Windows Server 2025
Monthly
Privilege escalation in the Windows Remote Access Connection Manager (RasMan) service lets an authenticated, low-privileged attacker corrupt memory over the network to gain higher privileges on affected Windows 10, 11, and Server systems. The flaw is a CWE-416 use-after-free carrying a CVSS 8.8 with high impact to confidentiality, integrity, and availability. Microsoft has released a patch; there is no public exploit identified at time of analysis and it is not listed in CISA KEV.
Protection mechanism failure in Windows BitLocker allows an unauthorized attacker to bypass a security feature with a physical attack.
Local code execution in the Windows Media component of supported Windows 10, Windows 11, and Windows Server (2016 through 2025) releases lets an unauthorized attacker run arbitrary code when a victim opens a maliciously crafted media file. The flaw is a heap-based buffer overflow (CWE-122) reported by Microsoft with a vendor patch available; there is no public exploit identified at time of analysis. CVSS is 7.8 (High), driven by full confidentiality, integrity, and availability impact but gated by local vector and required user interaction.
Denial of service in Microsoft Active Directory Federation Services (AD FS) allows an unauthenticated, remote attacker to send crafted network requests that drive a request-handling routine into an infinite loop (CWE-835), exhausting CPU and rendering the federation service unavailable. All supported Windows Server releases hosting the AD FS role are impacted, and because the flaw requires no authentication and no user interaction (CVSS 7.5, AV:N/AC:L/PR:N/UI:N), it can knock out single sign-on for every relying-party application. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, so this is a patch-priority availability issue rather than a confirmed active-exploitation event.
Remote code execution in the Microsoft Windows DHCP Server role allows an unauthenticated network attacker to run arbitrary code by triggering a heap-based buffer overflow (CWE-122) in the service's packet handling. The flaw carries a critical CVSS 9.8 (AV:N/AC:L/PR:N/UI:N) and affects Windows Server 2012 through 2025 as well as the underlying Windows 10 1607/1809 code base. There is no public exploit identified at time of analysis and the CVE is not listed in CISA KEV, but the unauthenticated network RCE profile makes it a high-priority patch.
Local privilege escalation in the Windows Wireless Wide Area Network Service (WwanSvc) lets an authenticated low-privileged user elevate to SYSTEM by delivering crafted serialized data that the service deserializes unsafely (CWE-502). Reported by Microsoft, it affects a broad range of Windows 10, Windows 11, and Windows Server builds and carries CVSS 7.8 with high confidentiality, integrity, and availability impact. No public exploit is identified at time of analysis and it is not in CISA KEV, but a vendor patch is available.
Buffer over-read in Remote Desktop Client allows an unauthorized attacker to disclose information over a network.
Information disclosure in the Windows Network Policy Server (NPS) SNMP handling allows a remote, unauthenticated attacker to read out-of-bounds memory over the network and disclose potentially sensitive data. The flaw affects a broad range of Windows Server (2012 through 2025) and Windows client builds where the NPS role/SNMP component is present. There is no public exploit identified at time of analysis and it is not listed in CISA KEV; a vendor patch is available from Microsoft (MSRC).
Off-by-one memory boundary error in the Windows Remote Desktop Protocol exposes sensitive memory contents over the network to unauthenticated remote attackers on all major Windows client and server releases. The CWE-193 root cause allows the RDP parser to read one element beyond an allocated buffer boundary, yielding a high-confidentiality-impact information disclosure (C:H) with no integrity or availability consequence. No public exploit identified at time of analysis, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog; however, the breadth of affected Windows versions - spanning Windows 10 1607 through Windows 11 26H1 and Windows Server 2012 through 2025 - gives this a wide potential attack surface warranting prompt patching.
Local privilege escalation in the Windows Runtime (WinRT) affects current Microsoft platforms including Windows 11 24H2, 25H2, 26H1, and Windows Server 2025, where a race condition (CWE-362) in the handling of a shared resource lets an already-authenticated local user win a timing window to gain higher privileges. Microsoft has released a patch, and there is no public exploit identified at time of analysis. With a CVSS 7.0 (AV:L/AC:H/PR:L) the flaw requires local access and precise timing, making it a plausible second-stage escalation rather than an initial entry point.
Local code execution in Microsoft's Resilient File System (ReFS) driver affects Windows 11 (24H2, 25H2, 26H1) and Windows Server 2025, where a stack-based buffer overflow (CWE-121) can be triggered when a victim interacts with attacker-crafted ReFS data. The CVSS 3.1 vector (AV:L/AC:L/PR:N/UI:R) shows an unauthenticated but user-interaction-dependent local attack yielding full confidentiality, integrity, and availability impact. No public exploit identified at time of analysis and the flaw is not on CISA KEV, so it currently represents a patch-priority rather than an active-exploitation emergency.
Heap-based buffer overflow in Windows Resilient File System (ReFS) allows an unauthorized attacker to execute code with a physical attack.
Local privilege escalation in the Windows Code Integrity module (ci.dll) lets an already-authenticated low-privileged attacker read out-of-bounds memory (CWE-125) and leverage the resulting condition to gain higher privileges on affected Windows 10, Windows 11, and Windows Server systems back to Server 2012. The CVSS 3.1 score is 7.0 (High) with a local vector and high attack complexity, and there is no public exploit identified at time of analysis. Microsoft self-reported the issue and has released a patch through the MSRC update guide.
Remote code execution in the Microsoft Windows Message Queuing (MSMQ) service arises from a use-after-free (CWE-416) memory-corruption flaw that an authenticated attacker can trigger across a network to run arbitrary code in the service context. It affects a broad range of supported Windows client and server releases from Windows 10 1607 and Windows Server 2012 through Windows 11 26H1 and Windows Server 2025 wherever the MSMQ component is enabled. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but Microsoft rates it CVSS 7.5 and has released a fix.
Elevation of privilege in the Microsoft Windows Universal Disk Format File System driver (UDFS) allows a local attacker to gain higher privileges after a user mounts or opens a maliciously crafted UDF-formatted volume such as an ISO or disc image. The flaw is an out-of-bounds read (CWE-125) in the kernel-mode UDFS parser, and successful exploitation yields high impact to confidentiality, integrity, and availability (CVSS 7.8). No public exploit identified at time of analysis and it is not listed in CISA KEV, but Microsoft has released a patch.
Local privilege escalation in the Windows Installer (msiexec) service across Windows 10, Windows 11, and Windows Server 2012 through 2025 allows an already-authenticated local user to gain higher privileges by triggering a use-after-free memory-corruption condition. No public exploit has been identified at time of analysis, and it is not listed in CISA KEV, but Microsoft has published a patch. The high CVSS complexity (AC:H) indicates exploitation requires winning a race or meeting specific timing/heap conditions rather than being trivially reliable.
Local privilege escalation to code execution in the Windows NTFS file-system driver stems from a heap-based buffer overflow (CWE-122) that an authenticated local attacker can trigger to run arbitrary code with elevated privileges. The flaw was reported by Microsoft and spans a broad range of currently-supported Windows client and server releases, from Windows 10 1607 and Server 2012 through Windows 11 26H1 and Server 2025. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the low attack complexity and reliable memory-corruption primitive in a core kernel-mode driver make it a strong candidate for patch-Tuesday prioritization.
Local privilege escalation in the Windows Win32K kernel subsystem (CWE-122 heap-based buffer overflow) lets an already-authenticated low-privileged attacker corrupt kernel heap memory and gain SYSTEM-level control across a broad range of Windows client and server releases. The flaw carries a CVSS 3.1 base score of 8.8 with a changed scope (S:C), reflecting that a user-mode process can compromise the kernel security boundary. It was reported by Microsoft, a vendor patch is available, and there is no public exploit identified at time of analysis.
Local privilege escalation in the Windows Print Spooler Components affects Windows 10 (1809, 21H2, 22H2), Windows 11 (24H2, 25H2, 26H1), and Windows Server 2019/2022/2025, where a heap-based buffer overflow (CWE-122) lets an already-authenticated local user corrupt heap memory in a Spooler component and gain SYSTEM-level privileges. Exploitation requires low-privilege local access (CVSS AV:L/PR:L) with no user interaction, yielding full confidentiality, integrity, and availability impact. There is no public exploit identified at time of analysis and the CVE is not listed in CISA KEV.
Privilege escalation in the Windows Netlogon service allows an already-authenticated, low-privileged network attacker to elevate to higher privileges by exploiting a use-after-free (CWE-416) memory-corruption condition. The flaw affects a broad range of Windows client and server releases from Windows 10 1607 and Windows Server 2012 through Windows 11 26H1 and Windows Server 2025, including Server Core installations. Reported by Microsoft with a vendor patch available; there is no public exploit identified at time of analysis and it is not listed in CISA KEV.
Local privilege escalation in the Windows Clipboard User Service lets an already-authenticated low-privileged user run OS commands in the service's higher-privilege security context by injecting special elements into a command the service constructs (CWE-77). Affected platforms are Windows 11 24H2/25H2 and Windows Server 2025 (including Server Core). Microsoft has issued a patch; there is no public exploit identified at time of analysis and the flaw is not on the CISA KEV list.
Network-based privilege elevation in Microsoft Windows DNS (Windows 11 24H2/25H2/26H1 and Windows Server 2025) stems from a use-after-free memory corruption condition that an unauthenticated remote attacker can exploit to gain elevated privileges with full confidentiality, integrity, and availability impact. The flaw requires no prior authentication or user interaction (PR:N/UI:N) but carries high attack complexity (AC:H), meaning reliable exploitation depends on winning a race or satisfying a specific memory-state timing window. Microsoft self-reported the issue and has shipped a patch; no public exploit identified at time of analysis and it is not currently listed in CISA KEV.
Elevation of privilege in the Windows Runtime (WinRT) component affects Windows 10 (21H2/22H2), Windows 11 (24H2/25H2/26H1), and Windows Server 2025, where a use-after-free memory-corruption flaw lets an already-authenticated local user run code at higher privilege. Microsoft has released a patch and reported the issue; there is no public exploit identified at time of analysis and the CVE is not listed in CISA KEV. Given the CVSS 7.8 (Important) rating and full C/I/A impact, this is a standard local privilege-escalation risk suited for regular patch prioritization rather than emergency response.
Denial of service in Windows Hyper-V allows an authorized, adjacent-network attacker to crash or disrupt the hypervisor by triggering a buffer over-read (CWE-126). Affected platforms span Windows 10, Windows 11, and Windows Server 2012 through 2025, covering a broad slice of Microsoft's enterprise footprint. No public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV, but a vendor-issued patch is available via Microsoft MSRC.
Remote code execution in the Microsoft Windows Event Logging Service allows an authenticated attacker with low privileges to execute code over a network after enticing a user into an interaction (UI:R), due to insufficient granularity of access control (CWE-1220). The flaw affects a broad range of Windows client and server builds from Windows 10 1607 and Windows Server 2012 through Windows 11 26H1 and Windows Server 2025. Microsoft has released a patch; there is no public exploit identified at time of analysis and the CVE is not listed in CISA KEV.
Local privilege escalation in the Windows Graphics Kernel component allows an authenticated attacker to elevate to SYSTEM by triggering a use-after-free (CWE-416) memory-corruption condition. All currently supported Windows client and server builds are affected - from Windows 10 1809 through Windows 11 26H1 and Windows Server 2019 through 2025. No public exploit identified at time of analysis; Microsoft has released a patch, and the CVSS 7.8 (Important) rating reflects high impact but a local-access, low-privilege prerequisite.
Local privilege escalation in the Microsoft Windows Kernel lets an already-authenticated attacker corrupt heap memory to gain SYSTEM-level control across Windows 10 (1809/21H2/22H2), Windows 11 (24H2/25H2/26H1), and Windows Server 2019/2022/2025. The CVSS 7.8 (AV:L/PR:L) rating reflects that low-privileged code execution is a prerequisite; there is no public exploit identified at time of analysis, but Microsoft has released a patch. This is a classic post-exploitation escalation primitive rather than an initial-access vector.
Exposure of sensitive information to an unauthorized actor in Microsoft Graphics Component allows an authorized attacker to disclose information locally.
Local tampering in Windows DNS via improper access control (CWE-284) allows a low-privilege authenticated local user to manipulate DNS configuration or records across a broad range of Windows 10, Windows 11, and Windows Server releases. The CVSS vector (AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L) confirms exploitation requires only a valid local account with no elevated privileges, yielding high integrity impact with minimal availability disruption and no direct confidentiality exposure. No public exploit code or CISA KEV listing has been identified at time of analysis, but the 'Authentication Bypass' advisory tag suggests DNS tampering may enable downstream bypass of authentication mechanisms dependent on DNS resolution, potentially amplifying the effective impact beyond the raw CVSS score.
Local privilege-level code execution in the Windows NTFS file-system driver affects a broad range of Windows client and server releases, from Windows 10 1607 and Server 2012 through Windows 11 26H1 and Server 2025. A heap-based buffer overflow (CWE-122) lets an authorized local attacker who can induce a user to interact with a crafted file or volume execute arbitrary code in the security context of the kernel-mode NTFS component. There is no public exploit identified at time of analysis and it is not in CISA KEV, but Microsoft has released a patch and the flaw carries full high confidentiality, integrity, and availability impact.
Local privilege escalation in the Microsoft Windows USB Hub Driver allows an authenticated low-privileged user to elevate to SYSTEM by triggering an untrusted pointer dereference (CWE-822), affecting Windows 10 (1809/21H2/22H2) and Windows Server 2019 through 2025. Successful exploitation yields full confidentiality, integrity, and availability impact on the local host. There is no public exploit identified at time of analysis and the flaw is not listed in CISA KEV, but Microsoft has released a patch.
Local privilege escalation in the Microsoft Windows Kernel lets an authenticated attacker who already has low-privileged code execution on a host elevate to SYSTEM by exploiting a use-after-free (CWE-416) memory corruption. It affects a broad range of supported Windows client and server builds - Windows 10 (1809/21H2/22H2), Windows 11 (24H2/25H2/26H1), and Windows Server 2019/2022/2025 - and Microsoft has released a patch. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, so exploitation appears unproven publicly despite the reliably-exploitable nature of kernel UAF flaws.
Local privilege escalation in the Microsoft Windows Kernel lets an already-authenticated attacker corrupt heap memory (CWE-122) to run code with SYSTEM-level privileges. It affects a broad range of supported Windows client and server releases (Windows 10 1607 through Windows 11 26H1, and Windows Server 2012 through Server 2025). No public exploit identified at time of analysis, but the CVSS 8.8 rating and scope change make it a strong candidate for chaining after initial access.
Local privilege escalation in the Microsoft Windows Kernel arises from a use-after-free (CWE-416) memory-corruption flaw that lets an attacker running code on the machine gain higher privileges, potentially SYSTEM. It affects a broad range of current Windows client and server builds (Windows 10 21H2/22H2, Windows 11 24H2/25H2/26H1, Windows Server 2022/2025). No public exploit identified at time of analysis, but the local attack surface and full CIA impact make it a standard Patch-Tuesday-class kernel EoP worth prompt patching.
Information disclosure in the Windows Network Policy Server (NPS) SNMP component allows a remote, unauthenticated attacker to read out-of-bounds memory over the network and disclose sensitive process data. The flaw affects a broad range of Windows client and server releases, from Windows 10 1607 and Windows Server 2012 through Windows 11 26H1 and Windows Server 2025. It was reported by Microsoft, a vendor patch is available, and no public exploit has been identified at time of analysis (not listed in CISA KEV).
Denial of service in the Windows Domain Controller role on Windows Server 2025 (including Server Core) and Windows 11 24H2/25H2/26H1 lets a remote, unauthenticated attacker crash or hang authentication services by triggering an untrusted pointer dereference over the network. Because the CVSS vector is PR:N/UI:N with A:H and no confidentiality or integrity impact, a single crafted network exchange can disrupt directory and logon services domain-wide without credentials. No public exploit identified at time of analysis, and it is not on CISA KEV; Microsoft has released a patch.
Local privilege escalation in the Windows Wireless Wide Area Network (WWAN) Service allows a low-privileged authenticated user to win a race condition and gain SYSTEM-level privileges across Windows 10, Windows 11, and Windows Server 2019 through 2025. The flaw stems from improper synchronization of a shared resource (CWE-362), and the scope-changed CVSS impact (S:C) reflects that successful exploitation crosses from the attacker's low-privilege context into a higher-privileged service. No public exploit identified at time of analysis, and it is not listed in CISA KEV, though Microsoft credits itself as the reporter, indicating internal discovery.
Remote information disclosure in the Microsoft Windows Kernel (CWE-125 out-of-bounds read) lets an unauthenticated attacker read kernel memory over a network, per the CVSS AV:N/PR:N vector, affecting a broad range of Windows 10, Windows 11, and Windows Server 2016 through 2025 builds. The flaw carries high confidentiality impact (C:H) with a minor availability side effect and no integrity impact, scoring CVSS 8.2. No public exploit is identified at time of analysis and it is not in CISA KEV, but the network-reachable, no-authentication, no-interaction profile makes it a notable patch priority.
Local privilege escalation in Microsoft Windows (Windows 10 1607 through Windows 11 26H1 and Windows Server 2012 through 2025) arises from a use-after-free memory-corruption flaw (CWE-416) that lets an already-authenticated local user run code at elevated privilege. The CVSS 3.1 base score is 7.8 with a scope-changed vector, and Microsoft has shipped a fix via MSRC. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV, so exploitation is currently theoretical rather than observed.
Buffer over-read in Windows Kernel allows an authorized attacker to disclose information locally.
Local privilege escalation in the Windows Brokering File System affects Windows 11 24H2/25H2/26H1 and Windows Server 2025, where a use-after-free (CWE-416) lets an already-authenticated local user corrupt memory to elevate to higher privileges (typically SYSTEM). Microsoft has released a patch and rates it 7.8 (High). There is no public exploit identified at time of analysis and it is not listed in CISA KEV.
Exposure of sensitive information to an unauthorized actor in Windows Media allows an unauthorized attacker to disclose information over a network.
Exposure of sensitive information to an unauthorized actor in Windows Media allows an authorized attacker to disclose information locally.
Privilege elevation in Microsoft's Windows Server Update Services (WSUS) role allows a network-based, low-privileged attacker to gain higher privileges due to a missing authentication check on a critical function (CWE-306). The flaw affects WSUS as shipped on Windows Server 2012 through 2025 (and client builds Windows 10 1607/1809), with a CVSS 3.1 base score of 8.8; Microsoft has released a patch. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the network-reachable, low-complexity nature makes this a high-priority patch for update-management infrastructure.
Denial of service in Microsoft Active Directory Federation Services (AD FS) allows a remote, unauthenticated attacker to crash the service by sending crafted network input that overflows a stack buffer (CWE-121). Because AD FS commonly fronts single sign-on for Microsoft 365, Azure AD, and federated web applications, an outage cascades into loss of authentication for every relying-party application. There is no public exploit identified at time of analysis and the flaw is not in CISA KEV; a Microsoft patch is available, and the CVSS 3.1 score is 7.5 (availability-only impact).
Remote code execution in Microsoft's Remote Desktop Client (the RDP client, mstsc.exe, shipped across Windows 10, Windows 11, and Windows Server 2012 through 2025) allows an unauthorized attacker to run arbitrary code over the network by triggering a use-after-free memory-corruption condition. Exploitation requires the victim to connect to an attacker-controlled or compromised RDP endpoint (UI:R), after which the malicious server can corrupt client-side memory to achieve full code execution. There is no public exploit identified at time of analysis and the CVE is not listed in CISA KEV; a vendor patch is available from Microsoft.
Local code execution in Microsoft Windows' Resilient File System (ReFS) driver lets an unauthorized attacker run arbitrary code by inducing a victim to mount or open a maliciously crafted ReFS volume (CVE-2026-50362). The flaw affects the ReFS component shipped across Windows 10, Windows 11 (through 26H1), and Windows Server 2016-2025, carries CVSS 7.8, and requires user interaction (UI:R) with no prior authentication (PR:N). Microsoft has released a patch; there is no public exploit identified at time of analysis and it is not listed in CISA KEV.
Out-of-bounds read in Windows HTTP.sys allows an unauthorized attacker to disclose information locally.
Remote code execution in Microsoft Windows Message Queuing (MSMQ) allows an unauthenticated attacker to run arbitrary code over the network by corrupting heap memory. The flaw (CWE-122) carries a CVSS 9.8 and affects a broad range of client and server SKUs from Windows 10 1607 through Windows 11 26H1 and Windows Server 2012 through Server 2025. No public exploit is identified at time of analysis, but the network-reachable, no-interaction, no-privilege profile of prior MSMQ bugs (e.g. the 'QueueJumper' class) makes this a top-priority patch. Microsoft has released a fix.
Local privilege escalation to code execution in the Windows NTFS driver (CVE-2026-50417) allows an authenticated attacker with low privileges to corrupt heap memory and run arbitrary code on affected Windows 10, Windows 11, and Windows Server 2012 through 2025 systems. The flaw is a heap-based buffer overflow (CWE-122) reported by Microsoft, with CVSS 7.8 (High) reflecting local vector, low complexity, and full confidentiality/integrity/availability impact. No public exploit identified at time of analysis, and it is not listed in CISA KEV.
Out-of-bounds read in Windows USB Audio Class driver (usbaudio.sys) allows an unauthorized attacker to disclose information with a physical attack.
Windows Quality of Service (QoS) Packet Scheduler Information Disclosure Vulnerability
Local code execution in Microsoft Windows NTFS (New Technology File System) driver arises from a heap-based buffer overflow (CWE-122) that an attacker can trigger by inducing a user to interact with a specially crafted NTFS volume or file. Affecting a broad range of Windows client and server builds from Windows Server 2012/2012 R2 through Windows 11 26H1 and Windows Server 2025, successful exploitation yields high confidentiality, integrity, and availability impact. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV; Microsoft has issued a fix.
Local privilege escalation in the Microsoft Windows Kernel allows an authenticated low-privileged user to elevate to higher (likely SYSTEM-level) privileges by triggering an out-of-bounds read condition. The flaw affects a broad range of currently supported Windows client and server builds, from Windows 10 21H2 through Windows 11 26H1 and Windows Server 2022/2025. Microsoft has released a patch; there is no public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Use after free in Windows Virtual Filtering Platform (VFP) allows an authorized attacker to deny service over a network.
Windows File Explorer on a wide range of Microsoft Windows client and server versions exposes sensitive information to locally authenticated standard users, achieving high confidentiality impact without requiring elevated privileges. The flaw (CWE-200) is confined to the local attack surface - CVSS AV:L/PR:L - meaning the attacker must already hold an interactive session on the target system. No public exploit code and no CISA KEV listing have been identified at time of analysis; a vendor patch is available through Microsoft Security Response Center.
Exposure of sensitive information to an unauthorized actor in Windows File Explorer allows an authorized attacker to disclose information locally.
Exposure of sensitive information to an unauthorized actor in Windows File Explorer allows an authorized attacker to disclose information locally.
Exposure of sensitive information to an unauthorized actor in Windows File Explorer allows an authorized attacker to disclose information locally.
Local privilege escalation in the Windows Runtime (WinRT) component of Windows 10, Windows 11, and Windows Server allows an authenticated attacker to run arbitrary code with elevated (SYSTEM-level) privileges by triggering a use-after-free memory-corruption condition (CWE-416). Microsoft has released a patch, but there is no public exploit identified at time of analysis and the flaw is not listed in CISA KEV. The CVSS 3.1 score of 7.8 (High) with a fully local vector reflects meaningful post-compromise impact but requires the attacker to already have a foothold on the host.
Local privilege escalation in the Windows Ancillary Function Driver for WinSock (AFD.sys) allows an already-authenticated local attacker to gain elevated (SYSTEM-level) privileges across a broad range of Windows client and server releases from Windows 10 1607 and Server 2012 through Windows 11 26H1 and Server 2025. Reported internally by Microsoft with a patch available, the flaw carries CVSS 7.8 with full confidentiality, integrity, and availability impact but no confirmed active exploitation; no public exploit identified at time of analysis.
Remote code execution in the Microsoft Message Queuing (MSMQ) Queue Manager affects a broad range of Windows client and server releases, from Windows 10 1607 and Windows Server 2012 through Windows 11 26H1 and Windows Server 2025. An unauthenticated network attacker who can reach the MSMQ service (TCP 1801) can trigger a use-after-free (CWE-416) in the Queue Manager to execute arbitrary code in the service context. There is no public exploit identified at time of analysis and the flaw is not listed in CISA KEV, but the high CVSS (8.1), network attack vector, and lack of any authentication requirement make patched deployment urgent; exploitation is tempered by the High attack complexity (AC:H).
Local integrity and availability tampering in the Microsoft Windows DNS component affects Windows 11 (24H2, 25H2, 26H1) and Windows Server 2025 (including Server Core), where an authorized attacker with low privileges can abuse improper access control to modify DNS data or disrupt the service. Microsoft self-reported the issue and has released a patch. There is no public exploit identified at time of analysis, and the flaw is not listed in CISA KEV, so exploitation would currently require local access on an already-compromised or shared host.
Local privilege escalation in Microsoft Windows Resilient File System (ReFS) lets an authenticated local attacker gain elevated (SYSTEM-level) privileges by triggering an untrusted pointer dereference in the ReFS driver. It affects a broad range of Windows 10, Windows 11, and Windows Server 2016-2025 builds. Microsoft has released a patch; there is no public exploit identified at time of analysis and it is not listed in CISA KEV, so risk is currently patch-and-move rather than emergency.
Exposure of sensitive information to an unauthorized actor in Windows Overlay Filter allows an authorized attacker to disclose information locally.
Local privilege escalation in the Windows Overlay Filter (WOF) driver affects a broad range of Windows client and server releases, from Windows 10 1607 and Server 2012 R2 through Windows 11 26H1 and Server 2025. An authenticated local attacker with low privileges can trigger a buffer over-read (CWE-126) in the filter to elevate to higher privileges, gaining full confidentiality, integrity, and availability impact on the host. Microsoft has released a patch; there is no public exploit identified at time of analysis and the CVE is not listed in CISA KEV.
Local privilege escalation in the Windows NTFS file-system driver lets an authenticated low-privileged user gain elevated (likely SYSTEM) privileges by exploiting an incorrect conversion between numeric types (CWE-681). Affected platforms span Windows 10 (1607 through 22H2), Windows 11 (24H2, 25H2, 26H1), and Windows Server 2012 through 2025. Microsoft reported the flaw and has shipped a patch; there is no public exploit identified at time of analysis and it is not listed in CISA KEV.
Local privilege escalation in the Windows Brokering File System component affects Windows 11 (24H2, 25H2, 26H1) and Windows Server 2025, where a use-after-free memory corruption (CWE-416) lets an already-authenticated local user elevate to higher privileges. Microsoft rates it CVSS 7.8 with full confidentiality, integrity, and availability impact, and has released a patch. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.
Local information disclosure in Windows Universal Plug and Play (upnp.dll) exposes sensitive memory contents to authorized low-privilege users across a wide range of Windows 10, Windows 11, and Windows Server releases. The flaw stems from use of an uninitialized resource (CWE-908), meaning the UPnP service reads from memory that has not been properly initialized before use, potentially leaking stale heap or stack contents. No active exploitation has been confirmed and no public exploit code has been identified at time of analysis; a vendor patch is available via the Microsoft Security Response Center.
Local privilege escalation in Windows Routing and Remote Access Service (RRAS) allows a low-privileged authenticated user to elevate to higher privileges on affected Windows 10, Windows 11, and Windows Server 2012 through 2025 systems. The flaw stems from a missing authentication check on a critical RRAS function (CWE-306), letting an already-authorized local attacker invoke privileged functionality without proper authorization. Microsoft has released a patch; there is no public exploit identified at time of analysis.
Buffer over-read in Windows Print Spooler Components allows an authorized attacker to disclose information locally.
Local privilege escalation in the Windows Sensor Data Service allows an authenticated low-privileged user to gain full SYSTEM-level control on affected Windows 10, Windows 11, and Windows Server (2019-2025) systems. The flaw stems from incorrect access to an indexable resource (a range/bounds error, CWE-118) and yields high confidentiality, integrity, and availability impact per the CVSS 7.8 vector. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV, but Microsoft has released a patch.
Use after free in Windows Cloud Files Mini Filter Driver allows an authorized attacker to elevate privileges with a physical attack.
Local privilege escalation in the Windows Connected User Experiences and Telemetry service (DiagTrack) lets an already-authenticated user run arbitrary code with SYSTEM-level rights by triggering a CWE-843 type-confusion condition. The flaw affects a broad range of currently-supported Windows client and server builds, from Windows 10 1607 through Windows 11 26H1 and Windows Server 2016 through 2025. Microsoft has released a patch; there is no public exploit identified at time of analysis and the CVE is not listed in CISA KEV.
Local privilege escalation in the Windows NTFS file-system driver lets an already-authenticated low-privileged user read memory outside allocated bounds (CWE-125) to gain elevated privileges. It affects a broad Windows fleet spanning Windows 10 (1607 through 22H2), Windows 11 (24H2, 25H2, 26H1), and Windows Server 2012 through 2025. Reported by Microsoft with a patch available; no public exploit identified at time of analysis and it is not listed in CISA KEV.
Local privilege escalation in the Microsoft Windows Content Delivery Manager component lets an authenticated low-privileged user elevate to SYSTEM by triggering a use-after-free (CWE-416) memory-corruption condition. The flaw affects a broad range of client and server builds (Windows 10 1809 through Windows 11 26H1, plus Server 2019 and Server 2025), and Microsoft has released a patch. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.
Privilege escalation in Windows Runtime (WinRT) via a use-after-free memory corruption flaw enables a locally authenticated low-privilege attacker to elevate to SYSTEM-level access on Windows 11 (24H2, 25H2, 26H1) and Windows Server 2025. The CVSS scope change (S:C) confirms the exploit crosses a security boundary, yielding full confidentiality, integrity, and availability impact beyond the originating process. No public exploit identified at time of analysis; Microsoft has released a patch via MSRC.
Local privilege escalation in the Windows Runtime affects Windows 11 (24H2, 25H2, 26H1) and Windows Server 2025, where a race condition (CWE-362) in the improperly synchronized handling of a shared resource lets an already-authenticated attacker win a timing window to gain higher privileges. Microsoft reported and patched the issue; there is no public exploit identified at time of analysis and it is not listed in CISA KEV. The CVSS 8.8 with scope-changed impact reflects that a low-privileged local user could reach full SYSTEM-level control of confidentiality, integrity, and availability.
Relative path traversal in DNS Server allows an authorized attacker to execute code over an adjacent network.
Elevation of privilege in the Microsoft Windows RPC API lets an unauthenticated attacker on an adjacent network gain higher privileges by exploiting an improper authentication weakness (CWE-287), provided a user is lured into an interaction. The flaw spans a broad range of client and server builds from Windows Server 2012 through Windows Server 2025 and Windows 10 1607 through Windows 11 26H1. No public exploit identified at time of analysis; the issue was reported by Microsoft, which has released a fix.
Local privilege escalation in Windows User Interface Core (UI Core) affects Windows 11 (24H2, 25H2, 26H1) and Windows Server 2025, where a relative path traversal flaw lets an already-authenticated low-privileged user escalate to higher privileges on the local machine. The CVSS 3.1 score of 7.8 reflects full confidentiality, integrity, and availability impact once triggered, though attack requires local access and existing low-level privileges. Reported by Microsoft with a patch available; no public exploit identified at time of analysis and it is not listed in CISA KEV.
Local privilege escalation in the Windows Projected File System (ProjFS) driver lets an authenticated low-privileged attacker abuse a symbolic-link/junction race (CWE-59 link following) to redirect a privileged file operation and gain SYSTEM-level rights across Windows 10 (1809-22H2), Windows 11 (24H2/25H2/26H1), and Windows Server 2019/2022/2025. Microsoft has released a patch; there is no public exploit identified at time of analysis and the flaw is not listed in CISA KEV.
Privilege escalation in Windows Remote Desktop Services (RDS) lets an authenticated, low-privileged attacker elevate to higher privileges across a network by triggering a use-after-free (CWE-416) memory-corruption condition in the RDS component. The flaw spans a broad range of supported Windows client and server releases (Windows 10/11 and Windows Server 2012 through 2025). Microsoft has released a patch; there is no public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Local code execution in Microsoft Windows NTFS (the New Technology File System driver) arises from a heap-based buffer overflow that lets an attacker run arbitrary code with the privileges of the affected process. The flaw affects a broad swath of supported Windows client and server builds, from Windows 10 1607 and Server 2012 through Windows 11 26H1 and Server 2025. Microsoft (the reporter) has shipped a patch; there is no public exploit identified at time of analysis, and the CVSS vector requires local access plus user interaction, so it is a privilege-escalation/code-execution primitive rather than a remotely-wormable bug.
Out-of-bounds read in Windows DWM Core Library allows an authorized attacker to disclose information locally.
Local privilege escalation in the Windows Kernel affects Windows 11 (24H2, 25H2, 26H1) and Windows Server 2025 (including Server Core), where an authorized attacker can exploit a use-after-free (CWE-416) memory-corruption condition to elevate privileges to SYSTEM. The flaw was reported by Microsoft, which has released a patch, and carries a CVSS 7.8 rating driven entirely by high confidentiality, integrity, and availability impact once local access is obtained. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.
Local code execution in the Windows DirectX graphics component (CVE-2026-50382) lets an already-authenticated user run arbitrary code and, because the CVSS scope is Changed, break out of the calling security context to compromise the wider system. It affects a broad range of Windows client and server builds from Windows 10 1809 through Windows 11 26H1 and Windows Server 2019 through 2025. Microsoft has issued a patch; there is no public exploit identified at time of analysis and the vulnerability is not listed in CISA KEV.
Exposure of sensitive information to an unauthorized actor in Windows Cryptographic Services allows an authorized attacker to disclose information locally.
Local privilege escalation in the Windows OLE (Object Linking and Embedding) component allows an already-authenticated, low-privileged user on affected Windows and Windows Server builds to elevate to higher privileges through an improper authorization check (CWE-285). Microsoft has released a patch, and no public exploit has been identified at time of analysis. Impact is high across confidentiality, integrity, and availability, though exploitation requires prior local code execution.
Buffer over-read in Windows RDP allows an unauthorized attacker to disclose information over a network.
Privilege escalation in the Windows Remote Access Connection Manager (RasMan) service lets an authenticated, low-privileged attacker corrupt memory over the network to gain higher privileges on affected Windows 10, 11, and Server systems. The flaw is a CWE-416 use-after-free carrying a CVSS 8.8 with high impact to confidentiality, integrity, and availability. Microsoft has released a patch; there is no public exploit identified at time of analysis and it is not listed in CISA KEV.
Protection mechanism failure in Windows BitLocker allows an unauthorized attacker to bypass a security feature with a physical attack.
Local code execution in the Windows Media component of supported Windows 10, Windows 11, and Windows Server (2016 through 2025) releases lets an unauthorized attacker run arbitrary code when a victim opens a maliciously crafted media file. The flaw is a heap-based buffer overflow (CWE-122) reported by Microsoft with a vendor patch available; there is no public exploit identified at time of analysis. CVSS is 7.8 (High), driven by full confidentiality, integrity, and availability impact but gated by local vector and required user interaction.
Denial of service in Microsoft Active Directory Federation Services (AD FS) allows an unauthenticated, remote attacker to send crafted network requests that drive a request-handling routine into an infinite loop (CWE-835), exhausting CPU and rendering the federation service unavailable. All supported Windows Server releases hosting the AD FS role are impacted, and because the flaw requires no authentication and no user interaction (CVSS 7.5, AV:N/AC:L/PR:N/UI:N), it can knock out single sign-on for every relying-party application. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, so this is a patch-priority availability issue rather than a confirmed active-exploitation event.
Remote code execution in the Microsoft Windows DHCP Server role allows an unauthenticated network attacker to run arbitrary code by triggering a heap-based buffer overflow (CWE-122) in the service's packet handling. The flaw carries a critical CVSS 9.8 (AV:N/AC:L/PR:N/UI:N) and affects Windows Server 2012 through 2025 as well as the underlying Windows 10 1607/1809 code base. There is no public exploit identified at time of analysis and the CVE is not listed in CISA KEV, but the unauthenticated network RCE profile makes it a high-priority patch.
Local privilege escalation in the Windows Wireless Wide Area Network Service (WwanSvc) lets an authenticated low-privileged user elevate to SYSTEM by delivering crafted serialized data that the service deserializes unsafely (CWE-502). Reported by Microsoft, it affects a broad range of Windows 10, Windows 11, and Windows Server builds and carries CVSS 7.8 with high confidentiality, integrity, and availability impact. No public exploit is identified at time of analysis and it is not in CISA KEV, but a vendor patch is available.
Buffer over-read in Remote Desktop Client allows an unauthorized attacker to disclose information over a network.
Information disclosure in the Windows Network Policy Server (NPS) SNMP handling allows a remote, unauthenticated attacker to read out-of-bounds memory over the network and disclose potentially sensitive data. The flaw affects a broad range of Windows Server (2012 through 2025) and Windows client builds where the NPS role/SNMP component is present. There is no public exploit identified at time of analysis and it is not listed in CISA KEV; a vendor patch is available from Microsoft (MSRC).
Off-by-one memory boundary error in the Windows Remote Desktop Protocol exposes sensitive memory contents over the network to unauthenticated remote attackers on all major Windows client and server releases. The CWE-193 root cause allows the RDP parser to read one element beyond an allocated buffer boundary, yielding a high-confidentiality-impact information disclosure (C:H) with no integrity or availability consequence. No public exploit identified at time of analysis, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog; however, the breadth of affected Windows versions - spanning Windows 10 1607 through Windows 11 26H1 and Windows Server 2012 through 2025 - gives this a wide potential attack surface warranting prompt patching.
Local privilege escalation in the Windows Runtime (WinRT) affects current Microsoft platforms including Windows 11 24H2, 25H2, 26H1, and Windows Server 2025, where a race condition (CWE-362) in the handling of a shared resource lets an already-authenticated local user win a timing window to gain higher privileges. Microsoft has released a patch, and there is no public exploit identified at time of analysis. With a CVSS 7.0 (AV:L/AC:H/PR:L) the flaw requires local access and precise timing, making it a plausible second-stage escalation rather than an initial entry point.
Local code execution in Microsoft's Resilient File System (ReFS) driver affects Windows 11 (24H2, 25H2, 26H1) and Windows Server 2025, where a stack-based buffer overflow (CWE-121) can be triggered when a victim interacts with attacker-crafted ReFS data. The CVSS 3.1 vector (AV:L/AC:L/PR:N/UI:R) shows an unauthenticated but user-interaction-dependent local attack yielding full confidentiality, integrity, and availability impact. No public exploit identified at time of analysis and the flaw is not on CISA KEV, so it currently represents a patch-priority rather than an active-exploitation emergency.
Heap-based buffer overflow in Windows Resilient File System (ReFS) allows an unauthorized attacker to execute code with a physical attack.
Local privilege escalation in the Windows Code Integrity module (ci.dll) lets an already-authenticated low-privileged attacker read out-of-bounds memory (CWE-125) and leverage the resulting condition to gain higher privileges on affected Windows 10, Windows 11, and Windows Server systems back to Server 2012. The CVSS 3.1 score is 7.0 (High) with a local vector and high attack complexity, and there is no public exploit identified at time of analysis. Microsoft self-reported the issue and has released a patch through the MSRC update guide.
Remote code execution in the Microsoft Windows Message Queuing (MSMQ) service arises from a use-after-free (CWE-416) memory-corruption flaw that an authenticated attacker can trigger across a network to run arbitrary code in the service context. It affects a broad range of supported Windows client and server releases from Windows 10 1607 and Windows Server 2012 through Windows 11 26H1 and Windows Server 2025 wherever the MSMQ component is enabled. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but Microsoft rates it CVSS 7.5 and has released a fix.
Elevation of privilege in the Microsoft Windows Universal Disk Format File System driver (UDFS) allows a local attacker to gain higher privileges after a user mounts or opens a maliciously crafted UDF-formatted volume such as an ISO or disc image. The flaw is an out-of-bounds read (CWE-125) in the kernel-mode UDFS parser, and successful exploitation yields high impact to confidentiality, integrity, and availability (CVSS 7.8). No public exploit identified at time of analysis and it is not listed in CISA KEV, but Microsoft has released a patch.
Local privilege escalation in the Windows Installer (msiexec) service across Windows 10, Windows 11, and Windows Server 2012 through 2025 allows an already-authenticated local user to gain higher privileges by triggering a use-after-free memory-corruption condition. No public exploit has been identified at time of analysis, and it is not listed in CISA KEV, but Microsoft has published a patch. The high CVSS complexity (AC:H) indicates exploitation requires winning a race or meeting specific timing/heap conditions rather than being trivially reliable.
Local privilege escalation to code execution in the Windows NTFS file-system driver stems from a heap-based buffer overflow (CWE-122) that an authenticated local attacker can trigger to run arbitrary code with elevated privileges. The flaw was reported by Microsoft and spans a broad range of currently-supported Windows client and server releases, from Windows 10 1607 and Server 2012 through Windows 11 26H1 and Server 2025. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the low attack complexity and reliable memory-corruption primitive in a core kernel-mode driver make it a strong candidate for patch-Tuesday prioritization.
Local privilege escalation in the Windows Win32K kernel subsystem (CWE-122 heap-based buffer overflow) lets an already-authenticated low-privileged attacker corrupt kernel heap memory and gain SYSTEM-level control across a broad range of Windows client and server releases. The flaw carries a CVSS 3.1 base score of 8.8 with a changed scope (S:C), reflecting that a user-mode process can compromise the kernel security boundary. It was reported by Microsoft, a vendor patch is available, and there is no public exploit identified at time of analysis.
Local privilege escalation in the Windows Print Spooler Components affects Windows 10 (1809, 21H2, 22H2), Windows 11 (24H2, 25H2, 26H1), and Windows Server 2019/2022/2025, where a heap-based buffer overflow (CWE-122) lets an already-authenticated local user corrupt heap memory in a Spooler component and gain SYSTEM-level privileges. Exploitation requires low-privilege local access (CVSS AV:L/PR:L) with no user interaction, yielding full confidentiality, integrity, and availability impact. There is no public exploit identified at time of analysis and the CVE is not listed in CISA KEV.
Privilege escalation in the Windows Netlogon service allows an already-authenticated, low-privileged network attacker to elevate to higher privileges by exploiting a use-after-free (CWE-416) memory-corruption condition. The flaw affects a broad range of Windows client and server releases from Windows 10 1607 and Windows Server 2012 through Windows 11 26H1 and Windows Server 2025, including Server Core installations. Reported by Microsoft with a vendor patch available; there is no public exploit identified at time of analysis and it is not listed in CISA KEV.
Local privilege escalation in the Windows Clipboard User Service lets an already-authenticated low-privileged user run OS commands in the service's higher-privilege security context by injecting special elements into a command the service constructs (CWE-77). Affected platforms are Windows 11 24H2/25H2 and Windows Server 2025 (including Server Core). Microsoft has issued a patch; there is no public exploit identified at time of analysis and the flaw is not on the CISA KEV list.
Network-based privilege elevation in Microsoft Windows DNS (Windows 11 24H2/25H2/26H1 and Windows Server 2025) stems from a use-after-free memory corruption condition that an unauthenticated remote attacker can exploit to gain elevated privileges with full confidentiality, integrity, and availability impact. The flaw requires no prior authentication or user interaction (PR:N/UI:N) but carries high attack complexity (AC:H), meaning reliable exploitation depends on winning a race or satisfying a specific memory-state timing window. Microsoft self-reported the issue and has shipped a patch; no public exploit identified at time of analysis and it is not currently listed in CISA KEV.
Elevation of privilege in the Windows Runtime (WinRT) component affects Windows 10 (21H2/22H2), Windows 11 (24H2/25H2/26H1), and Windows Server 2025, where a use-after-free memory-corruption flaw lets an already-authenticated local user run code at higher privilege. Microsoft has released a patch and reported the issue; there is no public exploit identified at time of analysis and the CVE is not listed in CISA KEV. Given the CVSS 7.8 (Important) rating and full C/I/A impact, this is a standard local privilege-escalation risk suited for regular patch prioritization rather than emergency response.
Denial of service in Windows Hyper-V allows an authorized, adjacent-network attacker to crash or disrupt the hypervisor by triggering a buffer over-read (CWE-126). Affected platforms span Windows 10, Windows 11, and Windows Server 2012 through 2025, covering a broad slice of Microsoft's enterprise footprint. No public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV, but a vendor-issued patch is available via Microsoft MSRC.
Remote code execution in the Microsoft Windows Event Logging Service allows an authenticated attacker with low privileges to execute code over a network after enticing a user into an interaction (UI:R), due to insufficient granularity of access control (CWE-1220). The flaw affects a broad range of Windows client and server builds from Windows 10 1607 and Windows Server 2012 through Windows 11 26H1 and Windows Server 2025. Microsoft has released a patch; there is no public exploit identified at time of analysis and the CVE is not listed in CISA KEV.
Local privilege escalation in the Windows Graphics Kernel component allows an authenticated attacker to elevate to SYSTEM by triggering a use-after-free (CWE-416) memory-corruption condition. All currently supported Windows client and server builds are affected - from Windows 10 1809 through Windows 11 26H1 and Windows Server 2019 through 2025. No public exploit identified at time of analysis; Microsoft has released a patch, and the CVSS 7.8 (Important) rating reflects high impact but a local-access, low-privilege prerequisite.
Local privilege escalation in the Microsoft Windows Kernel lets an already-authenticated attacker corrupt heap memory to gain SYSTEM-level control across Windows 10 (1809/21H2/22H2), Windows 11 (24H2/25H2/26H1), and Windows Server 2019/2022/2025. The CVSS 7.8 (AV:L/PR:L) rating reflects that low-privileged code execution is a prerequisite; there is no public exploit identified at time of analysis, but Microsoft has released a patch. This is a classic post-exploitation escalation primitive rather than an initial-access vector.
Exposure of sensitive information to an unauthorized actor in Microsoft Graphics Component allows an authorized attacker to disclose information locally.
Local tampering in Windows DNS via improper access control (CWE-284) allows a low-privilege authenticated local user to manipulate DNS configuration or records across a broad range of Windows 10, Windows 11, and Windows Server releases. The CVSS vector (AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L) confirms exploitation requires only a valid local account with no elevated privileges, yielding high integrity impact with minimal availability disruption and no direct confidentiality exposure. No public exploit code or CISA KEV listing has been identified at time of analysis, but the 'Authentication Bypass' advisory tag suggests DNS tampering may enable downstream bypass of authentication mechanisms dependent on DNS resolution, potentially amplifying the effective impact beyond the raw CVSS score.
Local privilege-level code execution in the Windows NTFS file-system driver affects a broad range of Windows client and server releases, from Windows 10 1607 and Server 2012 through Windows 11 26H1 and Server 2025. A heap-based buffer overflow (CWE-122) lets an authorized local attacker who can induce a user to interact with a crafted file or volume execute arbitrary code in the security context of the kernel-mode NTFS component. There is no public exploit identified at time of analysis and it is not in CISA KEV, but Microsoft has released a patch and the flaw carries full high confidentiality, integrity, and availability impact.
Local privilege escalation in the Microsoft Windows USB Hub Driver allows an authenticated low-privileged user to elevate to SYSTEM by triggering an untrusted pointer dereference (CWE-822), affecting Windows 10 (1809/21H2/22H2) and Windows Server 2019 through 2025. Successful exploitation yields full confidentiality, integrity, and availability impact on the local host. There is no public exploit identified at time of analysis and the flaw is not listed in CISA KEV, but Microsoft has released a patch.
Local privilege escalation in the Microsoft Windows Kernel lets an authenticated attacker who already has low-privileged code execution on a host elevate to SYSTEM by exploiting a use-after-free (CWE-416) memory corruption. It affects a broad range of supported Windows client and server builds - Windows 10 (1809/21H2/22H2), Windows 11 (24H2/25H2/26H1), and Windows Server 2019/2022/2025 - and Microsoft has released a patch. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, so exploitation appears unproven publicly despite the reliably-exploitable nature of kernel UAF flaws.
Local privilege escalation in the Microsoft Windows Kernel lets an already-authenticated attacker corrupt heap memory (CWE-122) to run code with SYSTEM-level privileges. It affects a broad range of supported Windows client and server releases (Windows 10 1607 through Windows 11 26H1, and Windows Server 2012 through Server 2025). No public exploit identified at time of analysis, but the CVSS 8.8 rating and scope change make it a strong candidate for chaining after initial access.
Local privilege escalation in the Microsoft Windows Kernel arises from a use-after-free (CWE-416) memory-corruption flaw that lets an attacker running code on the machine gain higher privileges, potentially SYSTEM. It affects a broad range of current Windows client and server builds (Windows 10 21H2/22H2, Windows 11 24H2/25H2/26H1, Windows Server 2022/2025). No public exploit identified at time of analysis, but the local attack surface and full CIA impact make it a standard Patch-Tuesday-class kernel EoP worth prompt patching.
Information disclosure in the Windows Network Policy Server (NPS) SNMP component allows a remote, unauthenticated attacker to read out-of-bounds memory over the network and disclose sensitive process data. The flaw affects a broad range of Windows client and server releases, from Windows 10 1607 and Windows Server 2012 through Windows 11 26H1 and Windows Server 2025. It was reported by Microsoft, a vendor patch is available, and no public exploit has been identified at time of analysis (not listed in CISA KEV).
Denial of service in the Windows Domain Controller role on Windows Server 2025 (including Server Core) and Windows 11 24H2/25H2/26H1 lets a remote, unauthenticated attacker crash or hang authentication services by triggering an untrusted pointer dereference over the network. Because the CVSS vector is PR:N/UI:N with A:H and no confidentiality or integrity impact, a single crafted network exchange can disrupt directory and logon services domain-wide without credentials. No public exploit identified at time of analysis, and it is not on CISA KEV; Microsoft has released a patch.
Local privilege escalation in the Windows Wireless Wide Area Network (WWAN) Service allows a low-privileged authenticated user to win a race condition and gain SYSTEM-level privileges across Windows 10, Windows 11, and Windows Server 2019 through 2025. The flaw stems from improper synchronization of a shared resource (CWE-362), and the scope-changed CVSS impact (S:C) reflects that successful exploitation crosses from the attacker's low-privilege context into a higher-privileged service. No public exploit identified at time of analysis, and it is not listed in CISA KEV, though Microsoft credits itself as the reporter, indicating internal discovery.
Remote information disclosure in the Microsoft Windows Kernel (CWE-125 out-of-bounds read) lets an unauthenticated attacker read kernel memory over a network, per the CVSS AV:N/PR:N vector, affecting a broad range of Windows 10, Windows 11, and Windows Server 2016 through 2025 builds. The flaw carries high confidentiality impact (C:H) with a minor availability side effect and no integrity impact, scoring CVSS 8.2. No public exploit is identified at time of analysis and it is not in CISA KEV, but the network-reachable, no-authentication, no-interaction profile makes it a notable patch priority.
Local privilege escalation in Microsoft Windows (Windows 10 1607 through Windows 11 26H1 and Windows Server 2012 through 2025) arises from a use-after-free memory-corruption flaw (CWE-416) that lets an already-authenticated local user run code at elevated privilege. The CVSS 3.1 base score is 7.8 with a scope-changed vector, and Microsoft has shipped a fix via MSRC. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV, so exploitation is currently theoretical rather than observed.
Buffer over-read in Windows Kernel allows an authorized attacker to disclose information locally.
Local privilege escalation in the Windows Brokering File System affects Windows 11 24H2/25H2/26H1 and Windows Server 2025, where a use-after-free (CWE-416) lets an already-authenticated local user corrupt memory to elevate to higher privileges (typically SYSTEM). Microsoft has released a patch and rates it 7.8 (High). There is no public exploit identified at time of analysis and it is not listed in CISA KEV.
Exposure of sensitive information to an unauthorized actor in Windows Media allows an unauthorized attacker to disclose information over a network.
Exposure of sensitive information to an unauthorized actor in Windows Media allows an authorized attacker to disclose information locally.
Privilege elevation in Microsoft's Windows Server Update Services (WSUS) role allows a network-based, low-privileged attacker to gain higher privileges due to a missing authentication check on a critical function (CWE-306). The flaw affects WSUS as shipped on Windows Server 2012 through 2025 (and client builds Windows 10 1607/1809), with a CVSS 3.1 base score of 8.8; Microsoft has released a patch. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the network-reachable, low-complexity nature makes this a high-priority patch for update-management infrastructure.
Denial of service in Microsoft Active Directory Federation Services (AD FS) allows a remote, unauthenticated attacker to crash the service by sending crafted network input that overflows a stack buffer (CWE-121). Because AD FS commonly fronts single sign-on for Microsoft 365, Azure AD, and federated web applications, an outage cascades into loss of authentication for every relying-party application. There is no public exploit identified at time of analysis and the flaw is not in CISA KEV; a Microsoft patch is available, and the CVSS 3.1 score is 7.5 (availability-only impact).
Remote code execution in Microsoft's Remote Desktop Client (the RDP client, mstsc.exe, shipped across Windows 10, Windows 11, and Windows Server 2012 through 2025) allows an unauthorized attacker to run arbitrary code over the network by triggering a use-after-free memory-corruption condition. Exploitation requires the victim to connect to an attacker-controlled or compromised RDP endpoint (UI:R), after which the malicious server can corrupt client-side memory to achieve full code execution. There is no public exploit identified at time of analysis and the CVE is not listed in CISA KEV; a vendor patch is available from Microsoft.
Local code execution in Microsoft Windows' Resilient File System (ReFS) driver lets an unauthorized attacker run arbitrary code by inducing a victim to mount or open a maliciously crafted ReFS volume (CVE-2026-50362). The flaw affects the ReFS component shipped across Windows 10, Windows 11 (through 26H1), and Windows Server 2016-2025, carries CVSS 7.8, and requires user interaction (UI:R) with no prior authentication (PR:N). Microsoft has released a patch; there is no public exploit identified at time of analysis and it is not listed in CISA KEV.
Out-of-bounds read in Windows HTTP.sys allows an unauthorized attacker to disclose information locally.
Remote code execution in Microsoft Windows Message Queuing (MSMQ) allows an unauthenticated attacker to run arbitrary code over the network by corrupting heap memory. The flaw (CWE-122) carries a CVSS 9.8 and affects a broad range of client and server SKUs from Windows 10 1607 through Windows 11 26H1 and Windows Server 2012 through Server 2025. No public exploit is identified at time of analysis, but the network-reachable, no-interaction, no-privilege profile of prior MSMQ bugs (e.g. the 'QueueJumper' class) makes this a top-priority patch. Microsoft has released a fix.
Local privilege escalation to code execution in the Windows NTFS driver (CVE-2026-50417) allows an authenticated attacker with low privileges to corrupt heap memory and run arbitrary code on affected Windows 10, Windows 11, and Windows Server 2012 through 2025 systems. The flaw is a heap-based buffer overflow (CWE-122) reported by Microsoft, with CVSS 7.8 (High) reflecting local vector, low complexity, and full confidentiality/integrity/availability impact. No public exploit identified at time of analysis, and it is not listed in CISA KEV.
Out-of-bounds read in Windows USB Audio Class driver (usbaudio.sys) allows an unauthorized attacker to disclose information with a physical attack.
Windows Quality of Service (QoS) Packet Scheduler Information Disclosure Vulnerability
Local code execution in Microsoft Windows NTFS (New Technology File System) driver arises from a heap-based buffer overflow (CWE-122) that an attacker can trigger by inducing a user to interact with a specially crafted NTFS volume or file. Affecting a broad range of Windows client and server builds from Windows Server 2012/2012 R2 through Windows 11 26H1 and Windows Server 2025, successful exploitation yields high confidentiality, integrity, and availability impact. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV; Microsoft has issued a fix.
Local privilege escalation in the Microsoft Windows Kernel allows an authenticated low-privileged user to elevate to higher (likely SYSTEM-level) privileges by triggering an out-of-bounds read condition. The flaw affects a broad range of currently supported Windows client and server builds, from Windows 10 21H2 through Windows 11 26H1 and Windows Server 2022/2025. Microsoft has released a patch; there is no public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Use after free in Windows Virtual Filtering Platform (VFP) allows an authorized attacker to deny service over a network.
Windows File Explorer on a wide range of Microsoft Windows client and server versions exposes sensitive information to locally authenticated standard users, achieving high confidentiality impact without requiring elevated privileges. The flaw (CWE-200) is confined to the local attack surface - CVSS AV:L/PR:L - meaning the attacker must already hold an interactive session on the target system. No public exploit code and no CISA KEV listing have been identified at time of analysis; a vendor patch is available through Microsoft Security Response Center.
Exposure of sensitive information to an unauthorized actor in Windows File Explorer allows an authorized attacker to disclose information locally.
Exposure of sensitive information to an unauthorized actor in Windows File Explorer allows an authorized attacker to disclose information locally.
Exposure of sensitive information to an unauthorized actor in Windows File Explorer allows an authorized attacker to disclose information locally.
Local privilege escalation in the Windows Runtime (WinRT) component of Windows 10, Windows 11, and Windows Server allows an authenticated attacker to run arbitrary code with elevated (SYSTEM-level) privileges by triggering a use-after-free memory-corruption condition (CWE-416). Microsoft has released a patch, but there is no public exploit identified at time of analysis and the flaw is not listed in CISA KEV. The CVSS 3.1 score of 7.8 (High) with a fully local vector reflects meaningful post-compromise impact but requires the attacker to already have a foothold on the host.
Local privilege escalation in the Windows Ancillary Function Driver for WinSock (AFD.sys) allows an already-authenticated local attacker to gain elevated (SYSTEM-level) privileges across a broad range of Windows client and server releases from Windows 10 1607 and Server 2012 through Windows 11 26H1 and Server 2025. Reported internally by Microsoft with a patch available, the flaw carries CVSS 7.8 with full confidentiality, integrity, and availability impact but no confirmed active exploitation; no public exploit identified at time of analysis.
Remote code execution in the Microsoft Message Queuing (MSMQ) Queue Manager affects a broad range of Windows client and server releases, from Windows 10 1607 and Windows Server 2012 through Windows 11 26H1 and Windows Server 2025. An unauthenticated network attacker who can reach the MSMQ service (TCP 1801) can trigger a use-after-free (CWE-416) in the Queue Manager to execute arbitrary code in the service context. There is no public exploit identified at time of analysis and the flaw is not listed in CISA KEV, but the high CVSS (8.1), network attack vector, and lack of any authentication requirement make patched deployment urgent; exploitation is tempered by the High attack complexity (AC:H).
Local integrity and availability tampering in the Microsoft Windows DNS component affects Windows 11 (24H2, 25H2, 26H1) and Windows Server 2025 (including Server Core), where an authorized attacker with low privileges can abuse improper access control to modify DNS data or disrupt the service. Microsoft self-reported the issue and has released a patch. There is no public exploit identified at time of analysis, and the flaw is not listed in CISA KEV, so exploitation would currently require local access on an already-compromised or shared host.
Local privilege escalation in Microsoft Windows Resilient File System (ReFS) lets an authenticated local attacker gain elevated (SYSTEM-level) privileges by triggering an untrusted pointer dereference in the ReFS driver. It affects a broad range of Windows 10, Windows 11, and Windows Server 2016-2025 builds. Microsoft has released a patch; there is no public exploit identified at time of analysis and it is not listed in CISA KEV, so risk is currently patch-and-move rather than emergency.
Exposure of sensitive information to an unauthorized actor in Windows Overlay Filter allows an authorized attacker to disclose information locally.
Local privilege escalation in the Windows Overlay Filter (WOF) driver affects a broad range of Windows client and server releases, from Windows 10 1607 and Server 2012 R2 through Windows 11 26H1 and Server 2025. An authenticated local attacker with low privileges can trigger a buffer over-read (CWE-126) in the filter to elevate to higher privileges, gaining full confidentiality, integrity, and availability impact on the host. Microsoft has released a patch; there is no public exploit identified at time of analysis and the CVE is not listed in CISA KEV.
Local privilege escalation in the Windows NTFS file-system driver lets an authenticated low-privileged user gain elevated (likely SYSTEM) privileges by exploiting an incorrect conversion between numeric types (CWE-681). Affected platforms span Windows 10 (1607 through 22H2), Windows 11 (24H2, 25H2, 26H1), and Windows Server 2012 through 2025. Microsoft reported the flaw and has shipped a patch; there is no public exploit identified at time of analysis and it is not listed in CISA KEV.
Local privilege escalation in the Windows Brokering File System component affects Windows 11 (24H2, 25H2, 26H1) and Windows Server 2025, where a use-after-free memory corruption (CWE-416) lets an already-authenticated local user elevate to higher privileges. Microsoft rates it CVSS 7.8 with full confidentiality, integrity, and availability impact, and has released a patch. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.
Local information disclosure in Windows Universal Plug and Play (upnp.dll) exposes sensitive memory contents to authorized low-privilege users across a wide range of Windows 10, Windows 11, and Windows Server releases. The flaw stems from use of an uninitialized resource (CWE-908), meaning the UPnP service reads from memory that has not been properly initialized before use, potentially leaking stale heap or stack contents. No active exploitation has been confirmed and no public exploit code has been identified at time of analysis; a vendor patch is available via the Microsoft Security Response Center.
Local privilege escalation in Windows Routing and Remote Access Service (RRAS) allows a low-privileged authenticated user to elevate to higher privileges on affected Windows 10, Windows 11, and Windows Server 2012 through 2025 systems. The flaw stems from a missing authentication check on a critical RRAS function (CWE-306), letting an already-authorized local attacker invoke privileged functionality without proper authorization. Microsoft has released a patch; there is no public exploit identified at time of analysis.
Buffer over-read in Windows Print Spooler Components allows an authorized attacker to disclose information locally.
Local privilege escalation in the Windows Sensor Data Service allows an authenticated low-privileged user to gain full SYSTEM-level control on affected Windows 10, Windows 11, and Windows Server (2019-2025) systems. The flaw stems from incorrect access to an indexable resource (a range/bounds error, CWE-118) and yields high confidentiality, integrity, and availability impact per the CVSS 7.8 vector. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV, but Microsoft has released a patch.
Use after free in Windows Cloud Files Mini Filter Driver allows an authorized attacker to elevate privileges with a physical attack.
Local privilege escalation in the Windows Connected User Experiences and Telemetry service (DiagTrack) lets an already-authenticated user run arbitrary code with SYSTEM-level rights by triggering a CWE-843 type-confusion condition. The flaw affects a broad range of currently-supported Windows client and server builds, from Windows 10 1607 through Windows 11 26H1 and Windows Server 2016 through 2025. Microsoft has released a patch; there is no public exploit identified at time of analysis and the CVE is not listed in CISA KEV.
Local privilege escalation in the Windows NTFS file-system driver lets an already-authenticated low-privileged user read memory outside allocated bounds (CWE-125) to gain elevated privileges. It affects a broad Windows fleet spanning Windows 10 (1607 through 22H2), Windows 11 (24H2, 25H2, 26H1), and Windows Server 2012 through 2025. Reported by Microsoft with a patch available; no public exploit identified at time of analysis and it is not listed in CISA KEV.
Local privilege escalation in the Microsoft Windows Content Delivery Manager component lets an authenticated low-privileged user elevate to SYSTEM by triggering a use-after-free (CWE-416) memory-corruption condition. The flaw affects a broad range of client and server builds (Windows 10 1809 through Windows 11 26H1, plus Server 2019 and Server 2025), and Microsoft has released a patch. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.
Privilege escalation in Windows Runtime (WinRT) via a use-after-free memory corruption flaw enables a locally authenticated low-privilege attacker to elevate to SYSTEM-level access on Windows 11 (24H2, 25H2, 26H1) and Windows Server 2025. The CVSS scope change (S:C) confirms the exploit crosses a security boundary, yielding full confidentiality, integrity, and availability impact beyond the originating process. No public exploit identified at time of analysis; Microsoft has released a patch via MSRC.
Local privilege escalation in the Windows Runtime affects Windows 11 (24H2, 25H2, 26H1) and Windows Server 2025, where a race condition (CWE-362) in the improperly synchronized handling of a shared resource lets an already-authenticated attacker win a timing window to gain higher privileges. Microsoft reported and patched the issue; there is no public exploit identified at time of analysis and it is not listed in CISA KEV. The CVSS 8.8 with scope-changed impact reflects that a low-privileged local user could reach full SYSTEM-level control of confidentiality, integrity, and availability.
Relative path traversal in DNS Server allows an authorized attacker to execute code over an adjacent network.
Elevation of privilege in the Microsoft Windows RPC API lets an unauthenticated attacker on an adjacent network gain higher privileges by exploiting an improper authentication weakness (CWE-287), provided a user is lured into an interaction. The flaw spans a broad range of client and server builds from Windows Server 2012 through Windows Server 2025 and Windows 10 1607 through Windows 11 26H1. No public exploit identified at time of analysis; the issue was reported by Microsoft, which has released a fix.
Local privilege escalation in Windows User Interface Core (UI Core) affects Windows 11 (24H2, 25H2, 26H1) and Windows Server 2025, where a relative path traversal flaw lets an already-authenticated low-privileged user escalate to higher privileges on the local machine. The CVSS 3.1 score of 7.8 reflects full confidentiality, integrity, and availability impact once triggered, though attack requires local access and existing low-level privileges. Reported by Microsoft with a patch available; no public exploit identified at time of analysis and it is not listed in CISA KEV.
Local privilege escalation in the Windows Projected File System (ProjFS) driver lets an authenticated low-privileged attacker abuse a symbolic-link/junction race (CWE-59 link following) to redirect a privileged file operation and gain SYSTEM-level rights across Windows 10 (1809-22H2), Windows 11 (24H2/25H2/26H1), and Windows Server 2019/2022/2025. Microsoft has released a patch; there is no public exploit identified at time of analysis and the flaw is not listed in CISA KEV.
Privilege escalation in Windows Remote Desktop Services (RDS) lets an authenticated, low-privileged attacker elevate to higher privileges across a network by triggering a use-after-free (CWE-416) memory-corruption condition in the RDS component. The flaw spans a broad range of supported Windows client and server releases (Windows 10/11 and Windows Server 2012 through 2025). Microsoft has released a patch; there is no public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Local code execution in Microsoft Windows NTFS (the New Technology File System driver) arises from a heap-based buffer overflow that lets an attacker run arbitrary code with the privileges of the affected process. The flaw affects a broad swath of supported Windows client and server builds, from Windows 10 1607 and Server 2012 through Windows 11 26H1 and Server 2025. Microsoft (the reporter) has shipped a patch; there is no public exploit identified at time of analysis, and the CVSS vector requires local access plus user interaction, so it is a privilege-escalation/code-execution primitive rather than a remotely-wormable bug.
Out-of-bounds read in Windows DWM Core Library allows an authorized attacker to disclose information locally.
Local privilege escalation in the Windows Kernel affects Windows 11 (24H2, 25H2, 26H1) and Windows Server 2025 (including Server Core), where an authorized attacker can exploit a use-after-free (CWE-416) memory-corruption condition to elevate privileges to SYSTEM. The flaw was reported by Microsoft, which has released a patch, and carries a CVSS 7.8 rating driven entirely by high confidentiality, integrity, and availability impact once local access is obtained. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.
Local code execution in the Windows DirectX graphics component (CVE-2026-50382) lets an already-authenticated user run arbitrary code and, because the CVSS scope is Changed, break out of the calling security context to compromise the wider system. It affects a broad range of Windows client and server builds from Windows 10 1809 through Windows 11 26H1 and Windows Server 2019 through 2025. Microsoft has issued a patch; there is no public exploit identified at time of analysis and the vulnerability is not listed in CISA KEV.
Exposure of sensitive information to an unauthorized actor in Windows Cryptographic Services allows an authorized attacker to disclose information locally.
Local privilege escalation in the Windows OLE (Object Linking and Embedding) component allows an already-authenticated, low-privileged user on affected Windows and Windows Server builds to elevate to higher privileges through an improper authorization check (CWE-285). Microsoft has released a patch, and no public exploit has been identified at time of analysis. Impact is high across confidentiality, integrity, and availability, though exploitation requires prior local code execution.
Buffer over-read in Windows RDP allows an unauthorized attacker to disclose information over a network.