDP allows an unauthorized attacker to disclose information over a network.
Use of uninitialized resource in Windows RDP allows an unauthorized attacker to disclose information over a network.
Use of uninitialized resource in Windows RDP allows an unauthorized attacker to disclose information over a network.
Local privilege escalation in the Windows Bluetooth Service affects a broad range of Microsoft Windows client and server editions (Windows 10 1809 through Windows 11 26H1, and Windows Server 2019 through 2025). A heap-based buffer overflow (CWE-122) lets an already-authenticated local attacker corrupt kernel/service memory to elevate from a low-privileged account to SYSTEM. There is no public exploit identified at time of analysis, and it is not listed in CISA KEV; a vendor patch is available from Microsoft.
Local code execution in Microsoft Windows' Resilient File System (ReFS) driver lets an attacker run arbitrary code by inducing a victim to mount or open a maliciously crafted ReFS volume. The flaw is a heap-based buffer overflow (CWE-122) in ReFS metadata parsing affecting Windows 10, Windows 11 (through 26H1), and Windows Server 2016-2025. CVSS is 7.8 (AV:L/UI:R); there is no public exploit identified at time of analysis and it is not in CISA KEV, so exploitation would require crafting a malicious volume and social-engineering the user to attach it.
Out-of-bounds read in Windows USB Audio Class driver (usbaudio.sys) allows an unauthorized attacker to disclose information with a physical attack.
Local privilege escalation in the Windows Runtime (WinRT) affects Windows 11 (24H2, 25H2, 26H1) and Windows Server 2022/2025, where a race condition in shared-resource handling lets an already-authenticated local user win a timing window to gain higher privileges. Reported by Microsoft with a patch available; there is no public exploit identified at time of analysis and the CVSS base score is 7.8 (High). Note that Microsoft's tags label this as Information Disclosure while the description and CVSS impact metrics describe full privilege elevation - this discrepancy should be verified against the vendor advisory.
Information disclosure via uninitialized resource use in Windows Remote Desktop Protocol (RDP) exposes sensitive memory contents to authenticated remote attackers across a wide range of Microsoft Windows desktop and server editions. The CVSS vector (AV:N/AC:L/PR:L/UI:N) confirms this is exploitable over the network by any low-privileged authenticated user with no complexity or interaction requirements, yielding high confidentiality impact. No public exploit code or CISA KEV listing has been identified at time of analysis, but the low barrier to exploitation and the ubiquitous deployment of Windows RDP make this a meaningful patching priority.
Local privilege escalation in Microsoft Windows Routing and Remote Access Service (RRAS) allows an authenticated low-privileged attacker to elevate to SYSTEM by triggering a heap-based buffer overflow (CWE-122). The flaw affects a broad range of Windows client and server versions from Windows 10 1607 through Windows 11 26H1 and Windows Server 2012 R2 through Server 2025. There is no public exploit identified at time of analysis, and it is not listed in CISA KEV; a vendor patch is available.
Local privilege escalation in the Windows Ancillary Function Driver for WinSock (AFD.sys) allows an authenticated low-privileged user to elevate to SYSTEM by triggering a use-after-free (CWE-416) in the kernel-mode driver. All actively serviced Windows client (10 1607 through 11 26H1) and Server (2012 through 2025) editions are affected, and Microsoft has released patches. There is no public exploit identified at time of analysis, and the flaw is not listed in CISA KEV.
Remote code execution in Microsoft Windows Media Foundation allows an unauthenticated attacker to run arbitrary code by tricking a user into opening a maliciously crafted media file or stream. The flaw is a heap-based buffer overflow (CWE-122) affecting a broad range of Windows client and server releases from Windows 10 1607 through Windows 11 26H1 and Windows Server 2016 through 2025. There is no public exploit identified at time of analysis, and the issue is not listed in CISA KEV; a vendor patch is available via the Microsoft Security Response Center.
Elevation of privilege in the Windows Hyper-V virtual network switch (VMSwitch) lets an authenticated attacker operating from a guest partition corrupt kernel memory via a use-after-free and gain higher privileges, with a scope change (S:C) indicating a guest-to-host escape. Rated CVSS 9.9 and affecting a broad range of Windows client and server releases from Windows 10 1607 through Windows 11 26H1 and Windows Server 2012 through 2025, this issue was reported by Microsoft and has a vendor patch available. No public exploit is identified at time of analysis and it is not listed in CISA KEV.
Out-of-bounds read in Windows Print Spooler Components allows an authorized attacker to disclose information locally.
Remote code execution in the Windows SMB Server network transport driver (srvnet.sys) lets an unauthenticated network attacker win a use-after-free race to run arbitrary code, affecting Windows 10, Windows 11, and Windows Server 2012 through 2025. Per its CVSS vector the flaw requires user interaction and high attack complexity, so exploitation is non-trivial rather than a trivial wormable hit. This was reported by Microsoft, a vendor patch is available, and there is no public exploit identified at time of analysis.
Local privilege escalation in the Windows File History Service lets an authenticated, low-privileged attacker corrupt a stack buffer (CWE-121) to run code with elevated (SYSTEM-level) privileges on affected Windows client and server releases. The flaw spans a broad range of supported editions from Windows 10 1607 through Windows 11 26H1 and Windows Server 2016 through 2025, including Server Core installations. No public exploit was identified at time of analysis, and the CVE is not listed in CISA KEV.
Remote code execution in Microsoft Windows Media Foundation lets an unauthenticated attacker run arbitrary code in the victim's context by delivering a malicious media file or stream that the target opens or plays. The flaw affects the Media Foundation multimedia framework across supported Windows 10, Windows 11 (through 26H1), and Windows Server 2016-2025 builds, and carries CVSS 8.8. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the CVSS profile of confidentiality, integrity, and availability all rated High marks this as a high-priority client-side RCE.
Remote code execution in Microsoft Windows Media Foundation lets an unauthenticated network attacker run arbitrary code on the victim's machine when the target opens or renders a maliciously crafted media file or stream. The flaw is a heap-based buffer overflow (CWE-122) affecting a broad range of Windows client and server releases from Windows 10 1607 through Windows 11 26H1 and Server 2016 through Server 2025. No public exploit identified at time of analysis, but the low complexity and network vector make it a high-priority patch item; exploitation requires user interaction (UI:R).
Exposure of sensitive information to an unauthorized actor in Windows Win32K allows an unauthorized attacker to elevate privileges locally.
Local privilege escalation in the Windows Network File System (NFS) component allows an authenticated attacker to elevate to SYSTEM by triggering a heap-based buffer overflow (CWE-122). Reported by Microsoft and affecting a broad range of Windows 10, Windows 11, and Windows Server 2012-2025 releases, with a vendor patch available via MSRC. No public exploit identified at time of analysis, and no CISA KEV listing.
Use of uninitialized resource in Windows File Explorer allows an unauthorized attacker to disclose information locally.
Use of uninitialized resource in Microsoft Windows Codecs Library allows an unauthorized attacker to disclose information locally.
Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Network File System allows an unauthorized attacker to execute code over a network.
Elevation of privilege in the Windows Network File System (NFS) component affects a broad range of Microsoft platforms - Windows 10 (1607 through 22H2), Windows 11 (24H2, 25H2, 26H1), and Windows Server 2012 through 2025 - where an authorized attacker can win a time-of-check/time-of-use (TOCTOU) race condition over the network to gain higher privileges. The CVSS 3.1 vector (AV:N/AC:H/PR:L) indicates a network-reachable but high-complexity flaw requiring low-level existing privileges, with full high impact to confidentiality, integrity and availability. There is no public exploit identified at time of analysis and it is not listed in CISA KEV; a Microsoft (MSRC) patch is available.
Privilege escalation in the Windows Remote Access Service (RRAS) Infrastructure allows an authenticated attacker to elevate privileges over the network by triggering an integer overflow (CWE-190) in affected code paths. The flaw affects a broad range of Windows 10, Windows 11, and Windows Server releases (2012 R2 through 2025), and Microsoft has released a patch. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV, but the network-reachable EoP profile with only low privileges required makes it a meaningful patch priority.
Privilege escalation via a heap-based buffer overflow in the Windows Network File System (NFS) role lets an authenticated, low-privileged network attacker send crafted requests to corrupt server heap memory and gain elevated privileges. Affected systems span Windows 10 (1607 through 22H2), Windows 11 (24H2/25H2/26H1), and Windows Server 2012 through 2025 wherever the Server for NFS role is present. No public exploit was identified at time of analysis and the flaw is not in CISA KEV, but the 8.8 CVSS with a network-reachable, low-complexity, no-user-interaction profile makes it a meaningful patch priority on NFS hosts.
Local code execution in Microsoft Windows Terminal (shipped on Windows 10 21H2/22H2, Windows 11 24H2/25H2/26H1, and Windows Server 2022/2025) arises from an integer overflow (CWE-190) that an unauthorized attacker can trigger, but only after luring a logged-on user into interacting with malicious content. There is no public exploit identified at time of analysis and the flaw is not in CISA KEV, so this is a defense-in-depth patch rather than an emergency, though the CVSS 7.8 reflects full confidentiality, integrity, and availability impact once triggered. Microsoft has released a patch via the MSRC update guide.
Local privilege escalation in the Microsoft Windows Kernel allows an authenticated attacker to elevate to SYSTEM by exploiting a use-after-free (CWE-416) memory corruption condition, spanning Windows 10 (1607 through 22H2), Windows 11 (24H2/25H2/26H1), and Windows Server 2016 through 2025. Reported by Microsoft with a CVSS 3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N), the flaw grants full confidentiality, integrity, and availability impact on the local system. No public exploit identified at time of analysis, and it is not listed in CISA KEV; a vendor patch is available.
Local privilege escalation in the Microsoft Windows Kernel (CWE-416 use-after-free) lets an already-authenticated low-privilege user corrupt kernel memory and gain SYSTEM-level control across a broad range of Windows 10, Windows 11, and Windows Server 2016 through 2025 builds. Microsoft self-reported the flaw and has shipped a patch through the Update Guide; there is no public exploit identified at time of analysis and it is not listed in CISA KEV. With CVSS 7.8 (AV:L/PR:L) it is a classic Patch-Tuesday local EoP suitable as a second-stage primitive after initial access.
Local code execution in Microsoft Windows Media Foundation (CWE-122 heap-based buffer overflow) lets an unauthorized attacker run arbitrary code when a victim opens a maliciously crafted media file or content that the platform parses. It affects a broad range of Windows client and server builds from Windows 10 1607 and Windows Server 2012 through Windows 11 26H1 and Windows Server 2025. Microsoft has released a patch; there is no public exploit identified at time of analysis and it is not listed in CISA KEV.
Remote code execution in the Windows Server Network driver stems from a race condition (CWE-362) that lets an unauthorized attacker execute arbitrary code across a wide range of Microsoft Windows client and server builds, from Windows 10 1607 and Server 2012 through Windows 11 26H1 and Server 2025. The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N) indicates unauthenticated network exploitation with full confidentiality, integrity, and availability impact, and an 'Authentication Bypass' tag suggests the flaw can also subvert access controls. There is no public exploit identified at time of analysis and no CISA KEV listing, but the network-facing, pre-authentication nature makes it a high-priority patch.
Information disclosure in Microsoft Windows Schannel (the Secure Channel TLS/SSL provider) lets an authenticated, network-adjacent attacker read memory beyond an allocated buffer and leak sensitive data across a network connection. The flaw spans nearly the entire supported Windows family - Windows 10 (1607 through 22H2), Windows 11 (24H2/25H2/26H1), and Windows Server 2012 through 2025. Reported by Microsoft with a fix available; there is no public exploit identified at time of analysis, and it is not listed in CISA KEV.
Local privilege escalation in the Windows MIDI Service Module affects Windows 11 versions 24H2, 25H2, and 26H1, where a use-after-free (CWE-416) memory corruption lets an already-authorized local user run code with elevated privileges. Microsoft rates it CVSS 7.0 and has released a patch; there is no public exploit identified at time of analysis and it is not listed in CISA KEV. Exploitation is non-trivial due to high attack complexity and requires the attacker to already hold low-level local privileges.
Exposure of sensitive information to an unauthorized actor in Windows Win32K allows an authorized attacker to disclose information locally.
Remote code execution in Microsoft Windows Remote Desktop (RDP) allows an unauthorized network attacker to run arbitrary code by triggering the use of an uninitialized resource (CWE-908). All currently supported Windows client and server releases are affected, from Windows 10 1607 and Windows Server 2012 through Windows 11 26H1 and Windows Server 2025. The CVSS 3.1 base score is 9.8 with a network, no-privileges, no-interaction vector; there is no public exploit identified at time of analysis, and it is not listed in CISA KEV.
Local privilege escalation in the Windows MIDI Service Module affects Windows 11 versions 24H2, 25H2, and 26H1, where a use-after-free (CWE-416) memory-corruption flaw lets an already-authenticated local user elevate to higher privileges. Exploitation requires winning a race condition (high attack complexity), and Microsoft has released a fix; no public exploit identified at time of analysis. Rated CVSS 7.0 with full confidentiality, integrity, and availability impact once triggered.
Local privilege escalation in the Windows NTFS file system driver allows an authenticated low-privileged user to gain SYSTEM-level rights by triggering an integer overflow (CWE-190) during filesystem processing. It affects a broad range of supported Windows client and server releases, from Windows 10 1607 and Server 2012 through Windows 11 26H1 and Server 2025. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV; a vendor patch is available from Microsoft.
Local privilege escalation in the Windows NTFS driver lets an already-authenticated attacker corrupt heap memory to run code at a higher privilege level (typically SYSTEM) on affected Windows 10, Windows 11, and Windows Server builds. Microsoft reported the issue and has shipped a fix; there is no public exploit identified at time of analysis and it is not listed in CISA KEV. With CVSS 7.8 (AV:L/PR:L) it is a valuable post-compromise pivot rather than an initial-access bug.
Local privilege escalation in the Win32k GRFX subsystem across Windows 10, Windows 11, and Windows Server 2012 through 2025 lets an authenticated low-privileged local attacker elevate to SYSTEM by triggering an out-of-bounds read (CWE-125). The flaw was reported internally by Microsoft, a vendor patch is available via MSRC, and there is no public exploit identified at time of analysis. CVSS is 7.8 (High), reflecting a local vector with low complexity and low privileges required.
Local privilege elevation in the Windows WebView component affects a broad range of currently-supported Windows client and server builds (Windows 10 1809 through Windows 11 26H1, and Windows Server 2019/2022/2025). By triggering a use-after-free (CWE-416) memory-corruption condition, an already-authenticated low-privilege attacker can execute code in a higher-privilege context, yielding full confidentiality, integrity, and availability impact on the local system. Microsoft has released a patch; there is no public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Null pointer dereference in Windows SMB Server allows an authorized attacker to deny service over a network.
Local privilege escalation in Microsoft XML Core Services (MSXML) lets a low-privileged, authorized attacker on a Windows host reclaim a freed object (use-after-free, CWE-416) to run code at elevated privilege. It affects a broad Windows footprint spanning Windows 10 1607 and Server 2012 through Windows 11 26H1 and Server 2025, including Server Core installations. Microsoft reported the flaw, a patch is available, and there is no public exploit identified at time of analysis; CISA SSVC currently rates exploitation as none.
Out-of-bounds read in Windows RDP allows an unauthorized attacker to disclose information over a network.
Local code execution in the Windows DHCP Client service stems from a use-after-free (CWE-416) memory-corruption flaw affecting a broad range of Windows 10, Windows 11, and Windows Server releases (Server 2012 through Server 2025). Per the CVSS vector an unauthenticated attacker with local access can achieve high-impact code execution with no user interaction. There is no public exploit identified at time of analysis and it is not listed in CISA KEV; Microsoft has released a patch through the MSRC update guide.
Local privilege escalation in the Windows Desktop Window Manager (DWM) lets an already-authenticated, low-privileged attacker corrupt heap memory (CWE-122) to gain SYSTEM-level control across Windows 10 (1607 through 22H2), Windows 11 (24H2/25H2/26H1), and Windows Server 2016 through 2025. The CVSS 3.1 score of 8.8 reflects a scope change into a higher-integrity context with full confidentiality, integrity, and availability impact. No public exploit identified at time of analysis, and the flaw is not listed in CISA KEV; Microsoft has released a patch.
Uninitialized memory disclosure in the Windows SMB stack allows a locally authenticated attacker to read sensitive contents from uninitialized buffers, affecting Windows 10, Windows 11, and Windows Server 2012 through 2025. The flaw (CWE-908) resides in the SMB subsystem where a resource is consumed before being properly zeroed, leaking residual memory contents to a low-privileged local user. No public exploit code exists and the vulnerability is not listed in the CISA KEV catalog; SSVC assessment places exploitation at none with partial technical impact, making this a standard patch-cycle priority rather than an emergency response item.
Local privilege escalation in Windows Runtime (WinRT) across Windows 10, Windows 11, and Windows Server 2019 through 2025 allows an already-authenticated attacker to win a race condition and gain SYSTEM-level privileges. The flaw stems from concurrent access to a shared resource without proper synchronization, and full C:H/I:H/A:H impact indicates complete host compromise once triggered. Reported by Microsoft with a patch available; no public exploit identified at time of analysis, and it is not listed in CISA KEV.
Local privilege escalation in the Windows Clipboard Server (Cliprdr/RDP clipboard virtual channel service) affects a broad range of Windows 10, Windows 11, and Windows Server builds (from 1809 through 11 26H1 and Server 2025). An authenticated local attacker who can trigger a use-after-free (CWE-416) in the service can corrupt memory to run code at elevated (SYSTEM-level) privilege. There is no public exploit identified at time of analysis, and the issue is not listed in CISA KEV; Microsoft has released a patch.
Remote code execution in Microsoft Windows OLE (Object Linking and Embedding) allows an unauthorized network attacker to run arbitrary code by triggering a type-confusion condition (CWE-843) in the OLE component. The flaw affects a broad range of client and server SKUs from Windows 10 1607 through Windows 11 26H1 and Windows Server 2012 R2 through Server 2025, and carries a CVSS 8.1 (High) rating. No privileges or authentication are required per the CVSS vector, though the high attack complexity (AC:H) means exploitation depends on winning a specific timing or memory-state condition; there is no public exploit identified at time of analysis and it is not on CISA KEV.
Local privilege escalation in the Windows Kernel lets an already-authenticated, low-privileged attacker on Windows 11 (24H2, 25H2, 26H1) and Windows Server 2025 corrupt kernel memory via a use-after-free and gain SYSTEM-level control. The CVSS 3.1 score of 8.8 is elevated by a scope change (S:C), reflecting that kernel compromise crosses the boundary from user context to the OS itself. Microsoft has released a patch; no public exploit identified at time of analysis and the flaw is not listed in CISA KEV.
Denial of service in Windows Active Directory allows an authenticated network attacker to crash or degrade the directory service via an out-of-bounds read (CWE-125). The flaw affects Active Directory across Windows 10 (21H2/22H2), Windows 11 (24H2/25H2/26H1), and Windows Server 2022/2025 including Server Core; there is no public exploit identified at time of analysis. Impact is primarily availability (A:H) with a minor confidentiality leak (C:L), and Microsoft has released a patch.
Exposure of sensitive information to an unauthorized actor in Windows Cryptographic Services allows an authorized attacker to disclose information locally.
Local privilege escalation in Microsoft's Windows Hyper-V hypervisor allows an already-authenticated, high-privileged attacker to corrupt heap memory (CWE-122) and elevate to higher privileges on the host. The scope-changed CVSS 3.1 vector (8.2) reflects that a successful exploit can breach the guest/host virtualization boundary, impacting confidentiality, integrity, and availability of the underlying host. There is no public exploit identified at time of analysis, and it is not listed in CISA KEV; a Microsoft patch is available.
Local privilege escalation in the Microsoft Windows Kernel allows an authenticated attacker to gain SYSTEM-level control by exploiting a use-after-free (CWE-416) memory corruption condition. The flaw affects a broad range of Windows client and server builds - from Windows 10 1607 through Windows 11 26H1 and Windows Server 2012 through Server 2025 - and was reported by Microsoft with a patch available. There is no public exploit identified at time of analysis, and it is not listed in CISA KEV; the CVSS 3.1 base score is 7.8 (AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H).
Local privilege escalation in the Microsoft Windows Search Component affects Windows 11 (24H2, 25H2, 26H1) and Windows Server 2025, where a heap-based buffer overflow lets an already-authenticated local attacker corrupt memory and elevate to higher privileges (up to SYSTEM). The CVSS 3.1 score of 7.8 reflects local-only attack with low privileges required and no user interaction, yielding full confidentiality, integrity, and availability impact. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.
Local privilege escalation in Windows Active Directory across a broad range of Windows client and server releases (Windows 10 1607 through Windows 11 26H1, and Windows Server 2012 through 2025) allows an authenticated local attacker to elevate privileges by triggering an integer overflow (CWE-190). Successful exploitation yields high confidentiality, integrity, and availability impact, effectively enabling escalation to SYSTEM-level control on the affected host. There is no public exploit identified at time of analysis, and it is not listed in CISA KEV; Microsoft has issued a patch via MSRC.
Local privilege escalation in Microsoft Windows Media (a component shipping in Windows 11 versions 24H2, 25H2, and 26H1) lets an authenticated local attacker execute code at elevated privilege by triggering a use-after-free (CWE-416) memory-corruption condition. Reported by Microsoft with a vendor patch available, it carries CVSS 7.8 (High) and can yield full confidentiality, integrity, and availability compromise of the host. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.
Local privilege escalation in the Windows Media component of Windows 11 (versions 24H2, 25H2, and 26H1) allows an already-authenticated local attacker to win a race condition and gain SYSTEM-level privileges. Rated CVSS 7.8 (High), the flaw stems from improper synchronization of a shared resource; there is no public exploit identified at time of analysis and it is not listed in CISA KEV. Microsoft has released a patch via the MSRC update guide.
Local privilege escalation in Microsoft's Windows USB Print Driver stems from a use-after-free (CWE-416) memory corruption flaw affecting Windows 11 (24H2, 25H2, 26H1) and Windows Server 2025. A low-privileged authenticated attacker who can execute code on the host and win a memory-timing race can corrupt kernel memory to gain higher (SYSTEM-level) privileges. Microsoft has released a patch; there is no public exploit identified at time of analysis and it is not listed in CISA KEV, so exploitation is not currently observed in the wild.
Local privilege escalation in the Microsoft Windows Kernel lets an authenticated attacker gain elevated (SYSTEM-level) privileges by triggering a NULL pointer dereference (CWE-476) in kernel-mode code. The flaw affects a broad range of client and server builds from Windows 10 1607 and Windows Server 2012 through Windows 11 26H1 and Windows Server 2025. Reported by Microsoft with a patch available; no public exploit identified at time of analysis.
Local privilege escalation in Microsoft Windows NTFS (New Technology File System) driver lets an already-authenticated low-privileged user corrupt kernel memory via a use-after-free (CWE-416) and elevate to SYSTEM. The flaw affects a broad Windows client and server matrix (Windows 10 1809 through Windows 11 26H1, Windows Server 2019/2022/2025). It has no public exploit identified at time of analysis and is not on CISA KEV, but as a Microsoft-reported, patched NTFS kernel bug it is a routine patch-priority item on standard Patch Tuesday cycles.
Local privilege escalation in the Microsoft Windows Kernel lets an already-authenticated attacker read memory outside allocated bounds (CWE-125) and leverage it to elevate to SYSTEM across a broad range of client and server builds (Windows 10 1809 through Windows 11 26H1, Windows Server 2019 through 2025). Microsoft rates it CVSS 8.8 with a changed scope, and a vendor patch is available; there is no public exploit identified at time of analysis and it is not listed in CISA KEV.
Local privilege escalation in the Windows Telephony Service (TAPI) affects a broad range of Microsoft Windows client and server releases, from Windows 10 1607 through Windows 11 26H1 and Windows Server 2012 through Server 2025. A local, low-privileged attacker who wins a race condition (CWE-362) in the service's handling of a shared resource can corrupt state and elevate to higher privileges, gaining full confidentiality, integrity, and availability impact on the host. There is no public exploit identified at time of analysis and it is not on CISA KEV; EPSS was not provided.
Privilege escalation via heap-based buffer overflow in the Windows NTFS filesystem driver affects a broad range of Windows 10, Windows 11, and Windows Server versions, requiring only physical access to the target device - no OS credentials needed. An attacker with hands-on access to the hardware can trigger a heap overflow in NTFS processing to gain elevated privileges, potentially achieving full system compromise (High C/I/A). No public exploit code has been identified and this CVE is not listed in the CISA KEV catalog, but the combination of zero authentication requirements and critical-level impact makes it a realistic threat for physically accessible endpoints. A vendor-supplied patch is available via the Microsoft Security Response Center.
Elevation of privilege in the Windows NTFS file-system driver lets an already-authenticated local user escalate to SYSTEM by winning a race condition (CWE-362) in the way NTFS handles a shared resource without proper synchronization. All currently supported Windows client and server builds are affected, from Windows 10 1607 and Server 2012 through Windows 11 26H1 and Server 2025. There is no public exploit identified at time of analysis, but Microsoft has released a patch and rates the impact as full loss of confidentiality, integrity, and availability once exploited.
Privilege escalation in the Windows Remote Access Connection Manager (RasMan) service lets an authenticated, low-privileged attacker corrupt memory over the network to gain higher privileges on affected Windows 10, 11, and Server systems. The flaw is a CWE-416 use-after-free carrying a CVSS 8.8 with high impact to confidentiality, integrity, and availability. Microsoft has released a patch; there is no public exploit identified at time of analysis and it is not listed in CISA KEV.
Protection mechanism failure in Windows BitLocker allows an unauthorized attacker to bypass a security feature with a physical attack.
Local code execution in the Windows Media component of supported Windows 10, Windows 11, and Windows Server (2016 through 2025) releases lets an unauthorized attacker run arbitrary code when a victim opens a maliciously crafted media file. The flaw is a heap-based buffer overflow (CWE-122) reported by Microsoft with a vendor patch available; there is no public exploit identified at time of analysis. CVSS is 7.8 (High), driven by full confidentiality, integrity, and availability impact but gated by local vector and required user interaction.
Spoofing via origin validation error in the Windows Network Address Translation (NAT) component affects Windows 11 (24H2, 25H2, 26H1) and Windows Server 2025, including Server Core installations. An unauthenticated attacker positioned on an adjacent network segment can bypass origin/authentication checks (CWE-346) to impersonate a trusted source, with Microsoft rating scope-changed high impact to confidentiality, integrity, and availability (CVSS 8.3). No public exploit identified at time of analysis, though high attack complexity limits reliable exploitation.
Missing cryptographic step in Windows Boot Loader allows an authorized attacker to bypass a security feature locally.
Local privilege escalation in the Microsoft Windows Client-Side Caching (CSC) Service, driven by a use-after-free (CWE-416) memory-corruption flaw affecting Windows 10 (1607 through 22H2), Windows 11 (24H2/25H2/26H1), and Windows Server 2012 through 2025. An authorized attacker who already holds low-level privileges (PR:L) on the host can trigger the freed-object reuse to gain elevated, likely SYSTEM-level, privileges. The issue was reported by Microsoft with a patch available; there is no public exploit identified at time of analysis and no CISA KEV listing.
Local privilege escalation in the Windows Win32K kernel-mode subsystem allows an authenticated attacker to elevate to SYSTEM by exploiting a use-after-free (CWE-416) memory-corruption condition. The flaw affects a broad range of supported Windows client and server releases (Windows 10 1607 through Windows 11 26H1, and Windows Server 2016 through 2025). Reported by Microsoft with a patch available; there is no public exploit identified at time of analysis and it is not listed in CISA KEV.
Local privilege escalation in the Windows DirectX graphics subsystem allows an authenticated attacker with low privileges to elevate to SYSTEM by triggering a use-after-free (CWE-416) memory-corruption condition. The flaw affects a broad range of Windows client and server releases from Windows 10 1607 through Windows 11 26H1 and Windows Server 2012 through Server 2025. There is no public exploit identified at time of analysis, and it is not listed in CISA KEV; the CVSS 3.1 base score is 7.0 (High), tempered by high attack complexity.
Local privilege escalation in the Windows Wireless Networking component affects a broad span of currently supported Windows releases (Windows 10 1809 through Windows 11 26H1, and Windows Server 2019/2022/2025), letting an already-authenticated local user win a timing race to gain SYSTEM-level control. The flaw is a CWE-362 race condition where improperly synchronized access to a shared resource can be manipulated during a narrow execution window; CVSS 7.8 reflects a high-complexity but high-impact local escalation with a scope change. Microsoft (the reporter) has shipped a patch, and there is no public exploit identified at time of analysis.
Remote code execution in Windows Remote Desktop Services (RDS) allows an authenticated network attacker to run arbitrary code by triggering a use-after-free (CWE-416) memory corruption condition. The flaw affects a broad range of currently-supported Windows client and server builds - Windows 10 21H2/22H2, Windows 11 24H2/25H2/26H1, and Windows Server 2022/2025 (including Server Core). It was reported by Microsoft with a CVSS 8.8 rating; there is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the network vector combined with only low-privilege requirements makes it a strong patch priority.
Local privilege escalation in Microsoft Windows Sensor Data Service arises from a use-after-free (CWE-416) memory corruption flaw that an already-authenticated attacker can trigger to run code at higher privilege. It affects a broad range of client and server builds (Windows 10 1607 through Windows 11 26H1, and Windows Server 2016 through 2025). Reported by Microsoft with a patch available; no public exploit identified at time of analysis, and the CVSS:3.1 score is 7.0 (High).
Local privilege escalation in the Windows Cloud Files Mini Filter Driver (cldflt.sys) lets an authenticated low-privileged user corrupt kernel memory to gain SYSTEM-level control. The flaw is a use-after-free (CWE-416) affecting a broad range of Windows client and server builds from Windows 10 1809 through Windows 11 26H1 and Windows Server 2019-2025. Microsoft has released a patch; there is no public exploit identified at time of analysis and it is not listed in CISA KEV.
Remote code execution in the Microsoft Windows Remote Desktop (RDP) component allows an unauthenticated attacker to run arbitrary code by triggering an integer overflow, but only when a victim is convinced to interact (per CVSS UI:R) - most consistent with a malicious RDP server coercing a connecting client. The flaw affects a broad range of supported Windows client and server releases from Windows Server 2012/Windows 10 1607 through Windows 11 26H1 and Windows Server 2025. There is no public exploit identified at time of analysis and it is not listed in CISA KEV; EPSS data was not provided.
Local privilege escalation in the Windows Desktop Window Manager (DWM) Core Library allows an authenticated attacker to gain SYSTEM-level privileges by triggering a type-confusion (CWE-843) condition. The flaw affects a broad range of supported Windows client and server releases from Windows 10 1607 through Windows 11 26H1 and Windows Server 2016 through 2025. Reported internally by Microsoft with a vendor patch available; no public exploit identified at time of analysis.
Concurrent execution using shared resource with improper synchronization ('race condition') in Windows USB Print Driver allows an authorized attacker to elevate privileges with a physical attack.
Local code execution in Windows Media on Windows 11 (24H2, 25H2, 26H1) and Windows Server 2025 lets an attacker run arbitrary code by luring a user into opening a maliciously crafted media file. The CVSS 3.1 base score is 7.8 with full confidentiality, integrity, and availability impact but requiring user interaction, and there is no public exploit identified at time of analysis. Microsoft has released a patch via MSRC.
Elevation of privilege in Microsoft Windows Management Services lets a low-privileged local user corrupt memory through a use-after-free (CWE-416) and gain higher privileges on Windows 11 (24H2, 25H2, 26H1) and Windows Server 2025. A successful exploit yields high confidentiality, integrity, and availability impact, but the CVSS vector marks high attack complexity, reflecting the race-condition timing typically needed to win a use-after-free. Microsoft has released a patch; there is no public exploit identified at time of analysis and it is not listed in CISA KEV.
Improper access control in Windows Kernel allows an authorized attacker to bypass a security feature locally.
Heap-based buffer overflow in Universal Plug and Play (upnp.dll) allows an authorized attacker to elevate privileges locally.
Local privilege escalation in the Windows Cloud Files Mini Filter Driver (cldflt.sys) allows an authenticated low-privileged user to elevate to SYSTEM by triggering a use-after-free memory corruption condition. The flaw affects a broad range of Windows client and server releases (Windows 10 1809 through Windows 11 26H1, and Windows Server 2019 through 2025) and was reported by Microsoft. There is no public exploit identified at time of analysis and the CVE is not listed in CISA KEV.
Local privilege escalation in the Microsoft Input Method Editor (IME) component shipped across Windows 10, Windows 11, and Windows Server 2016 through 2025 allows an authenticated, low-privileged user to corrupt heap memory and gain SYSTEM-level control. The flaw (CWE-122 heap-based buffer overflow) carries a scope-changing CVSS 3.1 score of 8.8, meaning successful exploitation escapes the caller's security boundary. Microsoft has released a patch; there is no public exploit identified at time of analysis and it is not listed in CISA KEV.
Local privilege escalation in Microsoft's NAT Helper Components (ipnathlp.dll), the driver behind Internet Connection Sharing and NAT translation on Windows 11 (24H2, 25H2, 26H1) and Windows Server 2025. An authenticated attacker who already has low-privilege access can exploit a use-after-free memory corruption bug to run code at higher privilege (SYSTEM). No public exploit identified at time of analysis, and it is not listed in CISA KEV, but Microsoft has released a patch.
Local privilege escalation in the Microsoft Windows Kernel allows an authenticated attacker to elevate to SYSTEM by triggering an integer overflow (CWE-190) in a kernel code path. The flaw affects a broad range of supported Windows client and server releases (Windows 10 1607 through Windows 11 26H1, and Windows Server 2012 through Server 2025). Reported by Microsoft with a vendor patch available; no public exploit identified at time of analysis and no EPSS or KEV data supplied.
Elevation of privilege in the Windows SMB implementation allows an authenticated network attacker to win a race condition and gain higher privileges on affected systems, spanning Windows 10, Windows 11, and Windows Server 2012 through 2025. The flaw is a concurrency defect (CWE-362) reported by Microsoft with a vendor patch already released; there is no public exploit identified at time of analysis. Note a data conflict: the description and CVSS impacts describe privilege elevation with full confidentiality/integrity/availability impact, while the intelligence tags also label it 'Information Disclosure' — the CVSS vector should be treated as authoritative.
Local privilege escalation in Microsoft Windows Installer (msiexec/MSI service) lets an already-authenticated low-privilege user elevate to SYSTEM by abusing an improper authorization check (CWE-285). Affected platforms span Windows 10 (1607 through 22H2), Windows 11 (24H2/25H2/26H1), and Windows Server 2012 through 2025, including Server Core installations. Microsoft has released a patch; there is no public exploit identified at time of analysis and the CVE is not listed in CISA KEV, so risk is currently potential rather than confirmed in-the-wild exploitation.
Out-of-bounds read in Windows RDP allows an unauthorized attacker to disclose information over a network.
Use of uninitialized resource in Windows RDP allows an unauthorized attacker to disclose information over a network.
Use of uninitialized resource in Windows RDP allows an unauthorized attacker to disclose information over a network.
Use of uninitialized resource in Windows RDP allows an unauthorized attacker to disclose information over a network.
Local privilege escalation in the Windows Bluetooth Service affects a broad range of Microsoft Windows client and server editions (Windows 10 1809 through Windows 11 26H1, and Windows Server 2019 through 2025). A heap-based buffer overflow (CWE-122) lets an already-authenticated local attacker corrupt kernel/service memory to elevate from a low-privileged account to SYSTEM. There is no public exploit identified at time of analysis, and it is not listed in CISA KEV; a vendor patch is available from Microsoft.
Local code execution in Microsoft Windows' Resilient File System (ReFS) driver lets an attacker run arbitrary code by inducing a victim to mount or open a maliciously crafted ReFS volume. The flaw is a heap-based buffer overflow (CWE-122) in ReFS metadata parsing affecting Windows 10, Windows 11 (through 26H1), and Windows Server 2016-2025. CVSS is 7.8 (AV:L/UI:R); there is no public exploit identified at time of analysis and it is not in CISA KEV, so exploitation would require crafting a malicious volume and social-engineering the user to attach it.
Out-of-bounds read in Windows USB Audio Class driver (usbaudio.sys) allows an unauthorized attacker to disclose information with a physical attack.
Local privilege escalation in the Windows Runtime (WinRT) affects Windows 11 (24H2, 25H2, 26H1) and Windows Server 2022/2025, where a race condition in shared-resource handling lets an already-authenticated local user win a timing window to gain higher privileges. Reported by Microsoft with a patch available; there is no public exploit identified at time of analysis and the CVSS base score is 7.8 (High). Note that Microsoft's tags label this as Information Disclosure while the description and CVSS impact metrics describe full privilege elevation - this discrepancy should be verified against the vendor advisory.
Information disclosure via uninitialized resource use in Windows Remote Desktop Protocol (RDP) exposes sensitive memory contents to authenticated remote attackers across a wide range of Microsoft Windows desktop and server editions. The CVSS vector (AV:N/AC:L/PR:L/UI:N) confirms this is exploitable over the network by any low-privileged authenticated user with no complexity or interaction requirements, yielding high confidentiality impact. No public exploit code or CISA KEV listing has been identified at time of analysis, but the low barrier to exploitation and the ubiquitous deployment of Windows RDP make this a meaningful patching priority.
Local privilege escalation in Microsoft Windows Routing and Remote Access Service (RRAS) allows an authenticated low-privileged attacker to elevate to SYSTEM by triggering a heap-based buffer overflow (CWE-122). The flaw affects a broad range of Windows client and server versions from Windows 10 1607 through Windows 11 26H1 and Windows Server 2012 R2 through Server 2025. There is no public exploit identified at time of analysis, and it is not listed in CISA KEV; a vendor patch is available.
Local privilege escalation in the Windows Ancillary Function Driver for WinSock (AFD.sys) allows an authenticated low-privileged user to elevate to SYSTEM by triggering a use-after-free (CWE-416) in the kernel-mode driver. All actively serviced Windows client (10 1607 through 11 26H1) and Server (2012 through 2025) editions are affected, and Microsoft has released patches. There is no public exploit identified at time of analysis, and the flaw is not listed in CISA KEV.
Remote code execution in Microsoft Windows Media Foundation allows an unauthenticated attacker to run arbitrary code by tricking a user into opening a maliciously crafted media file or stream. The flaw is a heap-based buffer overflow (CWE-122) affecting a broad range of Windows client and server releases from Windows 10 1607 through Windows 11 26H1 and Windows Server 2016 through 2025. There is no public exploit identified at time of analysis, and the issue is not listed in CISA KEV; a vendor patch is available via the Microsoft Security Response Center.
Elevation of privilege in the Windows Hyper-V virtual network switch (VMSwitch) lets an authenticated attacker operating from a guest partition corrupt kernel memory via a use-after-free and gain higher privileges, with a scope change (S:C) indicating a guest-to-host escape. Rated CVSS 9.9 and affecting a broad range of Windows client and server releases from Windows 10 1607 through Windows 11 26H1 and Windows Server 2012 through 2025, this issue was reported by Microsoft and has a vendor patch available. No public exploit is identified at time of analysis and it is not listed in CISA KEV.
Out-of-bounds read in Windows Print Spooler Components allows an authorized attacker to disclose information locally.
Remote code execution in the Windows SMB Server network transport driver (srvnet.sys) lets an unauthenticated network attacker win a use-after-free race to run arbitrary code, affecting Windows 10, Windows 11, and Windows Server 2012 through 2025. Per its CVSS vector the flaw requires user interaction and high attack complexity, so exploitation is non-trivial rather than a trivial wormable hit. This was reported by Microsoft, a vendor patch is available, and there is no public exploit identified at time of analysis.
Local privilege escalation in the Windows File History Service lets an authenticated, low-privileged attacker corrupt a stack buffer (CWE-121) to run code with elevated (SYSTEM-level) privileges on affected Windows client and server releases. The flaw spans a broad range of supported editions from Windows 10 1607 through Windows 11 26H1 and Windows Server 2016 through 2025, including Server Core installations. No public exploit was identified at time of analysis, and the CVE is not listed in CISA KEV.
Remote code execution in Microsoft Windows Media Foundation lets an unauthenticated attacker run arbitrary code in the victim's context by delivering a malicious media file or stream that the target opens or plays. The flaw affects the Media Foundation multimedia framework across supported Windows 10, Windows 11 (through 26H1), and Windows Server 2016-2025 builds, and carries CVSS 8.8. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the CVSS profile of confidentiality, integrity, and availability all rated High marks this as a high-priority client-side RCE.
Remote code execution in Microsoft Windows Media Foundation lets an unauthenticated network attacker run arbitrary code on the victim's machine when the target opens or renders a maliciously crafted media file or stream. The flaw is a heap-based buffer overflow (CWE-122) affecting a broad range of Windows client and server releases from Windows 10 1607 through Windows 11 26H1 and Server 2016 through Server 2025. No public exploit identified at time of analysis, but the low complexity and network vector make it a high-priority patch item; exploitation requires user interaction (UI:R).
Exposure of sensitive information to an unauthorized actor in Windows Win32K allows an unauthorized attacker to elevate privileges locally.
Local privilege escalation in the Windows Network File System (NFS) component allows an authenticated attacker to elevate to SYSTEM by triggering a heap-based buffer overflow (CWE-122). Reported by Microsoft and affecting a broad range of Windows 10, Windows 11, and Windows Server 2012-2025 releases, with a vendor patch available via MSRC. No public exploit identified at time of analysis, and no CISA KEV listing.
Use of uninitialized resource in Windows File Explorer allows an unauthorized attacker to disclose information locally.
Use of uninitialized resource in Microsoft Windows Codecs Library allows an unauthorized attacker to disclose information locally.
Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Network File System allows an unauthorized attacker to execute code over a network.
Elevation of privilege in the Windows Network File System (NFS) component affects a broad range of Microsoft platforms - Windows 10 (1607 through 22H2), Windows 11 (24H2, 25H2, 26H1), and Windows Server 2012 through 2025 - where an authorized attacker can win a time-of-check/time-of-use (TOCTOU) race condition over the network to gain higher privileges. The CVSS 3.1 vector (AV:N/AC:H/PR:L) indicates a network-reachable but high-complexity flaw requiring low-level existing privileges, with full high impact to confidentiality, integrity and availability. There is no public exploit identified at time of analysis and it is not listed in CISA KEV; a Microsoft (MSRC) patch is available.
Privilege escalation in the Windows Remote Access Service (RRAS) Infrastructure allows an authenticated attacker to elevate privileges over the network by triggering an integer overflow (CWE-190) in affected code paths. The flaw affects a broad range of Windows 10, Windows 11, and Windows Server releases (2012 R2 through 2025), and Microsoft has released a patch. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV, but the network-reachable EoP profile with only low privileges required makes it a meaningful patch priority.
Privilege escalation via a heap-based buffer overflow in the Windows Network File System (NFS) role lets an authenticated, low-privileged network attacker send crafted requests to corrupt server heap memory and gain elevated privileges. Affected systems span Windows 10 (1607 through 22H2), Windows 11 (24H2/25H2/26H1), and Windows Server 2012 through 2025 wherever the Server for NFS role is present. No public exploit was identified at time of analysis and the flaw is not in CISA KEV, but the 8.8 CVSS with a network-reachable, low-complexity, no-user-interaction profile makes it a meaningful patch priority on NFS hosts.
Local code execution in Microsoft Windows Terminal (shipped on Windows 10 21H2/22H2, Windows 11 24H2/25H2/26H1, and Windows Server 2022/2025) arises from an integer overflow (CWE-190) that an unauthorized attacker can trigger, but only after luring a logged-on user into interacting with malicious content. There is no public exploit identified at time of analysis and the flaw is not in CISA KEV, so this is a defense-in-depth patch rather than an emergency, though the CVSS 7.8 reflects full confidentiality, integrity, and availability impact once triggered. Microsoft has released a patch via the MSRC update guide.
Local privilege escalation in the Microsoft Windows Kernel allows an authenticated attacker to elevate to SYSTEM by exploiting a use-after-free (CWE-416) memory corruption condition, spanning Windows 10 (1607 through 22H2), Windows 11 (24H2/25H2/26H1), and Windows Server 2016 through 2025. Reported by Microsoft with a CVSS 3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N), the flaw grants full confidentiality, integrity, and availability impact on the local system. No public exploit identified at time of analysis, and it is not listed in CISA KEV; a vendor patch is available.
Local privilege escalation in the Microsoft Windows Kernel (CWE-416 use-after-free) lets an already-authenticated low-privilege user corrupt kernel memory and gain SYSTEM-level control across a broad range of Windows 10, Windows 11, and Windows Server 2016 through 2025 builds. Microsoft self-reported the flaw and has shipped a patch through the Update Guide; there is no public exploit identified at time of analysis and it is not listed in CISA KEV. With CVSS 7.8 (AV:L/PR:L) it is a classic Patch-Tuesday local EoP suitable as a second-stage primitive after initial access.
Local code execution in Microsoft Windows Media Foundation (CWE-122 heap-based buffer overflow) lets an unauthorized attacker run arbitrary code when a victim opens a maliciously crafted media file or content that the platform parses. It affects a broad range of Windows client and server builds from Windows 10 1607 and Windows Server 2012 through Windows 11 26H1 and Windows Server 2025. Microsoft has released a patch; there is no public exploit identified at time of analysis and it is not listed in CISA KEV.
Remote code execution in the Windows Server Network driver stems from a race condition (CWE-362) that lets an unauthorized attacker execute arbitrary code across a wide range of Microsoft Windows client and server builds, from Windows 10 1607 and Server 2012 through Windows 11 26H1 and Server 2025. The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N) indicates unauthenticated network exploitation with full confidentiality, integrity, and availability impact, and an 'Authentication Bypass' tag suggests the flaw can also subvert access controls. There is no public exploit identified at time of analysis and no CISA KEV listing, but the network-facing, pre-authentication nature makes it a high-priority patch.
Information disclosure in Microsoft Windows Schannel (the Secure Channel TLS/SSL provider) lets an authenticated, network-adjacent attacker read memory beyond an allocated buffer and leak sensitive data across a network connection. The flaw spans nearly the entire supported Windows family - Windows 10 (1607 through 22H2), Windows 11 (24H2/25H2/26H1), and Windows Server 2012 through 2025. Reported by Microsoft with a fix available; there is no public exploit identified at time of analysis, and it is not listed in CISA KEV.
Local privilege escalation in the Windows MIDI Service Module affects Windows 11 versions 24H2, 25H2, and 26H1, where a use-after-free (CWE-416) memory corruption lets an already-authorized local user run code with elevated privileges. Microsoft rates it CVSS 7.0 and has released a patch; there is no public exploit identified at time of analysis and it is not listed in CISA KEV. Exploitation is non-trivial due to high attack complexity and requires the attacker to already hold low-level local privileges.
Exposure of sensitive information to an unauthorized actor in Windows Win32K allows an authorized attacker to disclose information locally.
Remote code execution in Microsoft Windows Remote Desktop (RDP) allows an unauthorized network attacker to run arbitrary code by triggering the use of an uninitialized resource (CWE-908). All currently supported Windows client and server releases are affected, from Windows 10 1607 and Windows Server 2012 through Windows 11 26H1 and Windows Server 2025. The CVSS 3.1 base score is 9.8 with a network, no-privileges, no-interaction vector; there is no public exploit identified at time of analysis, and it is not listed in CISA KEV.
Local privilege escalation in the Windows MIDI Service Module affects Windows 11 versions 24H2, 25H2, and 26H1, where a use-after-free (CWE-416) memory-corruption flaw lets an already-authenticated local user elevate to higher privileges. Exploitation requires winning a race condition (high attack complexity), and Microsoft has released a fix; no public exploit identified at time of analysis. Rated CVSS 7.0 with full confidentiality, integrity, and availability impact once triggered.
Local privilege escalation in the Windows NTFS file system driver allows an authenticated low-privileged user to gain SYSTEM-level rights by triggering an integer overflow (CWE-190) during filesystem processing. It affects a broad range of supported Windows client and server releases, from Windows 10 1607 and Server 2012 through Windows 11 26H1 and Server 2025. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV; a vendor patch is available from Microsoft.
Local privilege escalation in the Windows NTFS driver lets an already-authenticated attacker corrupt heap memory to run code at a higher privilege level (typically SYSTEM) on affected Windows 10, Windows 11, and Windows Server builds. Microsoft reported the issue and has shipped a fix; there is no public exploit identified at time of analysis and it is not listed in CISA KEV. With CVSS 7.8 (AV:L/PR:L) it is a valuable post-compromise pivot rather than an initial-access bug.
Local privilege escalation in the Win32k GRFX subsystem across Windows 10, Windows 11, and Windows Server 2012 through 2025 lets an authenticated low-privileged local attacker elevate to SYSTEM by triggering an out-of-bounds read (CWE-125). The flaw was reported internally by Microsoft, a vendor patch is available via MSRC, and there is no public exploit identified at time of analysis. CVSS is 7.8 (High), reflecting a local vector with low complexity and low privileges required.
Local privilege elevation in the Windows WebView component affects a broad range of currently-supported Windows client and server builds (Windows 10 1809 through Windows 11 26H1, and Windows Server 2019/2022/2025). By triggering a use-after-free (CWE-416) memory-corruption condition, an already-authenticated low-privilege attacker can execute code in a higher-privilege context, yielding full confidentiality, integrity, and availability impact on the local system. Microsoft has released a patch; there is no public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Null pointer dereference in Windows SMB Server allows an authorized attacker to deny service over a network.
Local privilege escalation in Microsoft XML Core Services (MSXML) lets a low-privileged, authorized attacker on a Windows host reclaim a freed object (use-after-free, CWE-416) to run code at elevated privilege. It affects a broad Windows footprint spanning Windows 10 1607 and Server 2012 through Windows 11 26H1 and Server 2025, including Server Core installations. Microsoft reported the flaw, a patch is available, and there is no public exploit identified at time of analysis; CISA SSVC currently rates exploitation as none.
Out-of-bounds read in Windows RDP allows an unauthorized attacker to disclose information over a network.
Local code execution in the Windows DHCP Client service stems from a use-after-free (CWE-416) memory-corruption flaw affecting a broad range of Windows 10, Windows 11, and Windows Server releases (Server 2012 through Server 2025). Per the CVSS vector an unauthenticated attacker with local access can achieve high-impact code execution with no user interaction. There is no public exploit identified at time of analysis and it is not listed in CISA KEV; Microsoft has released a patch through the MSRC update guide.
Local privilege escalation in the Windows Desktop Window Manager (DWM) lets an already-authenticated, low-privileged attacker corrupt heap memory (CWE-122) to gain SYSTEM-level control across Windows 10 (1607 through 22H2), Windows 11 (24H2/25H2/26H1), and Windows Server 2016 through 2025. The CVSS 3.1 score of 8.8 reflects a scope change into a higher-integrity context with full confidentiality, integrity, and availability impact. No public exploit identified at time of analysis, and the flaw is not listed in CISA KEV; Microsoft has released a patch.
Uninitialized memory disclosure in the Windows SMB stack allows a locally authenticated attacker to read sensitive contents from uninitialized buffers, affecting Windows 10, Windows 11, and Windows Server 2012 through 2025. The flaw (CWE-908) resides in the SMB subsystem where a resource is consumed before being properly zeroed, leaking residual memory contents to a low-privileged local user. No public exploit code exists and the vulnerability is not listed in the CISA KEV catalog; SSVC assessment places exploitation at none with partial technical impact, making this a standard patch-cycle priority rather than an emergency response item.
Local privilege escalation in Windows Runtime (WinRT) across Windows 10, Windows 11, and Windows Server 2019 through 2025 allows an already-authenticated attacker to win a race condition and gain SYSTEM-level privileges. The flaw stems from concurrent access to a shared resource without proper synchronization, and full C:H/I:H/A:H impact indicates complete host compromise once triggered. Reported by Microsoft with a patch available; no public exploit identified at time of analysis, and it is not listed in CISA KEV.
Local privilege escalation in the Windows Clipboard Server (Cliprdr/RDP clipboard virtual channel service) affects a broad range of Windows 10, Windows 11, and Windows Server builds (from 1809 through 11 26H1 and Server 2025). An authenticated local attacker who can trigger a use-after-free (CWE-416) in the service can corrupt memory to run code at elevated (SYSTEM-level) privilege. There is no public exploit identified at time of analysis, and the issue is not listed in CISA KEV; Microsoft has released a patch.
Remote code execution in Microsoft Windows OLE (Object Linking and Embedding) allows an unauthorized network attacker to run arbitrary code by triggering a type-confusion condition (CWE-843) in the OLE component. The flaw affects a broad range of client and server SKUs from Windows 10 1607 through Windows 11 26H1 and Windows Server 2012 R2 through Server 2025, and carries a CVSS 8.1 (High) rating. No privileges or authentication are required per the CVSS vector, though the high attack complexity (AC:H) means exploitation depends on winning a specific timing or memory-state condition; there is no public exploit identified at time of analysis and it is not on CISA KEV.
Local privilege escalation in the Windows Kernel lets an already-authenticated, low-privileged attacker on Windows 11 (24H2, 25H2, 26H1) and Windows Server 2025 corrupt kernel memory via a use-after-free and gain SYSTEM-level control. The CVSS 3.1 score of 8.8 is elevated by a scope change (S:C), reflecting that kernel compromise crosses the boundary from user context to the OS itself. Microsoft has released a patch; no public exploit identified at time of analysis and the flaw is not listed in CISA KEV.
Denial of service in Windows Active Directory allows an authenticated network attacker to crash or degrade the directory service via an out-of-bounds read (CWE-125). The flaw affects Active Directory across Windows 10 (21H2/22H2), Windows 11 (24H2/25H2/26H1), and Windows Server 2022/2025 including Server Core; there is no public exploit identified at time of analysis. Impact is primarily availability (A:H) with a minor confidentiality leak (C:L), and Microsoft has released a patch.
Exposure of sensitive information to an unauthorized actor in Windows Cryptographic Services allows an authorized attacker to disclose information locally.
Local privilege escalation in Microsoft's Windows Hyper-V hypervisor allows an already-authenticated, high-privileged attacker to corrupt heap memory (CWE-122) and elevate to higher privileges on the host. The scope-changed CVSS 3.1 vector (8.2) reflects that a successful exploit can breach the guest/host virtualization boundary, impacting confidentiality, integrity, and availability of the underlying host. There is no public exploit identified at time of analysis, and it is not listed in CISA KEV; a Microsoft patch is available.
Local privilege escalation in the Microsoft Windows Kernel allows an authenticated attacker to gain SYSTEM-level control by exploiting a use-after-free (CWE-416) memory corruption condition. The flaw affects a broad range of Windows client and server builds - from Windows 10 1607 through Windows 11 26H1 and Windows Server 2012 through Server 2025 - and was reported by Microsoft with a patch available. There is no public exploit identified at time of analysis, and it is not listed in CISA KEV; the CVSS 3.1 base score is 7.8 (AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H).
Local privilege escalation in the Microsoft Windows Search Component affects Windows 11 (24H2, 25H2, 26H1) and Windows Server 2025, where a heap-based buffer overflow lets an already-authenticated local attacker corrupt memory and elevate to higher privileges (up to SYSTEM). The CVSS 3.1 score of 7.8 reflects local-only attack with low privileges required and no user interaction, yielding full confidentiality, integrity, and availability impact. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.
Local privilege escalation in Windows Active Directory across a broad range of Windows client and server releases (Windows 10 1607 through Windows 11 26H1, and Windows Server 2012 through 2025) allows an authenticated local attacker to elevate privileges by triggering an integer overflow (CWE-190). Successful exploitation yields high confidentiality, integrity, and availability impact, effectively enabling escalation to SYSTEM-level control on the affected host. There is no public exploit identified at time of analysis, and it is not listed in CISA KEV; Microsoft has issued a patch via MSRC.
Local privilege escalation in Microsoft Windows Media (a component shipping in Windows 11 versions 24H2, 25H2, and 26H1) lets an authenticated local attacker execute code at elevated privilege by triggering a use-after-free (CWE-416) memory-corruption condition. Reported by Microsoft with a vendor patch available, it carries CVSS 7.8 (High) and can yield full confidentiality, integrity, and availability compromise of the host. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.
Local privilege escalation in the Windows Media component of Windows 11 (versions 24H2, 25H2, and 26H1) allows an already-authenticated local attacker to win a race condition and gain SYSTEM-level privileges. Rated CVSS 7.8 (High), the flaw stems from improper synchronization of a shared resource; there is no public exploit identified at time of analysis and it is not listed in CISA KEV. Microsoft has released a patch via the MSRC update guide.
Local privilege escalation in Microsoft's Windows USB Print Driver stems from a use-after-free (CWE-416) memory corruption flaw affecting Windows 11 (24H2, 25H2, 26H1) and Windows Server 2025. A low-privileged authenticated attacker who can execute code on the host and win a memory-timing race can corrupt kernel memory to gain higher (SYSTEM-level) privileges. Microsoft has released a patch; there is no public exploit identified at time of analysis and it is not listed in CISA KEV, so exploitation is not currently observed in the wild.
Local privilege escalation in the Microsoft Windows Kernel lets an authenticated attacker gain elevated (SYSTEM-level) privileges by triggering a NULL pointer dereference (CWE-476) in kernel-mode code. The flaw affects a broad range of client and server builds from Windows 10 1607 and Windows Server 2012 through Windows 11 26H1 and Windows Server 2025. Reported by Microsoft with a patch available; no public exploit identified at time of analysis.
Local privilege escalation in Microsoft Windows NTFS (New Technology File System) driver lets an already-authenticated low-privileged user corrupt kernel memory via a use-after-free (CWE-416) and elevate to SYSTEM. The flaw affects a broad Windows client and server matrix (Windows 10 1809 through Windows 11 26H1, Windows Server 2019/2022/2025). It has no public exploit identified at time of analysis and is not on CISA KEV, but as a Microsoft-reported, patched NTFS kernel bug it is a routine patch-priority item on standard Patch Tuesday cycles.
Local privilege escalation in the Microsoft Windows Kernel lets an already-authenticated attacker read memory outside allocated bounds (CWE-125) and leverage it to elevate to SYSTEM across a broad range of client and server builds (Windows 10 1809 through Windows 11 26H1, Windows Server 2019 through 2025). Microsoft rates it CVSS 8.8 with a changed scope, and a vendor patch is available; there is no public exploit identified at time of analysis and it is not listed in CISA KEV.
Local privilege escalation in the Windows Telephony Service (TAPI) affects a broad range of Microsoft Windows client and server releases, from Windows 10 1607 through Windows 11 26H1 and Windows Server 2012 through Server 2025. A local, low-privileged attacker who wins a race condition (CWE-362) in the service's handling of a shared resource can corrupt state and elevate to higher privileges, gaining full confidentiality, integrity, and availability impact on the host. There is no public exploit identified at time of analysis and it is not on CISA KEV; EPSS was not provided.
Privilege escalation via heap-based buffer overflow in the Windows NTFS filesystem driver affects a broad range of Windows 10, Windows 11, and Windows Server versions, requiring only physical access to the target device - no OS credentials needed. An attacker with hands-on access to the hardware can trigger a heap overflow in NTFS processing to gain elevated privileges, potentially achieving full system compromise (High C/I/A). No public exploit code has been identified and this CVE is not listed in the CISA KEV catalog, but the combination of zero authentication requirements and critical-level impact makes it a realistic threat for physically accessible endpoints. A vendor-supplied patch is available via the Microsoft Security Response Center.
Elevation of privilege in the Windows NTFS file-system driver lets an already-authenticated local user escalate to SYSTEM by winning a race condition (CWE-362) in the way NTFS handles a shared resource without proper synchronization. All currently supported Windows client and server builds are affected, from Windows 10 1607 and Server 2012 through Windows 11 26H1 and Server 2025. There is no public exploit identified at time of analysis, but Microsoft has released a patch and rates the impact as full loss of confidentiality, integrity, and availability once exploited.
Privilege escalation in the Windows Remote Access Connection Manager (RasMan) service lets an authenticated, low-privileged attacker corrupt memory over the network to gain higher privileges on affected Windows 10, 11, and Server systems. The flaw is a CWE-416 use-after-free carrying a CVSS 8.8 with high impact to confidentiality, integrity, and availability. Microsoft has released a patch; there is no public exploit identified at time of analysis and it is not listed in CISA KEV.
Protection mechanism failure in Windows BitLocker allows an unauthorized attacker to bypass a security feature with a physical attack.
Local code execution in the Windows Media component of supported Windows 10, Windows 11, and Windows Server (2016 through 2025) releases lets an unauthorized attacker run arbitrary code when a victim opens a maliciously crafted media file. The flaw is a heap-based buffer overflow (CWE-122) reported by Microsoft with a vendor patch available; there is no public exploit identified at time of analysis. CVSS is 7.8 (High), driven by full confidentiality, integrity, and availability impact but gated by local vector and required user interaction.