Windows Server 2022
Monthly
Network-based privilege elevation in the Windows Runtime (WinRT) affects a broad range of Microsoft platforms including Windows 10 (1809 through 22H2), Windows 11 (24H2/25H2/26H1), and Windows Server 2019/2022/2025. An unauthorized attacker who wins a timing race in the improperly synchronized shared-resource handling can gain elevated privileges, with the vulnerability carrying an implicit authentication-bypass characteristic per vendor tags. No public exploit has been identified at time of analysis, and the high attack complexity (AC:H) reflects the need to reliably win a race window.
Local privilege escalation in the Windows Kernel (CVE-2026-50390) lets an already-authenticated attacker abuse a type-confusion condition to run code with elevated (SYSTEM-level) privileges on affected Windows client and server builds ranging from Windows 10 1607 through Windows 11 26H1 and Windows Server 2012 through Server 2025. Microsoft has shipped a fix and there is no public exploit identified at time of analysis, but as a kernel EoP it is a classic second-stage building block for turning a foothold into full host compromise. CVSS is 7.0 (High), reflecting high attack complexity but full confidentiality, integrity, and availability impact once triggered.
Out-of-bounds read in Windows Kernel allows an authorized attacker to elevate privileges locally.
Local code execution in Microsoft's Resilient File System (ReFS) driver lets an already-authenticated, low-privileged user on affected Windows 10, Windows 11, and Windows Server 2016–2025 systems escalate to code execution through a numeric truncation flaw (CWE-197). No public exploit has been identified at time of analysis, and it is not on CISA KEV, but Microsoft has released a patch. Note a data conflict: the description states code execution and the CVSS carries C:H/I:H/A:H, yet the vendor tags label it 'Information Disclosure' — the CVSS-backed local elevation-of-privilege reading is treated as authoritative here.
Denial-of-service (and possible privilege-elevation) heap-based buffer overflow in the Microsoft Windows Remote Desktop Client is reachable over the network, with Microsoft's CVSS vector recording only an availability impact (A:H) despite the description's 'elevate privileges' wording. A patch is available from Microsoft (MSRC update guide), the flaw was reported by Microsoft itself, and there is no public exploit identified at time of analysis. Affected platforms span the full supported Windows client and server line, from Windows 10 1607 and Server 2012 through Windows 11 26H1 and Server 2025.
Use after free in Windows Ancillary Function Driver for WinSock allows an authorized attacker to elevate privileges locally.
Loop with unreachable exit condition ('infinite loop') in Active Directory Federation Services (AD FS) allows an unauthorized attacker to deny service over a network.
Integer overflow or wraparound in Windows Devices Human Interface allows an authorized attacker to disclose information locally.
Exposure of sensitive information to an unauthorized actor in Windows Push Notifications allows an authorized attacker to disclose information locally.
Exposure of sensitive information to an unauthorized actor in Windows Push Notifications allows an authorized attacker to disclose information locally.
Exposure of sensitive information to an unauthorized actor in Windows Push Notifications allows an authorized attacker to disclose information locally.
Local privilege escalation in the Microsoft Windows USB Driver (kernel-mode) lets an already-authenticated low-privileged user win a race condition (CWE-362) to elevate to SYSTEM. The flaw spans a broad Windows fleet from Windows 10 1607 through Windows 11 26H1 and Windows Server 2012 through Server 2025. No public exploit identified at time of analysis, and it is not listed in CISA KEV; a vendor patch is available from Microsoft.
Local code execution in Microsoft Windows arises from a heap-based buffer overflow in a Windows Data DLL, letting an attacker who can get a victim to open crafted content run arbitrary code with the victim's privileges. Affected builds span Windows 10 (1607 through 22H2), Windows 11 (24H2, 25H2, 26H1), and Windows Server 2012 through 2025. Microsoft (the reporter) has released a patch; there is no public exploit identified at time of analysis and it is not listed in CISA KEV.
Remote code execution in the Microsoft Windows DHCP Server role allows an unauthenticated, adjacent-network attacker to run arbitrary code by triggering a heap-based buffer overflow (CWE-122) in DHCP message parsing. Affected systems span Windows Server 2012 through Windows Server 2025 (including Server Core installations) plus the DHCP service on Windows 10 versions 1607 and 1809, with full confidentiality, integrity, and availability impact. Microsoft has released a patch; there is no public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Local privilege escalation in the Microsoft Install Service (Windows Installer) affects supported Windows 10, Windows 11, and Windows Server 2019-2025 builds, letting an already-authenticated local user with limited rights (PR:L) elevate to SYSTEM. The flaw stems from improper privilege management (CWE-269) in how the service handles operations, yielding full confidentiality, integrity, and availability impact. Microsoft has released a patch; there is no public exploit identified at time of analysis and the CVE is not listed in CISA KEV.
Local privilege escalation in the Windows Application Model (the subsystem underlying UWP/packaged app lifecycle and activation) lets an authorized attacker with an existing low-privileged foothold gain SYSTEM-level control by triggering a use-after-free memory-corruption condition. All supported Windows client and server builds from Windows 10 1607 through Windows 11 26H1 and Windows Server 2016 through Server 2025 are affected. This is a Microsoft-reported flaw with a vendor patch available; there is no public exploit identified at time of analysis and it is not on CISA KEV.
Local privilege escalation in the Microsoft Windows Resilient File System (ReFS) driver allows an authenticated attacker to run code with SYSTEM-level privileges by triggering a heap-based buffer overflow. The flaw (CVSS 7.8) affects a broad range of Windows 10, Windows 11, and Windows Server 2016-2025 builds and carries high confidentiality, integrity, and availability impact. It is a Microsoft-reported issue with a vendor patch available, and there is no public exploit identified at time of analysis.
Buffer over-read in Windows NTFS allows an authorized attacker to disclose information locally.
Remote code execution in Microsoft Windows GDI+ (gdiplus) lets an unauthenticated network attacker run arbitrary code when a victim opens or renders a specially crafted image, via a heap-based buffer overflow (CWE-122). The flaw affects a broad range of supported Windows client and server builds (Windows 10 1607 through Windows 11 26H1, and Windows Server 2012 through 2025). It carries a critical CVSS 9.6 with a scope-changed impact, but requires user interaction and currently has no public exploit identified at time of analysis.
Local code execution in Microsoft Windows NTFS driver (heap-based buffer overflow, CWE-122) allows an attacker to run arbitrary code with the privileges of the exploited context. The flaw affects a broad range of Windows client and server releases from Windows 10 1607 through Windows 11 26H1 and Windows Server 2012 through Server 2025. CVSS 7.8 with high confidentiality, integrity, and availability impact; exploitation requires local access and user interaction, and there is no public exploit identified at time of analysis.
Local privilege escalation in Microsoft Windows TCP/IP stack allows an authenticated attacker to elevate to SYSTEM by exploiting a use-after-free (CWE-416) memory corruption flaw. Affected builds span Windows 10 (1809, 21H2, 22H2), Windows 11 (24H2, 25H2, 26H1), and Windows Server 2019/2022/2025 including Server Core. No public exploit identified at time of analysis; Microsoft has released a patch, and the CVSS 7.0 score reflects high attack complexity (likely a race condition) that raises the exploitation bar.
Remote denial of service in Microsoft Active Directory Federation Services (ADFS) allows an unauthenticated network attacker to crash the service via a stack-based buffer overflow (CWE-121). The flaw affects the ADFS role across Windows Server 2012 through 2025 (and the underlying Windows 10 1607/1809 servicing components), carries a CVSS 7.5 availability-only score, and was reported by Microsoft with a patch available. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.
Exposure of sensitive information to an unauthorized actor in Windows Kernel allows an authorized attacker to disclose information locally.
Local code execution in Microsoft Windows NTFS arises from a heap-based buffer overflow (CWE-122) that an authorized, low-privileged local user can trigger to run arbitrary code and elevate to SYSTEM. The flaw spans a broad Windows footprint from Windows 10 1607 through Windows 11 26H1 and Windows Server 2012 through Server 2025. No public exploit identified at time of analysis, and the CVSS 3.1 base score is 7.8 (High).
Local privilege escalation in Windows App Installer (the MSIX/AppX package deployment component, msixbundle/App Installer) lets an already-authenticated low-privileged user overflow a stack buffer to gain higher privileges on affected Windows 10, Windows 11, and Windows Server builds. Microsoft self-reported the flaw and has shipped a patch; there is no public exploit identified at time of analysis and it is not listed in CISA KEV. The CVSS 7.8 (AV:L/PR:L) rating reflects a locally-launched attack with high confidentiality, integrity, and availability impact.
Local code execution in the Windows NTFS file system driver lets an unauthorized attacker run arbitrary code by tricking a user into interacting with specially crafted content, per Microsoft's MSRC advisory. The flaw is a heap-based buffer overflow (CWE-122) affecting a broad range of Windows releases from Windows 10 1607 through Windows 11 26H1 and Windows Server 2012 through Server 2025. No public exploit is identified at time of analysis and it is not listed in CISA KEV, but the low attack complexity and full-CIA impact make it a meaningful local code-execution risk.
Local privilege escalation in the Windows Notification component lets an already-authenticated low-privileged user elevate to higher privileges (SYSTEM) across a broad range of Windows 10, Windows 11, and Windows Server releases. The flaw stems from an incorrect type conversion/cast (CWE-704) and carries a CVSS 7.8 (AV:L/AC:L/PR:L/UI:N) with high confidentiality, integrity, and availability impact. Microsoft has released a patch; there is no public exploit identified at time of analysis and the CVE is not listed in CISA KEV.
Local privilege escalation in the Windows NTFS file-system driver allows an authenticated attacker to run code with elevated (SYSTEM-level) privileges by triggering a stack-based buffer overflow (CWE-121). The flaw was reported by Microsoft and affects a broad range of Windows client and server releases from Windows 10 1607 through Windows 11 26H1 and Windows Server 2012 through Server 2025. No public exploit identified at time of analysis, and it is not listed in CISA KEV; the CVSS 3.1 base score is 7.8 (High).
Privilege escalation in Microsoft Windows SMB Server allows an already-authenticated network attacker to elevate to higher privileges by abusing a flawed authentication algorithm, yielding high confidentiality, integrity, and availability impact. The flaw affects Windows 10 (21H2/22H2), Windows 11 (24H2/25H2/26H1), and Windows Server 2022/2025 including Server Core. Reported by Microsoft with a patch available; no public exploit identified at time of analysis.
Local privilege elevation in the Microsoft Windows TCP/IP networking stack lets an already-authenticated, low-privileged user corrupt kernel memory via a use-after-free (CWE-416) and gain SYSTEM-level control. The flaw affects a broad range of client and server SKUs from Windows 10 1607 through Windows 11 26H1 and Windows Server 2012 through Server 2025, including Server Core installations. Microsoft reported the issue and has released a patch; there is no public exploit identified at time of analysis and the CVE is not listed in CISA KEV.
Denial of service in Microsoft Windows Server Update Services (WSUS) lets a remote, unauthenticated attacker crash or disrupt the update service by triggering an uncaught exception over the network. The flaw affects WSUS across Windows Server 2012 through 2025 (plus Windows 10 1607/1809 servicing components), and the CVSS 3.1 availability-only vector (A:H) indicates service unavailability rather than data compromise. No public exploit identified at time of analysis, but a vendor patch is available and the flaw is network-reachable without authentication.
Denial of service in Microsoft Active Directory Federation Services (AD FS) lets a remote, unauthenticated attacker crash the service by triggering a stack-based buffer overflow (CWE-121) over the network. Because AD FS commonly fronts single sign-on for Microsoft 365, SaaS, and internal web applications, a successful crash can knock out federated authentication for an entire organization. No public exploit identified at time of analysis, and the flaw is availability-only — confidentiality and integrity are not impacted per the CVSS vector.
Local privilege escalation in the Windows Push Notifications component (WNS/WpnService) lets an already-authenticated low-privileged user overwrite adjacent heap memory to gain SYSTEM-level control across Windows 10 (1607-22H2), Windows 11 (24H2-26H1), and Windows Server 2012 R2 through 2025. Microsoft reported the flaw and has shipped a fix; there is no public exploit identified at time of analysis and it is not listed in CISA KEV. The high CVSS 7.8 reflects full confidentiality, integrity, and availability impact once triggered, but exploitation requires prior local access.
Local privilege escalation in the Microsoft Windows Kernel allows an already-authenticated attacker to gain SYSTEM-level control by exploiting a use-after-free (CWE-416) memory corruption condition. The flaw affects a broad range of supported Windows client and server releases (Windows 10 1809 through Windows 11 26H1, and Windows Server 2019 through 2025) and, per the CVSS 7.8 vector, yields full confidentiality, integrity, and availability impact. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV; Microsoft has released a patch.
Local privilege escalation in the Windows Redirected Drive Buffering Subsystem (RDBSS) lets an authenticated low-privileged attacker read memory beyond an allocated buffer to elevate to higher privileges. The flaw affects a broad range of currently-supported Windows client and server releases (Windows 10 1607 through Windows 11 26H1, Windows Server 2012 through Server 2025) and carries a CVSS 7.0 (High) rating. Microsoft has released a patch; there is no public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Local privilege escalation in the Windows Kernel lets a low-privileged, authenticated attacker gain SYSTEM-level control by triggering a heap-based buffer overflow (CWE-122). The flaw spans a broad platform range from Windows 10 1607 through Windows 11 26H1 and Windows Server 2012 through Server 2025, and was reported internally by Microsoft. No public exploit is identified at time of analysis and it is not in CISA KEV, but the ubiquity of the affected component plus full high impact on confidentiality, integrity, and availability make it a meaningful patch priority.
Improper certificate validation in Windows Cryptographic Services allows an unauthorized attacker to bypass a security feature over a network.
Use of a cryptographic primitive with a risky implementation in Windows Key Guard allows an authorized attacker to bypass a security feature locally.
Integer underflow in the Windows Kernel enables a locally authenticated attacker to disclose sensitive kernel memory contents across a broad range of Windows 10, Windows 11, and Windows Server platforms. The CVSS vector (AV:L/AC:L/PR:L/UI:N) confirms that any low-privilege local user can trigger the flaw without special configuration or user interaction, yielding high confidentiality impact with no integrity or availability consequences. Microsoft has released a patch via the July 2026 Security Update Guide; no public exploit has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog.
Access of resource using incompatible type ('type confusion') in Composite Image File System Driver allows an authorized attacker to disclose information locally.
Local privilege escalation in the Windows Clip Service (clipboard/cloud clipboard component, cbdhsvc) affects a broad range of Windows 10, Windows 11, and Windows Server 2019-2025 builds, where a race condition in concurrent access to a shared resource lets an already-authenticated local attacker win a timing window to gain higher privileges. Reported by Microsoft with a patch available; there is no public exploit identified at time of analysis and it is not listed in CISA KEV. Note a source conflict: the description and CWE describe privilege elevation with high confidentiality/integrity/availability impact, while the intelligence tags label it 'Information Disclosure' - treat the primary impact as local EoP per the CVSS vector.
Local privilege escalation in the Microsoft Windows App Store (AppX/package deployment component) allows an authorized, low-privileged user to win a race condition and gain higher privileges on affected Windows client and server builds spanning Windows 10 1607 through Windows 11 26H1 and Windows Server 2016 through 2025. Exploitation requires local access and already-held low privileges, and the high attack complexity reflects the timing precision needed to win the race. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but Microsoft has released a patch.
Privilege escalation in the Windows Win32K kernel-mode subsystem lets an already-authenticated local user gain SYSTEM-level control across a broad range of Windows client and server releases (Windows 10 1607 through Windows 11 26H1, and Windows Server 2012 through Server 2025). Rooted in improper access control (CWE-284), successful exploitation yields full confidentiality, integrity, and availability impact on the host. There is no public exploit identified at time of analysis and the CVSS vector's high attack complexity (AC:H) tempers the practical risk.
Local privilege escalation in the Windows Win32K kernel-mode subsystem allows an already-authenticated, low-privileged user to elevate to SYSTEM through improper access control (CWE-284). Affected builds span Windows 10 (1607 through 22H2), Windows 11 (24H2/25H2/26H1), and Windows Server 2012 through 2025. No public exploit identified at time of analysis, and it is not listed in CISA KEV; Microsoft has released a patch.
Local privilege escalation in the Microsoft Windows Graphics Kernel component allows a low-privileged local user to elevate to SYSTEM by exploiting a use-after-free (CWE-416) memory corruption condition. The flaw affects a broad range of Windows 10, Windows 11, and Windows Server releases, was reported by Microsoft, and has a vendor-released patch available. No public exploit is identified at time of analysis and it is not listed in CISA KEV; the high attack complexity (AC:H) makes reliable exploitation non-trivial.
Local privilege escalation in the Windows Kernel lets an already-authenticated, low-privileged user corrupt kernel memory via a use-after-free (CWE-416) and gain higher privileges on the host. The flaw affects a broad range of currently-supported Windows client and server releases (Windows 10 1607 through Windows 11 26H1, and Windows Server 2016 through 2025); Microsoft has shipped a fix. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Insertion of sensitive information into log file in Windows Kernel allows an authorized attacker to disclose information locally.
Integer overflow or wraparound in Windows Spaceport.sys allows an unauthorized attacker to elevate privileges with a physical attack.
Exposure of sensitive information to an unauthorized actor in Windows DirectX allows an unauthorized attacker to disclose information locally.
Local privilege escalation in the Windows Audio Compression Manager (ACM) allows a low-privileged authenticated user to elevate to higher privileges (CVSS 7.8, CWE-284 improper access control). It affects a broad Windows fleet spanning Windows 10 (1607 through 22H2), Windows 11 (24H2/25H2/26H1), and Windows Server 2012 through 2025. Reported by Microsoft with a patch available; there is no public exploit identified at time of analysis and it is not listed in CISA KEV.
Local privilege escalation in Microsoft Windows Resilient File System (ReFS) allows an authenticated low-privileged user to gain elevated (SYSTEM-level) privileges by triggering a stack-based buffer overflow (CWE-121) in the ReFS driver. The flaw affects a broad range of Windows client and server releases, from Windows 10 1607 through Windows 11 26H1 and Windows Server 2016 through 2025. Microsoft has released a patch; there is no public exploit identified at time of analysis and the CVE is not listed in CISA KEV.
Local privilege escalation in the Windows AppX Deployment Service (AppXSvc) lets an already-authenticated, low-privileged user win a race condition to elevate to higher privileges across a broad range of Windows client and server builds (Windows 10 1607 through Windows 11 26H1, and Windows Server 2012 through 2025). The flaw stems from improper synchronization of a shared resource, and successful exploitation yields full confidentiality, integrity, and availability impact on the host. It is reported by Microsoft with a vendor patch available; there is no public exploit identified at time of analysis and it is not listed in CISA KEV.
Local privilege escalation in the Windows Win32K kernel-mode subsystem allows an already-authenticated low-privileged user to elevate to SYSTEM through an improper access-control flaw. The issue affects a broad range of Windows client and server releases, from Windows 10 1607 and Windows Server 2012 through Windows 11 26H1 and Windows Server 2025. Microsoft has released a patch; there is no public exploit identified at time of analysis, and the flaw is not listed in CISA KEV.
Use of uninitialized resource in Windows SMB allows an authorized attacker to disclose information locally.
Local privilege escalation in the Windows Spaceport.sys Storage Spaces driver lets an already-authenticated low-privileged user gain SYSTEM-level control across Windows 10, Windows 11, and Windows Server 2016 through 2025. The flaw stems from a missing authentication check on a critical driver function (CWE-306), and Microsoft has released a patch; no public exploit has been identified at time of analysis. With CVSS 7.8 (local, low-privilege) and full confidentiality, integrity, and availability impact, it is a strong candidate for chaining after an initial foothold.
Exposure of sensitive system information to an unauthorized control sphere in Windows Kernel allows an unauthorized attacker to disclose information locally.
Heap-based buffer overflow in Windows USB Video Driver allows an unauthorized attacker to elevate privileges with a physical attack.
Elevation of privilege in Microsoft Windows (Server 2012 through 2025 and Windows 10/11 clients) lets a low-privileged local user gain SYSTEM-level rights by abusing an improper access control (CWE-284) weakness. The flaw was reported by Microsoft with a patch available, and CVSS 3.1 rates it 7.8 (High) with local vector and low privileges required. No public exploit identified at time of analysis and it is not listed in CISA KEV, so this is a patch-worthy but not emergency issue absent evidence of active exploitation.
Local code execution in the Microsoft Windows NTFS file-system driver lets an attacker run arbitrary code by inducing a victim to interact with a specially crafted NTFS artifact (e.g., a malicious volume, VHD, or file). The flaw stems from an integer underflow (CWE-191) and spans a broad range of Windows client and server builds from Windows Server 2012 through Windows Server 2025 and Windows 10/11. Microsoft has released a patch; there is no public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Uncontrolled resource consumption in Windows Local Security Authority Subsystem Service (LSASS) allows an authorized attacker to deny service over a network.
Local privilege escalation in the Windows Web Proxy Auto-Discovery Protocol (WPAD) component lets an already-authenticated local user run code with SYSTEM-level rights by triggering an integer overflow (CWE-190). The flaw affects a broad range of Windows client and server builds, from Windows 10 1809 through Windows 11 26H1 and Windows Server 2019 through 2025. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the low attack complexity and high triad impact make it a meaningful patch-tier issue.
Integer overflow or wraparound in Windows Storage Spaces Direct allows an unauthorized attacker to execute code with a physical attack.
Local privilege escalation in the Microsoft Windows Kernel allows an unauthorized attacker to gain elevated (SYSTEM-level) privileges by triggering a use-after-free condition (CWE-416) in kernel memory. The flaw affects a broad range of supported Windows client and server releases, from Windows 10 1607 and Windows Server 2012 through Windows 11 26H1 and Windows Server 2025. Microsoft has released a patch; there is no public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Local code execution in the Windows NTFS driver (CVE-2026-49797) allows an attacker with local access to run arbitrary code by tricking a user into interacting with a maliciously crafted NTFS artifact, exploiting a heap-based buffer overflow (CWE-122). The flaw affects a broad range of Windows client and server releases from Windows 10 1607 and Server 2012 through Windows 11 26H1 and Server 2025. Microsoft has released a patch; no public exploit identified at time of analysis and it is not listed in CISA KEV.
Local privilege escalation in the Windows Kernel lets an already-authenticated attacker corrupt kernel memory via a use-after-free (CWE-416) and gain full control of the host. The CVSS 3.1 vector (AV:L/PR:L, scope-changed with C:H/I:H/A:H) reflects a low-privileged local user escalating to SYSTEM-level compromise across a broad range of Windows 10, Windows 11, and Windows Server builds. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but Microsoft has released a patch.
Local code execution in Windows GDI+ (the Graphics Device Interface Plus rendering component) affects a broad range of Microsoft Windows client and server releases from Windows 10 1607 through Windows 11 26H1 and Windows Server 2012 through Server 2025. An attacker who convinces a user to open or preview a specially crafted image or document triggers a heap-based buffer overflow (CWE-122) during graphics parsing, yielding arbitrary code execution in the context of the current user. The CVSS 3.1 base score is 7.8 (AV:L/AC:L/PR:N/UI:R); there is no public exploit identified at time of analysis and it is not listed in CISA KEV, but GDI+ image-parsing flaws are historically attractive to attackers.
Out-of-bounds read in Windows USB Audio Class driver (usbaudio.sys) allows an unauthorized attacker to disclose information with a physical attack.
Local privilege escalation via arbitrary code execution in Microsoft Windows Resilient File System (ReFS) affects a broad range of Windows 10, Windows 11, and Windows Server (2016-2025) builds. An authorized (low-privileged) attacker who can trigger the vulnerable heap allocation path can corrupt heap memory (CWE-122) to run code in the security context of the ReFS driver, yielding full confidentiality, integrity, and availability impact. No public exploit identified at time of analysis, and the flaw is not on the CISA KEV list.
Local code execution in Microsoft's Resilient File System (ReFS) driver allows an authorized (low-privileged) attacker to run arbitrary code with elevated context via a numeric truncation flaw. The bug affects the ReFS component shipped with Windows 10, Windows 11, and Windows Server 2016 through 2025. There is no public exploit identified at time of analysis and it is not listed in CISA KEV; note that the CVE's own tags label it 'Information Disclosure' while the description and CVSS impact (C:H/I:H/A:H) describe full code execution - the code-execution reading should be treated as authoritative.
Local privilege escalation in Microsoft Windows Routing and Remote Access Service (RRAS) allows an already-authenticated low-privileged user to abuse a link-following (symlink/junction) flaw to gain higher privileges on the host. The bug affects a broad range of client and server SKUs from Windows Server 2012 through Windows Server 2025 and Windows 10 1607 through Windows 11 26H1, and Microsoft has shipped a fix. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.
Elevation of privilege in the Windows Universal Disk Format File System driver (UDFS.sys) lets a low-privileged local user gain elevated (kernel/SYSTEM) rights after the victim mounts or opens a maliciously crafted UDF volume. The flaw stems from an integer arithmetic error (CWE-191) in the driver that parses UDF-formatted media such as ISO images, optical discs, and virtual disk files, and affects a broad range of Windows client and server releases from Windows Server 2012 and Windows 10 1607 through Windows 11 26H1 and Windows Server 2025. Microsoft reported the issue and has shipped a patch; there is no public exploit identified at time of analysis and the CVE is not listed in CISA KEV.
Local privilege escalation in the Microsoft Windows NTFS driver allows an already-authenticated, low-privileged user to gain elevated (likely SYSTEM) privileges by triggering a stack-based buffer overflow, contingent on user interaction. The flaw spans a broad range of supported Windows client and server releases, from Windows 10 1607 and Server 2012 through Windows 11 26H1 and Server 2025. Microsoft has issued a patch and reported the issue itself; there is no public exploit identified at time of analysis and the CVE is not listed in CISA KEV.
Denial of service in the Windows HTTP/2 network stack allows a remote, unauthenticated attacker to exhaust server resources and render affected services unavailable across a broad range of Windows client and server releases (Windows 10/11 and Windows Server 2016 through 2025). Reported by Microsoft with a vendor patch available; there is no public exploit identified at time of analysis and it is not listed in CISA KEV. The 7.5 CVSS reflects high availability impact with no confidentiality or integrity loss.
Denial of service in Microsoft Windows HTTP.sys allows remote unauthenticated attackers to exhaust system resources and make affected hosts unresponsive over the network. The flaw stems from missing resource limits/throttling (CWE-770) in the kernel-mode HTTP protocol stack, affecting a broad range of Windows client and server releases from Windows 10 1607 through Windows 11 26H1 and Windows Server 2016 through 2025. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV; a vendor patch is available via MSRC.
Security feature bypass in Windows Secure Boot (CWE-358) allows a locally authenticated attacker on affected Windows 10, Windows 11, and Windows Server (2016 through 2025) systems to defeat the boot-integrity trust chain due to an improperly implemented standard security check. Because Secure Boot is the gate that blocks unsigned/tampered bootloaders and rootkits, a successful bypass can enable pre-OS persistence and undermine downstream protections such as BitLocker and Measured Boot. There is no public exploit identified at time of analysis and the CVE is not listed in CISA KEV; Microsoft has published a patch via its update guide.
Local privilege escalation in the Windows Clipboard Server (Windows 10 1809 through Windows 11 26H1 and Windows Server 2019 through 2025) allows an already-authenticated low-privileged user to win a race condition and gain higher privileges on the host. Microsoft credits its own researchers and has shipped a fix; there is no public exploit identified at time of analysis and the CVSS base score is 7.0 (High). The high attack complexity reflects the timing precision needed to exploit the race, which meaningfully limits reliable weaponization.
Local code execution in Microsoft Windows NTFS (New Technology File System) stems from a heap-based buffer overflow (CWE-122) that lets a local attacker run arbitrary code with high confidentiality, integrity, and availability impact. The flaw affects a broad range of Windows client and server builds - from Windows 10 1607 and Server 2012 through Windows 11 26H1 and Server 2025 - and Microsoft has released a patch. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but NTFS's role as the default Windows filesystem makes the exposed surface extremely wide.
Information disclosure (and vendor-labeled privilege elevation) in the Windows DHCP Client affects Windows 10 (1607/1809), Windows Server 2012 through 2025, and their Server Core installations via an integer underflow (CWE-191) reachable over the network. A remote attacker positioned to answer DHCP traffic can craft malformed responses that wrap a length/counter calculation, with a CVSS 3.1 base of 7.5 (confidentiality impact only per the published vector). No public exploit is identified at time of analysis and it is not listed in CISA KEV, but Microsoft ships a patch.
Improper link resolution before file access ('link following') in Universal Plug and Play (upnp.dll) allows an authorized attacker to disclose information locally.
Remote code execution in Microsoft Active Directory Domain Services (AD DS) allows an authenticated network attacker to run arbitrary code on domain controllers by triggering a heap-based buffer overflow (CWE-122). Affected platforms span Windows Server 2012 through 2025 (including Server Core) and Windows 10/11 clients acting in AD roles, with Microsoft-issued patches available. There is no public exploit identified at time of analysis and it is not on CISA KEV, but the CVSS 8.8 rating and the sensitivity of the domain-controller attack surface make this a high-priority patch.
Remote code execution in the Microsoft Windows DHCP Server role allows an authenticated network attacker (PR:L) to trigger a heap-based buffer overflow and run arbitrary code on the server. The flaw affects DHCP Server across Windows Server 2012 through Server 2025 (including Server Core installations) and carries a CVSS 8.8 with full confidentiality, integrity, and availability impact. Reported by Microsoft with a vendor patch available; no public exploit identified at time of analysis.
Denial of service in the Windows Local Security Authority Subsystem Service (LSASS) allows a remote, unauthenticated attacker to crash the service and disrupt authentication across all supported Windows client and server releases from Windows 10 1607 through Windows 11 26H1 and Windows Server 2012 through Server 2025. The flaw stems from an excessive-size memory allocation (CWE-789) triggerable over the network with no privileges or user interaction, and while a vendor patch is available, there is no public exploit identified at time of analysis and it is not listed in CISA KEV. Impact is limited to availability (A:H) with no confidentiality or integrity loss, but LSASS failure can force system instability or reboots, affecting domain authentication and logon.
Windows Cryptographic Services across a broad range of Windows 10, Windows 11, and Windows Server versions fails to release allocated memory after its effective lifetime (CWE-401), enabling a remote unauthenticated attacker to cause a denial-of-service condition over the network. The CVSS vector (AV:N/AC:L/PR:N/UI:N) confirms exploitation requires no authentication, no user interaction, and no elevated privileges against default configurations. Microsoft has released a patch via MSRC advisory CVE-2026-44806; no public exploit or CISA KEV listing has been identified at time of analysis.
Windows Event Logging Service across a wide range of Windows 10, Windows 11, and Windows Server versions fails to enforce its intended protection mechanisms, permitting any authenticated low-privileged network user to read information that should be access-controlled. The CVSS vector (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N) confirms exploitation requires only a valid low-privilege account and network connectivity, with no user interaction and no elevated rights - making it a practical post-compromise lateral-movement or reconnaissance tool. No public exploit code has been identified and this CVE is not listed in CISA KEV at time of analysis, but the ubiquitous deployment footprint across the Windows ecosystem elevates organizational exposure.
Remote code execution in Windows PowerShell allows an authenticated attacker with low privileges to run arbitrary code across a network by exploiting a relative path traversal (CWE-23) flaw, provided a victim is induced to interact (UI:R). Affecting supported Windows 10/11 clients and Windows Server 2012 through 2025, the issue carries a CVSS 8.0 with full confidentiality, integrity, and availability impact, and a vendor patch is available via MSRC. There is no public exploit identified at time of analysis, and the CVE is not listed in CISA KEV.
Exposure of sensitive information to an unauthorized actor in Windows File Explorer allows an authorized attacker to disclose information locally.
Use of uninitialized resource in Windows File Explorer allows an authorized attacker to disclose information locally.
Windows Audio Service on multiple Windows desktop and server versions improperly exposes sensitive information to locally authenticated standard users, enabling information disclosure without requiring elevated privileges. Affecting Windows 10 1809 through Windows 11 26H1 and Windows Server 2019 (with Server 2022 and 2025 referenced in tags), the flaw is exploitable post-foothold by any low-privileged local account, making it a realistic post-exploitation pivot rather than an initial access vector. No public exploit code has been identified at time of analysis, and a vendor-released patch is confirmed available via the Microsoft Security Response Center.
Exposure of sensitive information to an unauthorized actor in Windows File Explorer allows an authorized attacker to disclose information locally.
Local code execution in Microsoft Windows NTFS driver allows an authenticated attacker to run arbitrary code by triggering a heap-based buffer overflow (CWE-122) after inducing user interaction. The flaw affects a broad range of Windows client and server releases, from Windows 10 1607 and Windows Server 2012 through Windows 11 26H1 and Windows Server 2025. It was reported by Microsoft, a vendor patch is available, and there is no public exploit identified at time of analysis.
Network-based privilege elevation in the Windows Runtime (WinRT) affects a broad range of Microsoft platforms including Windows 10 (1809 through 22H2), Windows 11 (24H2/25H2/26H1), and Windows Server 2019/2022/2025. An unauthorized attacker who wins a timing race in the improperly synchronized shared-resource handling can gain elevated privileges, with the vulnerability carrying an implicit authentication-bypass characteristic per vendor tags. No public exploit has been identified at time of analysis, and the high attack complexity (AC:H) reflects the need to reliably win a race window.
Local privilege escalation in the Windows Kernel (CVE-2026-50390) lets an already-authenticated attacker abuse a type-confusion condition to run code with elevated (SYSTEM-level) privileges on affected Windows client and server builds ranging from Windows 10 1607 through Windows 11 26H1 and Windows Server 2012 through Server 2025. Microsoft has shipped a fix and there is no public exploit identified at time of analysis, but as a kernel EoP it is a classic second-stage building block for turning a foothold into full host compromise. CVSS is 7.0 (High), reflecting high attack complexity but full confidentiality, integrity, and availability impact once triggered.
Out-of-bounds read in Windows Kernel allows an authorized attacker to elevate privileges locally.
Local code execution in Microsoft's Resilient File System (ReFS) driver lets an already-authenticated, low-privileged user on affected Windows 10, Windows 11, and Windows Server 2016–2025 systems escalate to code execution through a numeric truncation flaw (CWE-197). No public exploit has been identified at time of analysis, and it is not on CISA KEV, but Microsoft has released a patch. Note a data conflict: the description states code execution and the CVSS carries C:H/I:H/A:H, yet the vendor tags label it 'Information Disclosure' — the CVSS-backed local elevation-of-privilege reading is treated as authoritative here.
Denial-of-service (and possible privilege-elevation) heap-based buffer overflow in the Microsoft Windows Remote Desktop Client is reachable over the network, with Microsoft's CVSS vector recording only an availability impact (A:H) despite the description's 'elevate privileges' wording. A patch is available from Microsoft (MSRC update guide), the flaw was reported by Microsoft itself, and there is no public exploit identified at time of analysis. Affected platforms span the full supported Windows client and server line, from Windows 10 1607 and Server 2012 through Windows 11 26H1 and Server 2025.
Use after free in Windows Ancillary Function Driver for WinSock allows an authorized attacker to elevate privileges locally.
Loop with unreachable exit condition ('infinite loop') in Active Directory Federation Services (AD FS) allows an unauthorized attacker to deny service over a network.
Integer overflow or wraparound in Windows Devices Human Interface allows an authorized attacker to disclose information locally.
Exposure of sensitive information to an unauthorized actor in Windows Push Notifications allows an authorized attacker to disclose information locally.
Exposure of sensitive information to an unauthorized actor in Windows Push Notifications allows an authorized attacker to disclose information locally.
Exposure of sensitive information to an unauthorized actor in Windows Push Notifications allows an authorized attacker to disclose information locally.
Local privilege escalation in the Microsoft Windows USB Driver (kernel-mode) lets an already-authenticated low-privileged user win a race condition (CWE-362) to elevate to SYSTEM. The flaw spans a broad Windows fleet from Windows 10 1607 through Windows 11 26H1 and Windows Server 2012 through Server 2025. No public exploit identified at time of analysis, and it is not listed in CISA KEV; a vendor patch is available from Microsoft.
Local code execution in Microsoft Windows arises from a heap-based buffer overflow in a Windows Data DLL, letting an attacker who can get a victim to open crafted content run arbitrary code with the victim's privileges. Affected builds span Windows 10 (1607 through 22H2), Windows 11 (24H2, 25H2, 26H1), and Windows Server 2012 through 2025. Microsoft (the reporter) has released a patch; there is no public exploit identified at time of analysis and it is not listed in CISA KEV.
Remote code execution in the Microsoft Windows DHCP Server role allows an unauthenticated, adjacent-network attacker to run arbitrary code by triggering a heap-based buffer overflow (CWE-122) in DHCP message parsing. Affected systems span Windows Server 2012 through Windows Server 2025 (including Server Core installations) plus the DHCP service on Windows 10 versions 1607 and 1809, with full confidentiality, integrity, and availability impact. Microsoft has released a patch; there is no public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Local privilege escalation in the Microsoft Install Service (Windows Installer) affects supported Windows 10, Windows 11, and Windows Server 2019-2025 builds, letting an already-authenticated local user with limited rights (PR:L) elevate to SYSTEM. The flaw stems from improper privilege management (CWE-269) in how the service handles operations, yielding full confidentiality, integrity, and availability impact. Microsoft has released a patch; there is no public exploit identified at time of analysis and the CVE is not listed in CISA KEV.
Local privilege escalation in the Windows Application Model (the subsystem underlying UWP/packaged app lifecycle and activation) lets an authorized attacker with an existing low-privileged foothold gain SYSTEM-level control by triggering a use-after-free memory-corruption condition. All supported Windows client and server builds from Windows 10 1607 through Windows 11 26H1 and Windows Server 2016 through Server 2025 are affected. This is a Microsoft-reported flaw with a vendor patch available; there is no public exploit identified at time of analysis and it is not on CISA KEV.
Local privilege escalation in the Microsoft Windows Resilient File System (ReFS) driver allows an authenticated attacker to run code with SYSTEM-level privileges by triggering a heap-based buffer overflow. The flaw (CVSS 7.8) affects a broad range of Windows 10, Windows 11, and Windows Server 2016-2025 builds and carries high confidentiality, integrity, and availability impact. It is a Microsoft-reported issue with a vendor patch available, and there is no public exploit identified at time of analysis.
Buffer over-read in Windows NTFS allows an authorized attacker to disclose information locally.
Remote code execution in Microsoft Windows GDI+ (gdiplus) lets an unauthenticated network attacker run arbitrary code when a victim opens or renders a specially crafted image, via a heap-based buffer overflow (CWE-122). The flaw affects a broad range of supported Windows client and server builds (Windows 10 1607 through Windows 11 26H1, and Windows Server 2012 through 2025). It carries a critical CVSS 9.6 with a scope-changed impact, but requires user interaction and currently has no public exploit identified at time of analysis.
Local code execution in Microsoft Windows NTFS driver (heap-based buffer overflow, CWE-122) allows an attacker to run arbitrary code with the privileges of the exploited context. The flaw affects a broad range of Windows client and server releases from Windows 10 1607 through Windows 11 26H1 and Windows Server 2012 through Server 2025. CVSS 7.8 with high confidentiality, integrity, and availability impact; exploitation requires local access and user interaction, and there is no public exploit identified at time of analysis.
Local privilege escalation in Microsoft Windows TCP/IP stack allows an authenticated attacker to elevate to SYSTEM by exploiting a use-after-free (CWE-416) memory corruption flaw. Affected builds span Windows 10 (1809, 21H2, 22H2), Windows 11 (24H2, 25H2, 26H1), and Windows Server 2019/2022/2025 including Server Core. No public exploit identified at time of analysis; Microsoft has released a patch, and the CVSS 7.0 score reflects high attack complexity (likely a race condition) that raises the exploitation bar.
Remote denial of service in Microsoft Active Directory Federation Services (ADFS) allows an unauthenticated network attacker to crash the service via a stack-based buffer overflow (CWE-121). The flaw affects the ADFS role across Windows Server 2012 through 2025 (and the underlying Windows 10 1607/1809 servicing components), carries a CVSS 7.5 availability-only score, and was reported by Microsoft with a patch available. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.
Exposure of sensitive information to an unauthorized actor in Windows Kernel allows an authorized attacker to disclose information locally.
Local code execution in Microsoft Windows NTFS arises from a heap-based buffer overflow (CWE-122) that an authorized, low-privileged local user can trigger to run arbitrary code and elevate to SYSTEM. The flaw spans a broad Windows footprint from Windows 10 1607 through Windows 11 26H1 and Windows Server 2012 through Server 2025. No public exploit identified at time of analysis, and the CVSS 3.1 base score is 7.8 (High).
Local privilege escalation in Windows App Installer (the MSIX/AppX package deployment component, msixbundle/App Installer) lets an already-authenticated low-privileged user overflow a stack buffer to gain higher privileges on affected Windows 10, Windows 11, and Windows Server builds. Microsoft self-reported the flaw and has shipped a patch; there is no public exploit identified at time of analysis and it is not listed in CISA KEV. The CVSS 7.8 (AV:L/PR:L) rating reflects a locally-launched attack with high confidentiality, integrity, and availability impact.
Local code execution in the Windows NTFS file system driver lets an unauthorized attacker run arbitrary code by tricking a user into interacting with specially crafted content, per Microsoft's MSRC advisory. The flaw is a heap-based buffer overflow (CWE-122) affecting a broad range of Windows releases from Windows 10 1607 through Windows 11 26H1 and Windows Server 2012 through Server 2025. No public exploit is identified at time of analysis and it is not listed in CISA KEV, but the low attack complexity and full-CIA impact make it a meaningful local code-execution risk.
Local privilege escalation in the Windows Notification component lets an already-authenticated low-privileged user elevate to higher privileges (SYSTEM) across a broad range of Windows 10, Windows 11, and Windows Server releases. The flaw stems from an incorrect type conversion/cast (CWE-704) and carries a CVSS 7.8 (AV:L/AC:L/PR:L/UI:N) with high confidentiality, integrity, and availability impact. Microsoft has released a patch; there is no public exploit identified at time of analysis and the CVE is not listed in CISA KEV.
Local privilege escalation in the Windows NTFS file-system driver allows an authenticated attacker to run code with elevated (SYSTEM-level) privileges by triggering a stack-based buffer overflow (CWE-121). The flaw was reported by Microsoft and affects a broad range of Windows client and server releases from Windows 10 1607 through Windows 11 26H1 and Windows Server 2012 through Server 2025. No public exploit identified at time of analysis, and it is not listed in CISA KEV; the CVSS 3.1 base score is 7.8 (High).
Privilege escalation in Microsoft Windows SMB Server allows an already-authenticated network attacker to elevate to higher privileges by abusing a flawed authentication algorithm, yielding high confidentiality, integrity, and availability impact. The flaw affects Windows 10 (21H2/22H2), Windows 11 (24H2/25H2/26H1), and Windows Server 2022/2025 including Server Core. Reported by Microsoft with a patch available; no public exploit identified at time of analysis.
Local privilege elevation in the Microsoft Windows TCP/IP networking stack lets an already-authenticated, low-privileged user corrupt kernel memory via a use-after-free (CWE-416) and gain SYSTEM-level control. The flaw affects a broad range of client and server SKUs from Windows 10 1607 through Windows 11 26H1 and Windows Server 2012 through Server 2025, including Server Core installations. Microsoft reported the issue and has released a patch; there is no public exploit identified at time of analysis and the CVE is not listed in CISA KEV.
Denial of service in Microsoft Windows Server Update Services (WSUS) lets a remote, unauthenticated attacker crash or disrupt the update service by triggering an uncaught exception over the network. The flaw affects WSUS across Windows Server 2012 through 2025 (plus Windows 10 1607/1809 servicing components), and the CVSS 3.1 availability-only vector (A:H) indicates service unavailability rather than data compromise. No public exploit identified at time of analysis, but a vendor patch is available and the flaw is network-reachable without authentication.
Denial of service in Microsoft Active Directory Federation Services (AD FS) lets a remote, unauthenticated attacker crash the service by triggering a stack-based buffer overflow (CWE-121) over the network. Because AD FS commonly fronts single sign-on for Microsoft 365, SaaS, and internal web applications, a successful crash can knock out federated authentication for an entire organization. No public exploit identified at time of analysis, and the flaw is availability-only — confidentiality and integrity are not impacted per the CVSS vector.
Local privilege escalation in the Windows Push Notifications component (WNS/WpnService) lets an already-authenticated low-privileged user overwrite adjacent heap memory to gain SYSTEM-level control across Windows 10 (1607-22H2), Windows 11 (24H2-26H1), and Windows Server 2012 R2 through 2025. Microsoft reported the flaw and has shipped a fix; there is no public exploit identified at time of analysis and it is not listed in CISA KEV. The high CVSS 7.8 reflects full confidentiality, integrity, and availability impact once triggered, but exploitation requires prior local access.
Local privilege escalation in the Microsoft Windows Kernel allows an already-authenticated attacker to gain SYSTEM-level control by exploiting a use-after-free (CWE-416) memory corruption condition. The flaw affects a broad range of supported Windows client and server releases (Windows 10 1809 through Windows 11 26H1, and Windows Server 2019 through 2025) and, per the CVSS 7.8 vector, yields full confidentiality, integrity, and availability impact. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV; Microsoft has released a patch.
Local privilege escalation in the Windows Redirected Drive Buffering Subsystem (RDBSS) lets an authenticated low-privileged attacker read memory beyond an allocated buffer to elevate to higher privileges. The flaw affects a broad range of currently-supported Windows client and server releases (Windows 10 1607 through Windows 11 26H1, Windows Server 2012 through Server 2025) and carries a CVSS 7.0 (High) rating. Microsoft has released a patch; there is no public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Local privilege escalation in the Windows Kernel lets a low-privileged, authenticated attacker gain SYSTEM-level control by triggering a heap-based buffer overflow (CWE-122). The flaw spans a broad platform range from Windows 10 1607 through Windows 11 26H1 and Windows Server 2012 through Server 2025, and was reported internally by Microsoft. No public exploit is identified at time of analysis and it is not in CISA KEV, but the ubiquity of the affected component plus full high impact on confidentiality, integrity, and availability make it a meaningful patch priority.
Improper certificate validation in Windows Cryptographic Services allows an unauthorized attacker to bypass a security feature over a network.
Use of a cryptographic primitive with a risky implementation in Windows Key Guard allows an authorized attacker to bypass a security feature locally.
Integer underflow in the Windows Kernel enables a locally authenticated attacker to disclose sensitive kernel memory contents across a broad range of Windows 10, Windows 11, and Windows Server platforms. The CVSS vector (AV:L/AC:L/PR:L/UI:N) confirms that any low-privilege local user can trigger the flaw without special configuration or user interaction, yielding high confidentiality impact with no integrity or availability consequences. Microsoft has released a patch via the July 2026 Security Update Guide; no public exploit has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog.
Access of resource using incompatible type ('type confusion') in Composite Image File System Driver allows an authorized attacker to disclose information locally.
Local privilege escalation in the Windows Clip Service (clipboard/cloud clipboard component, cbdhsvc) affects a broad range of Windows 10, Windows 11, and Windows Server 2019-2025 builds, where a race condition in concurrent access to a shared resource lets an already-authenticated local attacker win a timing window to gain higher privileges. Reported by Microsoft with a patch available; there is no public exploit identified at time of analysis and it is not listed in CISA KEV. Note a source conflict: the description and CWE describe privilege elevation with high confidentiality/integrity/availability impact, while the intelligence tags label it 'Information Disclosure' - treat the primary impact as local EoP per the CVSS vector.
Local privilege escalation in the Microsoft Windows App Store (AppX/package deployment component) allows an authorized, low-privileged user to win a race condition and gain higher privileges on affected Windows client and server builds spanning Windows 10 1607 through Windows 11 26H1 and Windows Server 2016 through 2025. Exploitation requires local access and already-held low privileges, and the high attack complexity reflects the timing precision needed to win the race. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but Microsoft has released a patch.
Privilege escalation in the Windows Win32K kernel-mode subsystem lets an already-authenticated local user gain SYSTEM-level control across a broad range of Windows client and server releases (Windows 10 1607 through Windows 11 26H1, and Windows Server 2012 through Server 2025). Rooted in improper access control (CWE-284), successful exploitation yields full confidentiality, integrity, and availability impact on the host. There is no public exploit identified at time of analysis and the CVSS vector's high attack complexity (AC:H) tempers the practical risk.
Local privilege escalation in the Windows Win32K kernel-mode subsystem allows an already-authenticated, low-privileged user to elevate to SYSTEM through improper access control (CWE-284). Affected builds span Windows 10 (1607 through 22H2), Windows 11 (24H2/25H2/26H1), and Windows Server 2012 through 2025. No public exploit identified at time of analysis, and it is not listed in CISA KEV; Microsoft has released a patch.
Local privilege escalation in the Microsoft Windows Graphics Kernel component allows a low-privileged local user to elevate to SYSTEM by exploiting a use-after-free (CWE-416) memory corruption condition. The flaw affects a broad range of Windows 10, Windows 11, and Windows Server releases, was reported by Microsoft, and has a vendor-released patch available. No public exploit is identified at time of analysis and it is not listed in CISA KEV; the high attack complexity (AC:H) makes reliable exploitation non-trivial.
Local privilege escalation in the Windows Kernel lets an already-authenticated, low-privileged user corrupt kernel memory via a use-after-free (CWE-416) and gain higher privileges on the host. The flaw affects a broad range of currently-supported Windows client and server releases (Windows 10 1607 through Windows 11 26H1, and Windows Server 2016 through 2025); Microsoft has shipped a fix. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Insertion of sensitive information into log file in Windows Kernel allows an authorized attacker to disclose information locally.
Integer overflow or wraparound in Windows Spaceport.sys allows an unauthorized attacker to elevate privileges with a physical attack.
Exposure of sensitive information to an unauthorized actor in Windows DirectX allows an unauthorized attacker to disclose information locally.
Local privilege escalation in the Windows Audio Compression Manager (ACM) allows a low-privileged authenticated user to elevate to higher privileges (CVSS 7.8, CWE-284 improper access control). It affects a broad Windows fleet spanning Windows 10 (1607 through 22H2), Windows 11 (24H2/25H2/26H1), and Windows Server 2012 through 2025. Reported by Microsoft with a patch available; there is no public exploit identified at time of analysis and it is not listed in CISA KEV.
Local privilege escalation in Microsoft Windows Resilient File System (ReFS) allows an authenticated low-privileged user to gain elevated (SYSTEM-level) privileges by triggering a stack-based buffer overflow (CWE-121) in the ReFS driver. The flaw affects a broad range of Windows client and server releases, from Windows 10 1607 through Windows 11 26H1 and Windows Server 2016 through 2025. Microsoft has released a patch; there is no public exploit identified at time of analysis and the CVE is not listed in CISA KEV.
Local privilege escalation in the Windows AppX Deployment Service (AppXSvc) lets an already-authenticated, low-privileged user win a race condition to elevate to higher privileges across a broad range of Windows client and server builds (Windows 10 1607 through Windows 11 26H1, and Windows Server 2012 through 2025). The flaw stems from improper synchronization of a shared resource, and successful exploitation yields full confidentiality, integrity, and availability impact on the host. It is reported by Microsoft with a vendor patch available; there is no public exploit identified at time of analysis and it is not listed in CISA KEV.
Local privilege escalation in the Windows Win32K kernel-mode subsystem allows an already-authenticated low-privileged user to elevate to SYSTEM through an improper access-control flaw. The issue affects a broad range of Windows client and server releases, from Windows 10 1607 and Windows Server 2012 through Windows 11 26H1 and Windows Server 2025. Microsoft has released a patch; there is no public exploit identified at time of analysis, and the flaw is not listed in CISA KEV.
Use of uninitialized resource in Windows SMB allows an authorized attacker to disclose information locally.
Local privilege escalation in the Windows Spaceport.sys Storage Spaces driver lets an already-authenticated low-privileged user gain SYSTEM-level control across Windows 10, Windows 11, and Windows Server 2016 through 2025. The flaw stems from a missing authentication check on a critical driver function (CWE-306), and Microsoft has released a patch; no public exploit has been identified at time of analysis. With CVSS 7.8 (local, low-privilege) and full confidentiality, integrity, and availability impact, it is a strong candidate for chaining after an initial foothold.
Exposure of sensitive system information to an unauthorized control sphere in Windows Kernel allows an unauthorized attacker to disclose information locally.
Heap-based buffer overflow in Windows USB Video Driver allows an unauthorized attacker to elevate privileges with a physical attack.
Elevation of privilege in Microsoft Windows (Server 2012 through 2025 and Windows 10/11 clients) lets a low-privileged local user gain SYSTEM-level rights by abusing an improper access control (CWE-284) weakness. The flaw was reported by Microsoft with a patch available, and CVSS 3.1 rates it 7.8 (High) with local vector and low privileges required. No public exploit identified at time of analysis and it is not listed in CISA KEV, so this is a patch-worthy but not emergency issue absent evidence of active exploitation.
Local code execution in the Microsoft Windows NTFS file-system driver lets an attacker run arbitrary code by inducing a victim to interact with a specially crafted NTFS artifact (e.g., a malicious volume, VHD, or file). The flaw stems from an integer underflow (CWE-191) and spans a broad range of Windows client and server builds from Windows Server 2012 through Windows Server 2025 and Windows 10/11. Microsoft has released a patch; there is no public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Uncontrolled resource consumption in Windows Local Security Authority Subsystem Service (LSASS) allows an authorized attacker to deny service over a network.
Local privilege escalation in the Windows Web Proxy Auto-Discovery Protocol (WPAD) component lets an already-authenticated local user run code with SYSTEM-level rights by triggering an integer overflow (CWE-190). The flaw affects a broad range of Windows client and server builds, from Windows 10 1809 through Windows 11 26H1 and Windows Server 2019 through 2025. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the low attack complexity and high triad impact make it a meaningful patch-tier issue.
Integer overflow or wraparound in Windows Storage Spaces Direct allows an unauthorized attacker to execute code with a physical attack.
Local privilege escalation in the Microsoft Windows Kernel allows an unauthorized attacker to gain elevated (SYSTEM-level) privileges by triggering a use-after-free condition (CWE-416) in kernel memory. The flaw affects a broad range of supported Windows client and server releases, from Windows 10 1607 and Windows Server 2012 through Windows 11 26H1 and Windows Server 2025. Microsoft has released a patch; there is no public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Local code execution in the Windows NTFS driver (CVE-2026-49797) allows an attacker with local access to run arbitrary code by tricking a user into interacting with a maliciously crafted NTFS artifact, exploiting a heap-based buffer overflow (CWE-122). The flaw affects a broad range of Windows client and server releases from Windows 10 1607 and Server 2012 through Windows 11 26H1 and Server 2025. Microsoft has released a patch; no public exploit identified at time of analysis and it is not listed in CISA KEV.
Local privilege escalation in the Windows Kernel lets an already-authenticated attacker corrupt kernel memory via a use-after-free (CWE-416) and gain full control of the host. The CVSS 3.1 vector (AV:L/PR:L, scope-changed with C:H/I:H/A:H) reflects a low-privileged local user escalating to SYSTEM-level compromise across a broad range of Windows 10, Windows 11, and Windows Server builds. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but Microsoft has released a patch.
Local code execution in Windows GDI+ (the Graphics Device Interface Plus rendering component) affects a broad range of Microsoft Windows client and server releases from Windows 10 1607 through Windows 11 26H1 and Windows Server 2012 through Server 2025. An attacker who convinces a user to open or preview a specially crafted image or document triggers a heap-based buffer overflow (CWE-122) during graphics parsing, yielding arbitrary code execution in the context of the current user. The CVSS 3.1 base score is 7.8 (AV:L/AC:L/PR:N/UI:R); there is no public exploit identified at time of analysis and it is not listed in CISA KEV, but GDI+ image-parsing flaws are historically attractive to attackers.
Out-of-bounds read in Windows USB Audio Class driver (usbaudio.sys) allows an unauthorized attacker to disclose information with a physical attack.
Local privilege escalation via arbitrary code execution in Microsoft Windows Resilient File System (ReFS) affects a broad range of Windows 10, Windows 11, and Windows Server (2016-2025) builds. An authorized (low-privileged) attacker who can trigger the vulnerable heap allocation path can corrupt heap memory (CWE-122) to run code in the security context of the ReFS driver, yielding full confidentiality, integrity, and availability impact. No public exploit identified at time of analysis, and the flaw is not on the CISA KEV list.
Local code execution in Microsoft's Resilient File System (ReFS) driver allows an authorized (low-privileged) attacker to run arbitrary code with elevated context via a numeric truncation flaw. The bug affects the ReFS component shipped with Windows 10, Windows 11, and Windows Server 2016 through 2025. There is no public exploit identified at time of analysis and it is not listed in CISA KEV; note that the CVE's own tags label it 'Information Disclosure' while the description and CVSS impact (C:H/I:H/A:H) describe full code execution - the code-execution reading should be treated as authoritative.
Local privilege escalation in Microsoft Windows Routing and Remote Access Service (RRAS) allows an already-authenticated low-privileged user to abuse a link-following (symlink/junction) flaw to gain higher privileges on the host. The bug affects a broad range of client and server SKUs from Windows Server 2012 through Windows Server 2025 and Windows 10 1607 through Windows 11 26H1, and Microsoft has shipped a fix. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.
Elevation of privilege in the Windows Universal Disk Format File System driver (UDFS.sys) lets a low-privileged local user gain elevated (kernel/SYSTEM) rights after the victim mounts or opens a maliciously crafted UDF volume. The flaw stems from an integer arithmetic error (CWE-191) in the driver that parses UDF-formatted media such as ISO images, optical discs, and virtual disk files, and affects a broad range of Windows client and server releases from Windows Server 2012 and Windows 10 1607 through Windows 11 26H1 and Windows Server 2025. Microsoft reported the issue and has shipped a patch; there is no public exploit identified at time of analysis and the CVE is not listed in CISA KEV.
Local privilege escalation in the Microsoft Windows NTFS driver allows an already-authenticated, low-privileged user to gain elevated (likely SYSTEM) privileges by triggering a stack-based buffer overflow, contingent on user interaction. The flaw spans a broad range of supported Windows client and server releases, from Windows 10 1607 and Server 2012 through Windows 11 26H1 and Server 2025. Microsoft has issued a patch and reported the issue itself; there is no public exploit identified at time of analysis and the CVE is not listed in CISA KEV.
Denial of service in the Windows HTTP/2 network stack allows a remote, unauthenticated attacker to exhaust server resources and render affected services unavailable across a broad range of Windows client and server releases (Windows 10/11 and Windows Server 2016 through 2025). Reported by Microsoft with a vendor patch available; there is no public exploit identified at time of analysis and it is not listed in CISA KEV. The 7.5 CVSS reflects high availability impact with no confidentiality or integrity loss.
Denial of service in Microsoft Windows HTTP.sys allows remote unauthenticated attackers to exhaust system resources and make affected hosts unresponsive over the network. The flaw stems from missing resource limits/throttling (CWE-770) in the kernel-mode HTTP protocol stack, affecting a broad range of Windows client and server releases from Windows 10 1607 through Windows 11 26H1 and Windows Server 2016 through 2025. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV; a vendor patch is available via MSRC.
Security feature bypass in Windows Secure Boot (CWE-358) allows a locally authenticated attacker on affected Windows 10, Windows 11, and Windows Server (2016 through 2025) systems to defeat the boot-integrity trust chain due to an improperly implemented standard security check. Because Secure Boot is the gate that blocks unsigned/tampered bootloaders and rootkits, a successful bypass can enable pre-OS persistence and undermine downstream protections such as BitLocker and Measured Boot. There is no public exploit identified at time of analysis and the CVE is not listed in CISA KEV; Microsoft has published a patch via its update guide.
Local privilege escalation in the Windows Clipboard Server (Windows 10 1809 through Windows 11 26H1 and Windows Server 2019 through 2025) allows an already-authenticated low-privileged user to win a race condition and gain higher privileges on the host. Microsoft credits its own researchers and has shipped a fix; there is no public exploit identified at time of analysis and the CVSS base score is 7.0 (High). The high attack complexity reflects the timing precision needed to exploit the race, which meaningfully limits reliable weaponization.
Local code execution in Microsoft Windows NTFS (New Technology File System) stems from a heap-based buffer overflow (CWE-122) that lets a local attacker run arbitrary code with high confidentiality, integrity, and availability impact. The flaw affects a broad range of Windows client and server builds - from Windows 10 1607 and Server 2012 through Windows 11 26H1 and Server 2025 - and Microsoft has released a patch. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but NTFS's role as the default Windows filesystem makes the exposed surface extremely wide.
Information disclosure (and vendor-labeled privilege elevation) in the Windows DHCP Client affects Windows 10 (1607/1809), Windows Server 2012 through 2025, and their Server Core installations via an integer underflow (CWE-191) reachable over the network. A remote attacker positioned to answer DHCP traffic can craft malformed responses that wrap a length/counter calculation, with a CVSS 3.1 base of 7.5 (confidentiality impact only per the published vector). No public exploit is identified at time of analysis and it is not listed in CISA KEV, but Microsoft ships a patch.
Improper link resolution before file access ('link following') in Universal Plug and Play (upnp.dll) allows an authorized attacker to disclose information locally.
Remote code execution in Microsoft Active Directory Domain Services (AD DS) allows an authenticated network attacker to run arbitrary code on domain controllers by triggering a heap-based buffer overflow (CWE-122). Affected platforms span Windows Server 2012 through 2025 (including Server Core) and Windows 10/11 clients acting in AD roles, with Microsoft-issued patches available. There is no public exploit identified at time of analysis and it is not on CISA KEV, but the CVSS 8.8 rating and the sensitivity of the domain-controller attack surface make this a high-priority patch.
Remote code execution in the Microsoft Windows DHCP Server role allows an authenticated network attacker (PR:L) to trigger a heap-based buffer overflow and run arbitrary code on the server. The flaw affects DHCP Server across Windows Server 2012 through Server 2025 (including Server Core installations) and carries a CVSS 8.8 with full confidentiality, integrity, and availability impact. Reported by Microsoft with a vendor patch available; no public exploit identified at time of analysis.
Denial of service in the Windows Local Security Authority Subsystem Service (LSASS) allows a remote, unauthenticated attacker to crash the service and disrupt authentication across all supported Windows client and server releases from Windows 10 1607 through Windows 11 26H1 and Windows Server 2012 through Server 2025. The flaw stems from an excessive-size memory allocation (CWE-789) triggerable over the network with no privileges or user interaction, and while a vendor patch is available, there is no public exploit identified at time of analysis and it is not listed in CISA KEV. Impact is limited to availability (A:H) with no confidentiality or integrity loss, but LSASS failure can force system instability or reboots, affecting domain authentication and logon.
Windows Cryptographic Services across a broad range of Windows 10, Windows 11, and Windows Server versions fails to release allocated memory after its effective lifetime (CWE-401), enabling a remote unauthenticated attacker to cause a denial-of-service condition over the network. The CVSS vector (AV:N/AC:L/PR:N/UI:N) confirms exploitation requires no authentication, no user interaction, and no elevated privileges against default configurations. Microsoft has released a patch via MSRC advisory CVE-2026-44806; no public exploit or CISA KEV listing has been identified at time of analysis.
Windows Event Logging Service across a wide range of Windows 10, Windows 11, and Windows Server versions fails to enforce its intended protection mechanisms, permitting any authenticated low-privileged network user to read information that should be access-controlled. The CVSS vector (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N) confirms exploitation requires only a valid low-privilege account and network connectivity, with no user interaction and no elevated rights - making it a practical post-compromise lateral-movement or reconnaissance tool. No public exploit code has been identified and this CVE is not listed in CISA KEV at time of analysis, but the ubiquitous deployment footprint across the Windows ecosystem elevates organizational exposure.
Remote code execution in Windows PowerShell allows an authenticated attacker with low privileges to run arbitrary code across a network by exploiting a relative path traversal (CWE-23) flaw, provided a victim is induced to interact (UI:R). Affecting supported Windows 10/11 clients and Windows Server 2012 through 2025, the issue carries a CVSS 8.0 with full confidentiality, integrity, and availability impact, and a vendor patch is available via MSRC. There is no public exploit identified at time of analysis, and the CVE is not listed in CISA KEV.
Exposure of sensitive information to an unauthorized actor in Windows File Explorer allows an authorized attacker to disclose information locally.
Use of uninitialized resource in Windows File Explorer allows an authorized attacker to disclose information locally.
Windows Audio Service on multiple Windows desktop and server versions improperly exposes sensitive information to locally authenticated standard users, enabling information disclosure without requiring elevated privileges. Affecting Windows 10 1809 through Windows 11 26H1 and Windows Server 2019 (with Server 2022 and 2025 referenced in tags), the flaw is exploitable post-foothold by any low-privileged local account, making it a realistic post-exploitation pivot rather than an initial access vector. No public exploit code has been identified at time of analysis, and a vendor-released patch is confirmed available via the Microsoft Security Response Center.
Exposure of sensitive information to an unauthorized actor in Windows File Explorer allows an authorized attacker to disclose information locally.
Local code execution in Microsoft Windows NTFS driver allows an authenticated attacker to run arbitrary code by triggering a heap-based buffer overflow (CWE-122) after inducing user interaction. The flaw affects a broad range of Windows client and server releases, from Windows 10 1607 and Windows Server 2012 through Windows 11 26H1 and Windows Server 2025. It was reported by Microsoft, a vendor patch is available, and there is no public exploit identified at time of analysis.