Windows Server 2025
Monthly
Local privilege escalation in the Windows Overlay Filter (WOF) driver allows an authenticated low-privileged user to elevate to SYSTEM by triggering a heap-based buffer overflow (CWE-122). The flaw spans a broad range of client and server SKUs from Windows 10 1607 through Windows 11 26H1 and Windows Server 2012 R2 through Server 2025. Microsoft has shipped a patch; there is no public exploit identified at time of analysis and it is not listed in CISA KEV.
Local privilege escalation in the Microsoft Windows Quality Windows Audio/Video Experience (QWAVE) service lets an already-authenticated, low-privileged user elevate to higher privileges by exploiting a use-after-free (CWE-416) memory-corruption condition. The flaw spans a broad range of builds from Windows 10 1607 and Windows Server 2012 through Windows 11 26H1 and Windows Server 2025. Microsoft has released a patch; there is no public exploit identified at time of analysis, and the CVSS 3.1 base score is 7.0 (AV:L/AC:H/PR:L).
Local privilege escalation in Windows Hyper-V (CWE-416 use-after-free) allows an authenticated attacker already running low-privileged code on an affected host to elevate to higher privileges, with full confidentiality, integrity, and availability impact. Reported by Microsoft and affecting a broad range of Windows 10, Windows 11, and Windows Server builds including Server 2019/2022/2025. No public exploit identified at time of analysis, and it is not listed in CISA KEV.
Denial of service in Microsoft Active Directory Federation Services (AD FS) allows a remote, unauthenticated attacker to crash the service by triggering a stack-based buffer overflow over the network (CVSS 7.5, availability-only impact). Because AD FS brokers single sign-on and federated authentication, a successful attack can knock out login for every downstream application that relies on it. No public exploit has been identified at time of analysis, and it is not listed in CISA KEV.
Denial of service in Microsoft Active Directory Federation Services (AD FS) lets a remote, unauthenticated attacker crash the service by triggering a stack-based buffer overflow (CWE-121) over the network. The flaw affects AD FS as shipped across a broad range of Windows client and server builds (Windows 10/11 and Windows Server 2012 through 2025). Microsoft - the reporting party - has released a patch; there is no public exploit identified at time of analysis and the CVE is not listed in CISA KEV.
Local privilege escalation in the Microsoft Windows App Store component (Windows 10 1607 through Windows 11 26H1, and Windows Server 2016 through 2025) allows an authorized low-privileged attacker to win a race condition on an improperly synchronized shared resource and gain higher privileges. Exploitation is local-only and high-complexity because it depends on reliably hitting a narrow timing window, and no public exploit has been identified at time of analysis. A vendor patch is available via Microsoft's MSRC update guide.
Out-of-bounds read in Windows TCP/IP allows an authorized attacker to disclose information locally.
Missing authentication for critical function in Microsoft Windows DNS allows an authorized attacker to perform tampering locally.
Remote code execution in the Microsoft Windows FTP Service allows an unauthenticated network attacker to run arbitrary code by triggering a heap-based buffer overflow (CWE-122). The flaw affects the FTP service across a broad range of Windows 10, Windows 11, and Windows Server (2019/2022/2025) builds and carries a critical CVSS 9.8 rating with no authentication or user interaction required. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the unauthenticated, network-reachable nature of the bug makes it a high-priority patch target.
Local privilege escalation in Microsoft Windows DNS lets an already-authenticated, low-privileged attacker corrupt heap memory to gain higher (likely SYSTEM) privileges on affected Windows 10, Windows 11, and Windows Server 2022/2025 systems. The flaw is a heap-based buffer overflow (CWE-122) reported by Microsoft itself, with a vendor patch available via MSRC. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, so it currently represents a patch-priority rather than an emergency.
Local privilege escalation in Microsoft Windows WalletService allows an authenticated low-privileged attacker to gain SYSTEM-level rights on the host, per CVSS:3.1 AV:L/AC:L/PR:L (7.8, High). The flaw stems from improper privilege management (CWE-269) in the WalletService component and affects a broad range of Windows client and server builds. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but a vendor patch from Microsoft is available.
Local privilege elevation in the Windows Speech component (Text-to-Speech / speech runtime) affects a broad range of Windows 10, Windows 11, and Windows Server releases, where a use-after-free (CWE-416) lets an already-authenticated local user corrupt memory to run code at higher privilege. Exploitation is non-trivial - it requires local access, low-level authentication, user interaction, and winning a memory-timing condition - and the CVSS 7.5 rating reflects a scope-changed, high-impact outcome. There is no public exploit identified at time of analysis and the CVE is not listed in CISA KEV, so this is a patch-on-cycle EoP rather than an emergency.
Local privilege escalation in the Windows StateRepository API lets an already-authenticated low-privileged user gain higher (typically SYSTEM-level) privileges due to insufficiently granular access control (CWE-1220). It affects a broad range of currently supported Windows client and server builds (Windows 10 1809 through Windows 11 26H1, and Windows Server 2019/2022/2025). The flaw was reported by Microsoft, a vendor patch is available, and there is no public exploit identified at time of analysis (not listed in CISA KEV).
Remote code execution in the Windows Server 2025 DNS Server role allows a privileged, authenticated attacker to run arbitrary code over the network by triggering a use-after-free (CWE-416) memory-corruption condition. The flaw carries a CVSS 8.0 rating with a changed scope, meaning successful exploitation can affect resources beyond the vulnerable component. Microsoft has issued a patch; there is no public exploit identified at time of analysis and the CVE is not listed in CISA KEV.
Integer overflow or wraparound in Windows Storage Spaces Direct allows an unauthorized attacker to elevate privileges with a physical attack.
Use after free in Windows Kernel allows an authorized attacker to elevate privileges locally.
Local privilege escalation in Microsoft Printer Drivers on Windows 11 (24H2, 25H2, 26H1) and Windows Server 2025 allows an authenticated local attacker to gain SYSTEM-level privileges by triggering a use-after-free memory-corruption condition. The flaw grants full confidentiality, integrity, and availability impact (C:H/I:H/A:H) once low-level local access is obtained. Reported by Microsoft with a patch available; there is no public exploit identified at time of analysis and it is not listed in CISA KEV.
Local information disclosure in the Microsoft Windows App Store (Store/AppX component) affects a broad range of Windows 10, Windows 11, and Windows Server releases (1607 through 26H1, Server 2016/2019/2022/2025). An authorized local attacker can leverage a use of uninitialized resource (CWE-908) to read memory contents that should not be exposed, with CVSS 7.1 reflecting high confidentiality impact but requiring low-privileged authenticated local access. There is no public exploit identified at time of analysis, it is not listed in CISA KEV, and Microsoft has released a patch via the MSRC update guide.
Remote code execution in Microsoft Active Directory Domain Services (AD DS) allows an unauthenticated network attacker to corrupt heap memory and run arbitrary code on affected domain controllers. The flaw (CVE-2026-49164, CVSS 8.1) spans a broad range of Windows client and server builds from Windows 10 1607 and Server 2012 through Windows 11 26H1 and Server 2025, with full confidentiality, integrity, and availability impact. Microsoft has released a patch; there is no public exploit identified at time of analysis, and the high attack complexity (AC:H) tempers the practical exploitation likelihood.
Local privilege escalation in the Microsoft Brokering File System (bfs.sys/Bfs component) affects Windows 11 (24H2, 25H2, 26H1) and Windows Server 2025 (including Server Core), where a use-after-free (CWE-416) lets an already-authenticated local attacker corrupt kernel/broker memory to gain SYSTEM-level privileges. Exploitation requires low privileges but high attack complexity, and there is no public exploit identified at time of analysis. Microsoft has released a patch via its MSRC update guide.
Local privilege escalation in Microsoft Windows App Installer (the AppX/MSIX deployment component) lets a low-privileged but authenticated user corrupt memory via a use-after-free (CWE-416) and gain higher privileges on the host. The flaw affects Windows 11 (23H2, 24H2, 25H2, 26H1) and Windows Server 2025, was reported by Microsoft, and has a vendor patch available. There is no public exploit identified at time of analysis and it is not on CISA KEV, though the CVSS 7.0 rating and full C/I/A impact make it a meaningful patch-cycle priority.
Local privilege escalation in Windows App Installer (App Installer / MSIX handler) on Windows 11 (23H2 through 26H1) and Windows Server 2025 lets an already-authenticated local attacker win a timing race to elevate to higher privileges. The flaw stems from improper synchronization of a shared resource during concurrent execution, and Microsoft has released a patch. No public exploit identified at time of analysis, and it is not listed in CISA KEV.
Remote code execution in the Microsoft ODBC Driver for SQL Server (shipped across Windows 10, Windows 11, and Windows Server 2012 through 2025) stems from a heap-based buffer overflow that lets an attacker run arbitrary code over the network. The supplied CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N) scores it 9.8 and marks it unauthenticated, though as a database driver flaw the realistic trigger is a client connecting to a malicious or compromised SQL Server endpoint. There is no public exploit identified at time of analysis and no CISA KEV listing, so this is a high-severity but not yet actively-exploited issue.
Remote code execution in the Windows Bluetooth Port Driver lets an adjacent, unauthenticated attacker corrupt heap memory to run arbitrary code on the target after minimal user interaction. The flaw (CWE-122 heap-based buffer overflow) affects a broad range of client and server SKUs from Windows 10 1607 through Windows 11 26H1 and Windows Server 2012 through 2025, with full confidentiality, integrity, and availability impact (CVSS 8.0). There is no public exploit identified at time of analysis, but a vendor patch is available from Microsoft.
Privilege elevation in the Windows App Store component affects a broad range of Microsoft Windows client and server releases (Windows 10 1607 through Windows 11 26H1, and Windows Server 2016 through 2025), where a race condition (CWE-362) lets an unauthorized attacker win a timing window to gain elevated privileges over a network. The CVSS 3.1 score is 8.1 with a network vector and no authentication (PR:N), but high attack complexity (AC:H) reflects the difficulty of reliably winning the race. There is no public exploit identified at time of analysis and it is not listed in CISA KEV; a vendor patch is available from Microsoft.
Cleartext transmission of sensitive information in Windows Ancillary Function Driver for WinSock allows an authorized attacker to disclose information locally.
Exposure of sensitive information to an unauthorized actor in Windows Media allows an authorized attacker to disclose information locally.
Local privilege escalation in Windows Secure Kernel Mode (SKM/VTL1) allows an already-authenticated attacker to elevate to higher privileges on affected Windows 10, Windows 11 (through 26H1), and Windows Server 2016-2025 systems. The flaw stems from improper consistency validation of input crossing the trust boundary into the isolated secure kernel (CWE-1288), yielding full confidentiality, integrity, and availability impact on the local host. Microsoft has released a patch; there is no public exploit identified at time of analysis and the CVE is not listed in CISA KEV.
BitLocker's protection mechanism on Windows fails to enforce a critical authentication or verification step, permitting a physically present attacker to bypass full-disk encryption without credentials, a recovery key, or elevated privileges. Despite a CVSS score of 6.8 (Medium) - moderated by the physical access requirement - the impact ratings are High across confidentiality, integrity, and availability, meaning successful exploitation grants complete access to encrypted data and the underlying system. No public exploit has been identified at time of analysis, and Microsoft has released a patch via the MSRC update guide.
Security feature bypass in Windows Secure Boot enables a local high-privileged attacker to defeat the platform's boot-time integrity protections, achieving high confidentiality and integrity impact across a changed security scope. The flaw stems from a protection mechanism failure (CWE-284, Improper Access Control) that undermines the trust boundary Secure Boot is designed to enforce. At the time of analysis, no public exploit has been identified and the issue is not listed in CISA KEV, but the scope-changed CVSS of 7.9 reflects the severity of subverting a root-of-trust security control.
Security feature bypass in Windows Secure Boot allows a high-privileged local attacker to circumvent the boot integrity protection mechanism, undermining trust in the Windows boot chain. The flaw (CWE-1329, reliance on a component that is not updateable) carries a CVSS 7.9 rating due to scope change and high impact on confidentiality and integrity, and no public exploit has been identified at time of analysis. Successful exploitation could enable pre-OS persistence such as bootkits, defeating a foundational Windows security control.
Secure Boot bypass in Microsoft Windows allows an authorized local attacker with high privileges to defeat the platform's protection mechanism and tamper with the pre-OS boot chain. The CVSS 7.9 score reflects a scope-changing impact on confidentiality and integrity from a local vector, and no public exploit identified at time of analysis. The single MSRC reference indicates a Microsoft-tracked issue that primarily threatens code-integrity and boot-trust guarantees rather than runtime availability.
Remote code execution in Microsoft Remote Desktop Client is possible via a heap-based buffer overflow that an unauthenticated remote attacker can trigger when a user is convinced to connect to a malicious RDP server. The flaw is rated CVSS 7.5 (High) with attack complexity High and required user interaction, and no public exploit identified at time of analysis. The CWE-416 classification combined with the vendor's tags points to a use-after-free condition reachable through crafted RDP server responses.
Remote code execution in Microsoft Remote Desktop Client is possible when a victim connects to an attacker-controlled or compromised RDP server, triggering a heap-based buffer overflow that leads to arbitrary code execution on the client machine. The flaw is unauthenticated from the server side but requires user interaction and high attack complexity, and no public exploit identified at time of analysis. CVSS is rated 7.5 (High) with confidentiality, integrity, and availability impact.
Remote code execution in Microsoft Remote Desktop Client occurs when a user connects to an attacker-controlled RDP server, allowing the server to corrupt heap memory and execute arbitrary code on the client endpoint. The flaw carries a CVSS 8.8 (High) rating reflecting network reach with required user interaction, and no public exploit is identified at time of analysis. The attack pivots the traditional RDP threat model - attackers compromise clients that initiate outbound connections rather than exposed servers.
Local code execution in Microsoft Windows Hyper-V stems from an out-of-bounds read condition (CWE-122 heap-based buffer overflow) that an attacker with high privileges on a guest or host context can leverage to break confidentiality, integrity, and availability boundaries. The CVSS 8.2 score is elevated by a scope change (S:C), indicating the flaw enables crossing the hypervisor isolation boundary. No public exploit identified at time of analysis, and the vulnerability is not currently listed in CISA KEV.
Heap-based buffer overflow in Microsoft Remote Desktop Client enables remote code execution when a user connects to a malicious RDP server, with the attacker gaining the same privileges as the connecting user. The CVSS 8.8 score reflects network-reachable exploitation requiring only minimal user interaction (initiating an RDP session), and no public exploit has been identified at time of analysis. The flaw is reported by Microsoft Security Response Center (secure@microsoft.com) and is categorized as CWE-122 heap-based buffer overflow.
Security feature bypass in Microsoft Windows BitLocker allows an attacker with physical access to circumvent the drive encryption protection mechanism. Affected systems can have BitLocker-protected data accessed despite the encryption-at-rest control being enabled, undermining a core platform confidentiality boundary. There is no public exploit identified at time of analysis, but the vulnerability is reported by Microsoft (secure@microsoft.com) as a protection mechanism failure with high impact across confidentiality, integrity, and availability.
Secure Boot bypass on Microsoft Windows allows an authorized local attacker with high privileges to defeat a platform integrity protection mechanism, leading to compromise of confidentiality and integrity outside the original security boundary. The scope-changed CVSS 7.9 rating reflects that successful exploitation breaks out of the Secure Boot trust domain, though no public exploit is identified at time of analysis and the issue is not listed in CISA KEV. Microsoft (secure@microsoft.com) issued the advisory via MSRC, and the weakness is classified as improper access control (CWE-284).
Local privilege escalation in Microsoft Windows Kernel allows an authenticated low-privilege attacker to elevate to SYSTEM by triggering a use-after-free condition in kernel memory. The flaw carries a CVSS 7.0 rating with high attack complexity, and no public exploit identified at time of analysis. Exploitation requires a race condition or specific timing to be won, which constrains reliable weaponization but does not eliminate the risk on multi-user or shared Windows hosts.
Local code execution in Microsoft Windows Hyper-V allows an authenticated attacker on a guest or host to escape sandbox boundaries by triggering an out-of-bounds read condition (CWE-843, type confusion) in the hypervisor. The flaw affects Windows 10 (21H2/22H2), Windows 11 (23H2/24H2/25H2/26H1), and Windows Server 2022/2025, with a vendor-released patch available and no public exploit identified at time of analysis. EPSS scoring of 0.15% and SSVC exploitation status of 'none' suggest limited near-term exploitation likelihood despite total technical impact potential.
Information disclosure in Microsoft Windows Remote Desktop Protocol (RDP) allows remote unauthenticated attackers to read out-of-bounds memory over the network, potentially exposing sensitive data from the RDP service process. The flaw is reachable without authentication or user interaction across any exposed RDP endpoint, and no public exploit identified at time of analysis. Microsoft has assigned the issue a CVSS 3.1 score of 7.5 reflecting high confidentiality impact with no integrity or availability effect.
Local privilege escalation in the Windows Ancillary Function Driver (AFD.sys) for WinSock allows an authenticated low-privileged user to gain SYSTEM-level access through a use-after-free condition. The flaw was reported by Microsoft (MSRC) and carries a CVSS 7.8 score with high impact across confidentiality, integrity, and availability. No public exploit identified at time of analysis, though the AFD.sys driver has a long history of similar bugs being weaponized post-disclosure.
Remote code execution in the Microsoft Windows Universal Plug and Play stack (upnp.dll) allows unauthenticated network attackers to execute arbitrary code on affected hosts by triggering a memory-safety flaw in the UPnP service. The issue carries a CVSS 3.1 base score of 8.1 (AV:N/AC:H/PR:N/UI:N), reflecting network reachability without credentials but high attack complexity. At time of analysis there is no public exploit identified and the CVE is not listed in CISA KEV.
Out-of-bounds read in the Windows DHCP Server service enables a locally authenticated, low-privileged attacker to disclose contents of process memory on affected systems. The CVSS vector (AV:L/AC:L/PR:L/UI:N) confirms this is a local, low-complexity attack requiring only standard user privileges - no elevated rights or user interaction needed. Exploitation is constrained to hosts where the Windows DHCP Server role is actively installed and running, which significantly limits the attack surface to designated infrastructure servers rather than general workstations. No public exploit code has been identified at time of analysis, and this CVE does not appear in the CISA KEV catalog.
Out-of-bounds read in Windows DHCP Server exposes adjacent memory contents and can crash the service, yielding both information disclosure and a high-severity denial-of-service condition on affected Windows systems. The flaw (CWE-125) is exploitable locally with low attack complexity and no user interaction, targeting systems where the DHCP Server role is installed across a broad range of Windows 10, 11, and Server editions from 2012 through 2025. No public exploit has been identified at time of analysis, and Microsoft has released patched builds via the MSRC update guide (CVE-2026-45608).
Local privilege escalation in the Windows Ancillary Function Driver for WinSock (afd.sys) allows an authenticated low-privileged user to elevate to SYSTEM by winning a race condition that triggers a use-after-free. The flaw is reported by Microsoft (MSRC) and carries CVSS 7.0 with high attack complexity, but no public exploit is identified at time of analysis and it is not listed in CISA KEV.
Remote tampering in Microsoft Windows DHCP Server allows unauthenticated network attackers to manipulate critical data with high confidentiality and integrity impact, as reflected by the 9.1 CVSS score. The vulnerability is reachable over the network without privileges or user interaction, and no public exploit identified at time of analysis. The combination of authentication bypass tagging and DHCP's role as a core network infrastructure service makes this a high-priority issue for any Windows environment running the DHCP Server role.
Local privilege escalation in the Windows Ancillary Function Driver for WinSock (AFD.sys) allows an authenticated low-privileged attacker to win a race condition and gain SYSTEM-level execution. The flaw is a use-after-free triggered through concurrent WinSock operations, and at time of analysis no public exploit has been identified and the CVE is not on the CISA KEV list.
Local privilege escalation in the Windows Ancillary Function Driver for WinSock (afd.sys) allows an authenticated low-privileged user to win a race condition and trigger a use-after-free, enabling code execution at kernel level. No public exploit identified at time of analysis, but AFD.sys has a long history of being a preferred LPE target and Microsoft has marked the issue as important. EPSS data was not provided in the source feed.
Local code execution in Microsoft Windows Win32K GRFX (graphics) subsystem allows an attacker with low-privilege local access to run arbitrary code by triggering an integer overflow, after coaxing a user into interacting with a crafted graphics object. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV, though Win32K bugs historically attract rapid exploit development for privilege escalation in post-compromise chains.
Local code execution in the Windows Win32K GRFX (graphics) subsystem allows an unauthorized attacker with the ability to run code locally to escalate privileges through an integer overflow. The flaw was reported by Microsoft (MSRC) and carries a CVSS 7.8, but requires user interaction (UI:R) and local access (AV:L), and no public exploit identified at time of analysis.
Local privilege escalation in the Windows Desktop Window Manager (DWM) Core Library allows an authenticated low-privilege attacker to gain higher privileges through a use-after-free memory corruption flaw. The vulnerability carries a CVSS score of 7.8 with high impact across confidentiality, integrity, and availability, and no public exploit identified at time of analysis. Successful exploitation typically yields SYSTEM-level code execution on the affected Windows host.
Remote code execution in Microsoft Remote Desktop Client is possible when a victim connects to an attacker-controlled RDP server, where a heap-based buffer overflow (linked to use-after-free memory corruption per vendor tags) enables arbitrary code execution on the client machine. The CVSS 7.5 score reflects high attack complexity and required user interaction, and no public exploit identified at time of analysis. SSVC assessment from CISA rates exploitation as 'none' and automatable as 'no', though technical impact is total.
Remote code execution in Microsoft Remote Desktop Client arises from a heap-based buffer overflow (CWE-122) that an unauthenticated network attacker can trigger when a victim connects to or interacts with a malicious server. Microsoft (secure@microsoft.com) is the originating reporter and has published an advisory in the MSRC update guide, with no public exploit identified at time of analysis. The CVSS 7.5 (High) rating reflects high attack complexity and required user interaction, but successful exploitation yields full confidentiality, integrity, and availability impact on the client host.
Remote code execution in Microsoft Remote Desktop Client is possible when a user is lured into connecting to an attacker-controlled RDP server, where a heap-based buffer overflow (CWE-122) can be triggered to run arbitrary code on the client machine. The flaw was reported by Microsoft (secure@microsoft.com) and carries a CVSS 3.1 score of 7.5, reflecting high attack complexity and the requirement for user interaction. No public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV.
Remote code execution in Microsoft Remote Desktop Client is possible when a user is enticed to connect to an attacker-controlled RDP server, triggering a heap-based buffer overflow (CWE-122). The flaw scores CVSS 7.5 (AV:N/AC:H/PR:N/UI:R) and, while no public exploit is identified at time of analysis, the network-reachable nature and full CIA impact make it a meaningful client-side risk for users connecting to untrusted endpoints.
Local privilege escalation in the Microsoft Graphics Component allows an authenticated low-privileged attacker to gain elevated rights via a use-after-free memory corruption flaw (CWE-416). The issue carries a CVSS 7.8 (High) rating with full confidentiality, integrity, and availability impact on the affected host. No public exploit identified at time of analysis, and the vulnerability is not currently listed in CISA KEV.
Remote code execution in Microsoft Remote Desktop Client is possible when a victim connects to an attacker-controlled or compromised RDP server, triggering a heap-based buffer overflow that runs attacker code in the client's context. The flaw (CWE-416 use-after-free / heap corruption) carries CVSS 8.8 and requires user interaction, with no public exploit identified at time of analysis. A vendor patch is available via Microsoft MSRC.
Remote code execution in Microsoft Windows Performance Monitor (PerfMon) allows unauthenticated network-based attackers to execute arbitrary code by triggering an integer underflow condition. The flaw carries a CVSS 3.1 score of 8.1 driven by high impact across confidentiality, integrity, and availability, though high attack complexity (AC:H) tempers exploitability. No public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV, but Microsoft has released a patch via MSRC guidance.
Windows Push Notifications contains a use-of-uninitialized-resource flaw (CWE-200) that enables a locally authenticated attacker to read sensitive information from memory without elevation of privilege. Affecting a wide range of Windows 10, Windows 11, and Windows Server builds, the vulnerability requires only low-privilege local access and no user interaction to trigger. No public exploit code has been identified at time of analysis, and CISA SSVC rates exploitation as none with partial technical impact, placing this in a lower-urgency remediation band despite the High confidentiality rating in the CVSS vector.
Windows Push Notifications on multiple Windows 10, Windows 11, and Windows Server versions exposes sensitive memory contents through an uninitialized resource condition, allowing a low-privileged local user to read high-confidentiality data without any user interaction. The CVSS vector (AV:L/PR:L) confirms this is strictly a local privilege issue - no remote attack path exists - limiting its practical blast radius to insider threats and post-compromise lateral reconnaissance. No public exploit has been identified at time of analysis, and Microsoft has released patches addressing all listed affected versions.
Windows Push Notifications contains a use-of-uninitialized-resource flaw (CWE-200) that enables authenticated local attackers to disclose sensitive information across a wide breadth of Microsoft Windows desktop and server platforms. Spanning Windows 10 through Windows 11 25H2 and Windows Server 2012 through Server 2025, the vulnerability carries a CVSS 5.5 Medium score with high confidentiality impact (C:H) but no integrity or availability impact. Microsoft has released patches via the June 2026 Patch Tuesday cycle; no public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog.
Local privilege escalation in the Windows NT OS Kernel allows an authenticated low-privileged user to elevate to higher privileges through an integer underflow condition. The flaw carries a CVSS 7.8 (High) rating with no public exploit identified at time of analysis, but Microsoft has issued a patch via MSRC. Defenders should treat this as a standard Patch-Tuesday-class kernel EoP that becomes a critical post-compromise pivot once initial access is achieved.
Denial-of-service in the Windows TCP/IP stack allows an authenticated attacker on an adjacent network to crash the networking subsystem of affected Windows hosts via an incorrect buffer size calculation. Affected systems span Windows 10 (21H2, 22H2), Windows 11 (23H2 through 26H1), Windows Server 2022, and Windows Server 2025 - all unpatched builds within Microsoft-documented version ranges. No public exploit identified at time of analysis, though Microsoft has released fixes addressable via Windows Update; the vulnerability is not listed in the CISA KEV catalog.
Windows Kerberos out-of-bounds read (CWE-125) allows a low-privilege network attacker to crash the Kerberos authentication service across all actively supported Windows client and server platforms, from Windows Server 2012 through Windows Server 2025 and Windows 11 26H1. The attack requires prior domain authentication and high-complexity triggering conditions (CVSS AC:H), limiting opportunistic mass exploitation, though a successful attack against a domain controller can deny authentication domain-wide by crashing the KDC. Vendor patches are available via the Microsoft MSRC advisory; no public exploit code exists and SSVC confirms no observed exploitation at time of analysis.
Remote code execution in Microsoft Remote Desktop Client is possible when a user connects to an attacker-controlled RDP server, where a heap-based buffer overflow triggered by a race condition (CWE-362) allows arbitrary code execution on the client machine. The flaw carries a CVSS 7.5 (High) rating with high attack complexity and required user interaction, and no public exploit identified at time of analysis. Microsoft has released a patch via MSRC advisory CVE-2026-42913.
Remote code execution in Microsoft Remote Desktop Client is possible when a user connects to an attacker-controlled or compromised RDP endpoint, where a race condition (CWE-362) can be triggered to corrupt heap memory and execute arbitrary code in the client process. The flaw is unauthenticated from the network attacker's perspective but requires user interaction to initiate the connection, and no public exploit has been identified at time of analysis.
Information disclosure in Windows Shell exposes sensitive data to authenticated low-privileged attackers, with a confirmed vendor patch available. The vulnerability stems from CWE-200 improper information exposure within the Windows Shell component, allowing confidentiality compromise with no integrity or availability impact. No public exploit code or CISA KEV listing has been identified at time of analysis, but the high confidentiality impact score (C:H) and low attack complexity elevate practical concern for environments where lateral movement or credential harvesting are threat vectors.
Local privilege escalation in the Windows Projected File System (ProjFS) Filter Driver allows an authenticated low-privileged user on a Windows host to escalate to higher privileges by triggering a buffer over-read in the kernel-mode driver. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV, but the CVSS 7.8 with low attack complexity and no user interaction makes it an attractive post-compromise target for endpoint operators.
Untrusted pointer dereference in Windows Kernel allows an authorized attacker to elevate privileges locally.
Local privilege escalation in Windows Kernel across Windows 10, Windows 11 (versions 22H3 through 26H1), and Windows Server 2022 allows authenticated local attackers to gain SYSTEM-level privileges through heap corruption. Microsoft has released patches addressing this CWE-122 heap-based buffer overflow. EPSS data not available for risk quantification, and no CISA KEV listing indicates exploitation has not been publicly confirmed, though the vulnerability's low attack complexity (AC:L) and minimal prerequisites (PR:L) make it attractive for post-compromise privilege escalation in targeted attacks.
Remote code execution in Windows RRAS across Server 2016, 2022, and 2025 via an integer overflow vulnerability allows authenticated attackers to execute arbitrary code over the network with high privileges. Public exploit code exists for this vulnerability, and no patch is currently available. Authenticated users with network access can trigger the vulnerability through a simple interaction to gain complete system compromise.
Untrusted search path in Windows GDI allows an unauthorized attacker to execute code locally. [CVSS 7.8 HIGH]
Privilege escalation in Windows Telephony Service through heap buffer overflow affects Windows 10 1607, Windows 11 25h2, and Windows Server 2012, allowing adjacent network attackers to gain elevated system access without authentication. The vulnerability has a high CVSS score of 8.8 but currently lacks a patch, creating significant risk for exposed systems. Exploitation requires network proximity but no user interaction.
Unauthorized disclosure of sensitive information in Windows Accessibility Infrastructure (ATBroker.exe) affects Windows Server 2019, 2025, Windows 10 22h2, and Windows 11 25h2, allowing local authenticated attackers to read confidential data. The vulnerability requires user privileges and local access but poses no risk to system integrity or availability. No patch is currently available for this issue.
Windows Shell Link Processing leaks sensitive information over the network in Windows Server 2012, 2019, and 2022, enabling remote spoofing attacks without authentication or user interaction. An unauthenticated attacker can exploit this information disclosure to conduct spoofing attacks against affected systems. No patch is currently available.
Information disclosure in Windows GDI+ affects Windows 11 (24h2, 25h2) and Windows Server 2012/2016, allowing unauthenticated attackers to read sensitive data remotely through an out-of-bounds memory access vulnerability. The flaw requires no user interaction and can be exploited over the network to compromise confidentiality without modifying system data or availability. No patch is currently available for this high-severity vulnerability.
Windows Ancillary Function Driver for WinSock in Windows Server 2025, 2022, and Windows 10 1809 contains insufficient input validation that allows authenticated local users to escalate privileges. An attacker with local access and valid credentials can exploit this vulnerability to gain elevated system permissions, though no patch is currently available. This HIGH severity vulnerability affects multiple Windows Server and client versions with no active exploit mitigation path.
Windows Ancillary Function Driver for WinSock (AFD) in Windows 11 versions 24h2 and 26h1 contains a use-after-free vulnerability (CWE-416) that allows authenticated local attackers to escalate privileges through memory corruption. An attacker with local access could exploit this flaw to gain elevated system permissions, though no official patch is currently available.
Privilege escalation in Windows Active Directory Domain Services (AD DS) across Windows 11, Windows 10, and Windows Server platforms allows authenticated network attackers to gain elevated privileges by exploiting improper validation of resource naming restrictions. An attacker with valid domain credentials can leverage this vulnerability to escalate their access level without user interaction. Currently, no patch is available, leaving all affected Windows versions vulnerable.
Windows Ancillary Function Driver for WinSock in Windows 10 (all versions) and Windows 11 contains an access control weakness that enables authenticated local attackers to escalate privileges to system level. An attacker with standard user credentials can exploit this flaw to gain elevated rights on affected systems. No patch is currently available for this vulnerability.
Windows Extensible File Allocation (exFAT) contains an out-of-bounds read vulnerability affecting Windows Server 2022, Windows 10 1607, and Windows 11 versions 23h2/25h2, enabling authenticated local users to escalate privileges with high impact on confidentiality, integrity, and availability. The vulnerability requires local access and user-level privileges to exploit, with no patch currently available. This flaw carries a CVSS score of 7.8 and affects multiple supported Windows versions across server and client platforms.
Remote code execution in Windows RRAS affects Windows 10 1607 and Windows Server 2022 23h2 through an integer overflow vulnerability exploitable by authenticated network attackers. Public exploit code exists for this vulnerability, enabling authenticated users to execute arbitrary code with high integrity and confidentiality impact. No patch is currently available, making this a critical exposure for affected Windows environments.
Remote code execution in Windows Routing and Remote Access Service (RRAS) across Windows Server 2012, 2022, and 2022 23h2 stems from an integer overflow vulnerability that authenticated network attackers can exploit with user interaction. Public exploit code exists for this vulnerability, enabling attackers to achieve arbitrary code execution with high impact on confidentiality, integrity, and availability. No patch is currently available.
Privilege escalation in Windows Authentication Methods (Windows 10 22H2, Windows 11 26H1) stems from a use-after-free memory vulnerability that allows authenticated local attackers to gain elevated system privileges. The flaw requires low user privileges and manual interaction but provides complete system compromise through code execution. No patch is currently available for this high-severity vulnerability.
Use after free in Windows Hyper-V allows an authorized attacker to elevate privileges locally. [CVSS 7.0 HIGH]
A division by zero flaw in the Microsoft Graphics Component on Windows 10 and Windows 11 systems enables local attackers to trigger a denial of service condition without requiring special privileges or user interaction. The vulnerability affects multiple Windows versions including Windows 10 1607, 22h2 and Windows 11 25h2, 26h1, with no patch currently available.
Microsoft Graphics Component on Windows 10 21H2, Windows Server 2016, and Windows 11 25H2 is vulnerable to a null pointer dereference that enables local denial of service attacks. An attacker with local access can trigger the vulnerability without requiring elevated privileges or user interaction to crash the graphics component and render the system unavailable. No patch is currently available for this medium-severity vulnerability.
Privilege escalation in Microsoft's Brokering File System on Windows 11 (24h2 and 25h2) stems from a use-after-free vulnerability that allows local attackers to gain elevated system privileges. An attacker with local access can exploit memory corruption to execute arbitrary code with higher privileges, potentially compromising system integrity. No patch is currently available for this vulnerability.
Local privilege escalation in the Windows Overlay Filter (WOF) driver allows an authenticated low-privileged user to elevate to SYSTEM by triggering a heap-based buffer overflow (CWE-122). The flaw spans a broad range of client and server SKUs from Windows 10 1607 through Windows 11 26H1 and Windows Server 2012 R2 through Server 2025. Microsoft has shipped a patch; there is no public exploit identified at time of analysis and it is not listed in CISA KEV.
Local privilege escalation in the Microsoft Windows Quality Windows Audio/Video Experience (QWAVE) service lets an already-authenticated, low-privileged user elevate to higher privileges by exploiting a use-after-free (CWE-416) memory-corruption condition. The flaw spans a broad range of builds from Windows 10 1607 and Windows Server 2012 through Windows 11 26H1 and Windows Server 2025. Microsoft has released a patch; there is no public exploit identified at time of analysis, and the CVSS 3.1 base score is 7.0 (AV:L/AC:H/PR:L).
Local privilege escalation in Windows Hyper-V (CWE-416 use-after-free) allows an authenticated attacker already running low-privileged code on an affected host to elevate to higher privileges, with full confidentiality, integrity, and availability impact. Reported by Microsoft and affecting a broad range of Windows 10, Windows 11, and Windows Server builds including Server 2019/2022/2025. No public exploit identified at time of analysis, and it is not listed in CISA KEV.
Denial of service in Microsoft Active Directory Federation Services (AD FS) allows a remote, unauthenticated attacker to crash the service by triggering a stack-based buffer overflow over the network (CVSS 7.5, availability-only impact). Because AD FS brokers single sign-on and federated authentication, a successful attack can knock out login for every downstream application that relies on it. No public exploit has been identified at time of analysis, and it is not listed in CISA KEV.
Denial of service in Microsoft Active Directory Federation Services (AD FS) lets a remote, unauthenticated attacker crash the service by triggering a stack-based buffer overflow (CWE-121) over the network. The flaw affects AD FS as shipped across a broad range of Windows client and server builds (Windows 10/11 and Windows Server 2012 through 2025). Microsoft - the reporting party - has released a patch; there is no public exploit identified at time of analysis and the CVE is not listed in CISA KEV.
Local privilege escalation in the Microsoft Windows App Store component (Windows 10 1607 through Windows 11 26H1, and Windows Server 2016 through 2025) allows an authorized low-privileged attacker to win a race condition on an improperly synchronized shared resource and gain higher privileges. Exploitation is local-only and high-complexity because it depends on reliably hitting a narrow timing window, and no public exploit has been identified at time of analysis. A vendor patch is available via Microsoft's MSRC update guide.
Out-of-bounds read in Windows TCP/IP allows an authorized attacker to disclose information locally.
Missing authentication for critical function in Microsoft Windows DNS allows an authorized attacker to perform tampering locally.
Remote code execution in the Microsoft Windows FTP Service allows an unauthenticated network attacker to run arbitrary code by triggering a heap-based buffer overflow (CWE-122). The flaw affects the FTP service across a broad range of Windows 10, Windows 11, and Windows Server (2019/2022/2025) builds and carries a critical CVSS 9.8 rating with no authentication or user interaction required. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the unauthenticated, network-reachable nature of the bug makes it a high-priority patch target.
Local privilege escalation in Microsoft Windows DNS lets an already-authenticated, low-privileged attacker corrupt heap memory to gain higher (likely SYSTEM) privileges on affected Windows 10, Windows 11, and Windows Server 2022/2025 systems. The flaw is a heap-based buffer overflow (CWE-122) reported by Microsoft itself, with a vendor patch available via MSRC. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, so it currently represents a patch-priority rather than an emergency.
Local privilege escalation in Microsoft Windows WalletService allows an authenticated low-privileged attacker to gain SYSTEM-level rights on the host, per CVSS:3.1 AV:L/AC:L/PR:L (7.8, High). The flaw stems from improper privilege management (CWE-269) in the WalletService component and affects a broad range of Windows client and server builds. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but a vendor patch from Microsoft is available.
Local privilege elevation in the Windows Speech component (Text-to-Speech / speech runtime) affects a broad range of Windows 10, Windows 11, and Windows Server releases, where a use-after-free (CWE-416) lets an already-authenticated local user corrupt memory to run code at higher privilege. Exploitation is non-trivial - it requires local access, low-level authentication, user interaction, and winning a memory-timing condition - and the CVSS 7.5 rating reflects a scope-changed, high-impact outcome. There is no public exploit identified at time of analysis and the CVE is not listed in CISA KEV, so this is a patch-on-cycle EoP rather than an emergency.
Local privilege escalation in the Windows StateRepository API lets an already-authenticated low-privileged user gain higher (typically SYSTEM-level) privileges due to insufficiently granular access control (CWE-1220). It affects a broad range of currently supported Windows client and server builds (Windows 10 1809 through Windows 11 26H1, and Windows Server 2019/2022/2025). The flaw was reported by Microsoft, a vendor patch is available, and there is no public exploit identified at time of analysis (not listed in CISA KEV).
Remote code execution in the Windows Server 2025 DNS Server role allows a privileged, authenticated attacker to run arbitrary code over the network by triggering a use-after-free (CWE-416) memory-corruption condition. The flaw carries a CVSS 8.0 rating with a changed scope, meaning successful exploitation can affect resources beyond the vulnerable component. Microsoft has issued a patch; there is no public exploit identified at time of analysis and the CVE is not listed in CISA KEV.
Integer overflow or wraparound in Windows Storage Spaces Direct allows an unauthorized attacker to elevate privileges with a physical attack.
Use after free in Windows Kernel allows an authorized attacker to elevate privileges locally.
Local privilege escalation in Microsoft Printer Drivers on Windows 11 (24H2, 25H2, 26H1) and Windows Server 2025 allows an authenticated local attacker to gain SYSTEM-level privileges by triggering a use-after-free memory-corruption condition. The flaw grants full confidentiality, integrity, and availability impact (C:H/I:H/A:H) once low-level local access is obtained. Reported by Microsoft with a patch available; there is no public exploit identified at time of analysis and it is not listed in CISA KEV.
Local information disclosure in the Microsoft Windows App Store (Store/AppX component) affects a broad range of Windows 10, Windows 11, and Windows Server releases (1607 through 26H1, Server 2016/2019/2022/2025). An authorized local attacker can leverage a use of uninitialized resource (CWE-908) to read memory contents that should not be exposed, with CVSS 7.1 reflecting high confidentiality impact but requiring low-privileged authenticated local access. There is no public exploit identified at time of analysis, it is not listed in CISA KEV, and Microsoft has released a patch via the MSRC update guide.
Remote code execution in Microsoft Active Directory Domain Services (AD DS) allows an unauthenticated network attacker to corrupt heap memory and run arbitrary code on affected domain controllers. The flaw (CVE-2026-49164, CVSS 8.1) spans a broad range of Windows client and server builds from Windows 10 1607 and Server 2012 through Windows 11 26H1 and Server 2025, with full confidentiality, integrity, and availability impact. Microsoft has released a patch; there is no public exploit identified at time of analysis, and the high attack complexity (AC:H) tempers the practical exploitation likelihood.
Local privilege escalation in the Microsoft Brokering File System (bfs.sys/Bfs component) affects Windows 11 (24H2, 25H2, 26H1) and Windows Server 2025 (including Server Core), where a use-after-free (CWE-416) lets an already-authenticated local attacker corrupt kernel/broker memory to gain SYSTEM-level privileges. Exploitation requires low privileges but high attack complexity, and there is no public exploit identified at time of analysis. Microsoft has released a patch via its MSRC update guide.
Local privilege escalation in Microsoft Windows App Installer (the AppX/MSIX deployment component) lets a low-privileged but authenticated user corrupt memory via a use-after-free (CWE-416) and gain higher privileges on the host. The flaw affects Windows 11 (23H2, 24H2, 25H2, 26H1) and Windows Server 2025, was reported by Microsoft, and has a vendor patch available. There is no public exploit identified at time of analysis and it is not on CISA KEV, though the CVSS 7.0 rating and full C/I/A impact make it a meaningful patch-cycle priority.
Local privilege escalation in Windows App Installer (App Installer / MSIX handler) on Windows 11 (23H2 through 26H1) and Windows Server 2025 lets an already-authenticated local attacker win a timing race to elevate to higher privileges. The flaw stems from improper synchronization of a shared resource during concurrent execution, and Microsoft has released a patch. No public exploit identified at time of analysis, and it is not listed in CISA KEV.
Remote code execution in the Microsoft ODBC Driver for SQL Server (shipped across Windows 10, Windows 11, and Windows Server 2012 through 2025) stems from a heap-based buffer overflow that lets an attacker run arbitrary code over the network. The supplied CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N) scores it 9.8 and marks it unauthenticated, though as a database driver flaw the realistic trigger is a client connecting to a malicious or compromised SQL Server endpoint. There is no public exploit identified at time of analysis and no CISA KEV listing, so this is a high-severity but not yet actively-exploited issue.
Remote code execution in the Windows Bluetooth Port Driver lets an adjacent, unauthenticated attacker corrupt heap memory to run arbitrary code on the target after minimal user interaction. The flaw (CWE-122 heap-based buffer overflow) affects a broad range of client and server SKUs from Windows 10 1607 through Windows 11 26H1 and Windows Server 2012 through 2025, with full confidentiality, integrity, and availability impact (CVSS 8.0). There is no public exploit identified at time of analysis, but a vendor patch is available from Microsoft.
Privilege elevation in the Windows App Store component affects a broad range of Microsoft Windows client and server releases (Windows 10 1607 through Windows 11 26H1, and Windows Server 2016 through 2025), where a race condition (CWE-362) lets an unauthorized attacker win a timing window to gain elevated privileges over a network. The CVSS 3.1 score is 8.1 with a network vector and no authentication (PR:N), but high attack complexity (AC:H) reflects the difficulty of reliably winning the race. There is no public exploit identified at time of analysis and it is not listed in CISA KEV; a vendor patch is available from Microsoft.
Cleartext transmission of sensitive information in Windows Ancillary Function Driver for WinSock allows an authorized attacker to disclose information locally.
Exposure of sensitive information to an unauthorized actor in Windows Media allows an authorized attacker to disclose information locally.
Local privilege escalation in Windows Secure Kernel Mode (SKM/VTL1) allows an already-authenticated attacker to elevate to higher privileges on affected Windows 10, Windows 11 (through 26H1), and Windows Server 2016-2025 systems. The flaw stems from improper consistency validation of input crossing the trust boundary into the isolated secure kernel (CWE-1288), yielding full confidentiality, integrity, and availability impact on the local host. Microsoft has released a patch; there is no public exploit identified at time of analysis and the CVE is not listed in CISA KEV.
BitLocker's protection mechanism on Windows fails to enforce a critical authentication or verification step, permitting a physically present attacker to bypass full-disk encryption without credentials, a recovery key, or elevated privileges. Despite a CVSS score of 6.8 (Medium) - moderated by the physical access requirement - the impact ratings are High across confidentiality, integrity, and availability, meaning successful exploitation grants complete access to encrypted data and the underlying system. No public exploit has been identified at time of analysis, and Microsoft has released a patch via the MSRC update guide.
Security feature bypass in Windows Secure Boot enables a local high-privileged attacker to defeat the platform's boot-time integrity protections, achieving high confidentiality and integrity impact across a changed security scope. The flaw stems from a protection mechanism failure (CWE-284, Improper Access Control) that undermines the trust boundary Secure Boot is designed to enforce. At the time of analysis, no public exploit has been identified and the issue is not listed in CISA KEV, but the scope-changed CVSS of 7.9 reflects the severity of subverting a root-of-trust security control.
Security feature bypass in Windows Secure Boot allows a high-privileged local attacker to circumvent the boot integrity protection mechanism, undermining trust in the Windows boot chain. The flaw (CWE-1329, reliance on a component that is not updateable) carries a CVSS 7.9 rating due to scope change and high impact on confidentiality and integrity, and no public exploit has been identified at time of analysis. Successful exploitation could enable pre-OS persistence such as bootkits, defeating a foundational Windows security control.
Secure Boot bypass in Microsoft Windows allows an authorized local attacker with high privileges to defeat the platform's protection mechanism and tamper with the pre-OS boot chain. The CVSS 7.9 score reflects a scope-changing impact on confidentiality and integrity from a local vector, and no public exploit identified at time of analysis. The single MSRC reference indicates a Microsoft-tracked issue that primarily threatens code-integrity and boot-trust guarantees rather than runtime availability.
Remote code execution in Microsoft Remote Desktop Client is possible via a heap-based buffer overflow that an unauthenticated remote attacker can trigger when a user is convinced to connect to a malicious RDP server. The flaw is rated CVSS 7.5 (High) with attack complexity High and required user interaction, and no public exploit identified at time of analysis. The CWE-416 classification combined with the vendor's tags points to a use-after-free condition reachable through crafted RDP server responses.
Remote code execution in Microsoft Remote Desktop Client is possible when a victim connects to an attacker-controlled or compromised RDP server, triggering a heap-based buffer overflow that leads to arbitrary code execution on the client machine. The flaw is unauthenticated from the server side but requires user interaction and high attack complexity, and no public exploit identified at time of analysis. CVSS is rated 7.5 (High) with confidentiality, integrity, and availability impact.
Remote code execution in Microsoft Remote Desktop Client occurs when a user connects to an attacker-controlled RDP server, allowing the server to corrupt heap memory and execute arbitrary code on the client endpoint. The flaw carries a CVSS 8.8 (High) rating reflecting network reach with required user interaction, and no public exploit is identified at time of analysis. The attack pivots the traditional RDP threat model - attackers compromise clients that initiate outbound connections rather than exposed servers.
Local code execution in Microsoft Windows Hyper-V stems from an out-of-bounds read condition (CWE-122 heap-based buffer overflow) that an attacker with high privileges on a guest or host context can leverage to break confidentiality, integrity, and availability boundaries. The CVSS 8.2 score is elevated by a scope change (S:C), indicating the flaw enables crossing the hypervisor isolation boundary. No public exploit identified at time of analysis, and the vulnerability is not currently listed in CISA KEV.
Heap-based buffer overflow in Microsoft Remote Desktop Client enables remote code execution when a user connects to a malicious RDP server, with the attacker gaining the same privileges as the connecting user. The CVSS 8.8 score reflects network-reachable exploitation requiring only minimal user interaction (initiating an RDP session), and no public exploit has been identified at time of analysis. The flaw is reported by Microsoft Security Response Center (secure@microsoft.com) and is categorized as CWE-122 heap-based buffer overflow.
Security feature bypass in Microsoft Windows BitLocker allows an attacker with physical access to circumvent the drive encryption protection mechanism. Affected systems can have BitLocker-protected data accessed despite the encryption-at-rest control being enabled, undermining a core platform confidentiality boundary. There is no public exploit identified at time of analysis, but the vulnerability is reported by Microsoft (secure@microsoft.com) as a protection mechanism failure with high impact across confidentiality, integrity, and availability.
Secure Boot bypass on Microsoft Windows allows an authorized local attacker with high privileges to defeat a platform integrity protection mechanism, leading to compromise of confidentiality and integrity outside the original security boundary. The scope-changed CVSS 7.9 rating reflects that successful exploitation breaks out of the Secure Boot trust domain, though no public exploit is identified at time of analysis and the issue is not listed in CISA KEV. Microsoft (secure@microsoft.com) issued the advisory via MSRC, and the weakness is classified as improper access control (CWE-284).
Local privilege escalation in Microsoft Windows Kernel allows an authenticated low-privilege attacker to elevate to SYSTEM by triggering a use-after-free condition in kernel memory. The flaw carries a CVSS 7.0 rating with high attack complexity, and no public exploit identified at time of analysis. Exploitation requires a race condition or specific timing to be won, which constrains reliable weaponization but does not eliminate the risk on multi-user or shared Windows hosts.
Local code execution in Microsoft Windows Hyper-V allows an authenticated attacker on a guest or host to escape sandbox boundaries by triggering an out-of-bounds read condition (CWE-843, type confusion) in the hypervisor. The flaw affects Windows 10 (21H2/22H2), Windows 11 (23H2/24H2/25H2/26H1), and Windows Server 2022/2025, with a vendor-released patch available and no public exploit identified at time of analysis. EPSS scoring of 0.15% and SSVC exploitation status of 'none' suggest limited near-term exploitation likelihood despite total technical impact potential.
Information disclosure in Microsoft Windows Remote Desktop Protocol (RDP) allows remote unauthenticated attackers to read out-of-bounds memory over the network, potentially exposing sensitive data from the RDP service process. The flaw is reachable without authentication or user interaction across any exposed RDP endpoint, and no public exploit identified at time of analysis. Microsoft has assigned the issue a CVSS 3.1 score of 7.5 reflecting high confidentiality impact with no integrity or availability effect.
Local privilege escalation in the Windows Ancillary Function Driver (AFD.sys) for WinSock allows an authenticated low-privileged user to gain SYSTEM-level access through a use-after-free condition. The flaw was reported by Microsoft (MSRC) and carries a CVSS 7.8 score with high impact across confidentiality, integrity, and availability. No public exploit identified at time of analysis, though the AFD.sys driver has a long history of similar bugs being weaponized post-disclosure.
Remote code execution in the Microsoft Windows Universal Plug and Play stack (upnp.dll) allows unauthenticated network attackers to execute arbitrary code on affected hosts by triggering a memory-safety flaw in the UPnP service. The issue carries a CVSS 3.1 base score of 8.1 (AV:N/AC:H/PR:N/UI:N), reflecting network reachability without credentials but high attack complexity. At time of analysis there is no public exploit identified and the CVE is not listed in CISA KEV.
Out-of-bounds read in the Windows DHCP Server service enables a locally authenticated, low-privileged attacker to disclose contents of process memory on affected systems. The CVSS vector (AV:L/AC:L/PR:L/UI:N) confirms this is a local, low-complexity attack requiring only standard user privileges - no elevated rights or user interaction needed. Exploitation is constrained to hosts where the Windows DHCP Server role is actively installed and running, which significantly limits the attack surface to designated infrastructure servers rather than general workstations. No public exploit code has been identified at time of analysis, and this CVE does not appear in the CISA KEV catalog.
Out-of-bounds read in Windows DHCP Server exposes adjacent memory contents and can crash the service, yielding both information disclosure and a high-severity denial-of-service condition on affected Windows systems. The flaw (CWE-125) is exploitable locally with low attack complexity and no user interaction, targeting systems where the DHCP Server role is installed across a broad range of Windows 10, 11, and Server editions from 2012 through 2025. No public exploit has been identified at time of analysis, and Microsoft has released patched builds via the MSRC update guide (CVE-2026-45608).
Local privilege escalation in the Windows Ancillary Function Driver for WinSock (afd.sys) allows an authenticated low-privileged user to elevate to SYSTEM by winning a race condition that triggers a use-after-free. The flaw is reported by Microsoft (MSRC) and carries CVSS 7.0 with high attack complexity, but no public exploit is identified at time of analysis and it is not listed in CISA KEV.
Remote tampering in Microsoft Windows DHCP Server allows unauthenticated network attackers to manipulate critical data with high confidentiality and integrity impact, as reflected by the 9.1 CVSS score. The vulnerability is reachable over the network without privileges or user interaction, and no public exploit identified at time of analysis. The combination of authentication bypass tagging and DHCP's role as a core network infrastructure service makes this a high-priority issue for any Windows environment running the DHCP Server role.
Local privilege escalation in the Windows Ancillary Function Driver for WinSock (AFD.sys) allows an authenticated low-privileged attacker to win a race condition and gain SYSTEM-level execution. The flaw is a use-after-free triggered through concurrent WinSock operations, and at time of analysis no public exploit has been identified and the CVE is not on the CISA KEV list.
Local privilege escalation in the Windows Ancillary Function Driver for WinSock (afd.sys) allows an authenticated low-privileged user to win a race condition and trigger a use-after-free, enabling code execution at kernel level. No public exploit identified at time of analysis, but AFD.sys has a long history of being a preferred LPE target and Microsoft has marked the issue as important. EPSS data was not provided in the source feed.
Local code execution in Microsoft Windows Win32K GRFX (graphics) subsystem allows an attacker with low-privilege local access to run arbitrary code by triggering an integer overflow, after coaxing a user into interacting with a crafted graphics object. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV, though Win32K bugs historically attract rapid exploit development for privilege escalation in post-compromise chains.
Local code execution in the Windows Win32K GRFX (graphics) subsystem allows an unauthorized attacker with the ability to run code locally to escalate privileges through an integer overflow. The flaw was reported by Microsoft (MSRC) and carries a CVSS 7.8, but requires user interaction (UI:R) and local access (AV:L), and no public exploit identified at time of analysis.
Local privilege escalation in the Windows Desktop Window Manager (DWM) Core Library allows an authenticated low-privilege attacker to gain higher privileges through a use-after-free memory corruption flaw. The vulnerability carries a CVSS score of 7.8 with high impact across confidentiality, integrity, and availability, and no public exploit identified at time of analysis. Successful exploitation typically yields SYSTEM-level code execution on the affected Windows host.
Remote code execution in Microsoft Remote Desktop Client is possible when a victim connects to an attacker-controlled RDP server, where a heap-based buffer overflow (linked to use-after-free memory corruption per vendor tags) enables arbitrary code execution on the client machine. The CVSS 7.5 score reflects high attack complexity and required user interaction, and no public exploit identified at time of analysis. SSVC assessment from CISA rates exploitation as 'none' and automatable as 'no', though technical impact is total.
Remote code execution in Microsoft Remote Desktop Client arises from a heap-based buffer overflow (CWE-122) that an unauthenticated network attacker can trigger when a victim connects to or interacts with a malicious server. Microsoft (secure@microsoft.com) is the originating reporter and has published an advisory in the MSRC update guide, with no public exploit identified at time of analysis. The CVSS 7.5 (High) rating reflects high attack complexity and required user interaction, but successful exploitation yields full confidentiality, integrity, and availability impact on the client host.
Remote code execution in Microsoft Remote Desktop Client is possible when a user is lured into connecting to an attacker-controlled RDP server, where a heap-based buffer overflow (CWE-122) can be triggered to run arbitrary code on the client machine. The flaw was reported by Microsoft (secure@microsoft.com) and carries a CVSS 3.1 score of 7.5, reflecting high attack complexity and the requirement for user interaction. No public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV.
Remote code execution in Microsoft Remote Desktop Client is possible when a user is enticed to connect to an attacker-controlled RDP server, triggering a heap-based buffer overflow (CWE-122). The flaw scores CVSS 7.5 (AV:N/AC:H/PR:N/UI:R) and, while no public exploit is identified at time of analysis, the network-reachable nature and full CIA impact make it a meaningful client-side risk for users connecting to untrusted endpoints.
Local privilege escalation in the Microsoft Graphics Component allows an authenticated low-privileged attacker to gain elevated rights via a use-after-free memory corruption flaw (CWE-416). The issue carries a CVSS 7.8 (High) rating with full confidentiality, integrity, and availability impact on the affected host. No public exploit identified at time of analysis, and the vulnerability is not currently listed in CISA KEV.
Remote code execution in Microsoft Remote Desktop Client is possible when a victim connects to an attacker-controlled or compromised RDP server, triggering a heap-based buffer overflow that runs attacker code in the client's context. The flaw (CWE-416 use-after-free / heap corruption) carries CVSS 8.8 and requires user interaction, with no public exploit identified at time of analysis. A vendor patch is available via Microsoft MSRC.
Remote code execution in Microsoft Windows Performance Monitor (PerfMon) allows unauthenticated network-based attackers to execute arbitrary code by triggering an integer underflow condition. The flaw carries a CVSS 3.1 score of 8.1 driven by high impact across confidentiality, integrity, and availability, though high attack complexity (AC:H) tempers exploitability. No public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV, but Microsoft has released a patch via MSRC guidance.
Windows Push Notifications contains a use-of-uninitialized-resource flaw (CWE-200) that enables a locally authenticated attacker to read sensitive information from memory without elevation of privilege. Affecting a wide range of Windows 10, Windows 11, and Windows Server builds, the vulnerability requires only low-privilege local access and no user interaction to trigger. No public exploit code has been identified at time of analysis, and CISA SSVC rates exploitation as none with partial technical impact, placing this in a lower-urgency remediation band despite the High confidentiality rating in the CVSS vector.
Windows Push Notifications on multiple Windows 10, Windows 11, and Windows Server versions exposes sensitive memory contents through an uninitialized resource condition, allowing a low-privileged local user to read high-confidentiality data without any user interaction. The CVSS vector (AV:L/PR:L) confirms this is strictly a local privilege issue - no remote attack path exists - limiting its practical blast radius to insider threats and post-compromise lateral reconnaissance. No public exploit has been identified at time of analysis, and Microsoft has released patches addressing all listed affected versions.
Windows Push Notifications contains a use-of-uninitialized-resource flaw (CWE-200) that enables authenticated local attackers to disclose sensitive information across a wide breadth of Microsoft Windows desktop and server platforms. Spanning Windows 10 through Windows 11 25H2 and Windows Server 2012 through Server 2025, the vulnerability carries a CVSS 5.5 Medium score with high confidentiality impact (C:H) but no integrity or availability impact. Microsoft has released patches via the June 2026 Patch Tuesday cycle; no public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog.
Local privilege escalation in the Windows NT OS Kernel allows an authenticated low-privileged user to elevate to higher privileges through an integer underflow condition. The flaw carries a CVSS 7.8 (High) rating with no public exploit identified at time of analysis, but Microsoft has issued a patch via MSRC. Defenders should treat this as a standard Patch-Tuesday-class kernel EoP that becomes a critical post-compromise pivot once initial access is achieved.
Denial-of-service in the Windows TCP/IP stack allows an authenticated attacker on an adjacent network to crash the networking subsystem of affected Windows hosts via an incorrect buffer size calculation. Affected systems span Windows 10 (21H2, 22H2), Windows 11 (23H2 through 26H1), Windows Server 2022, and Windows Server 2025 - all unpatched builds within Microsoft-documented version ranges. No public exploit identified at time of analysis, though Microsoft has released fixes addressable via Windows Update; the vulnerability is not listed in the CISA KEV catalog.
Windows Kerberos out-of-bounds read (CWE-125) allows a low-privilege network attacker to crash the Kerberos authentication service across all actively supported Windows client and server platforms, from Windows Server 2012 through Windows Server 2025 and Windows 11 26H1. The attack requires prior domain authentication and high-complexity triggering conditions (CVSS AC:H), limiting opportunistic mass exploitation, though a successful attack against a domain controller can deny authentication domain-wide by crashing the KDC. Vendor patches are available via the Microsoft MSRC advisory; no public exploit code exists and SSVC confirms no observed exploitation at time of analysis.
Remote code execution in Microsoft Remote Desktop Client is possible when a user connects to an attacker-controlled RDP server, where a heap-based buffer overflow triggered by a race condition (CWE-362) allows arbitrary code execution on the client machine. The flaw carries a CVSS 7.5 (High) rating with high attack complexity and required user interaction, and no public exploit identified at time of analysis. Microsoft has released a patch via MSRC advisory CVE-2026-42913.
Remote code execution in Microsoft Remote Desktop Client is possible when a user connects to an attacker-controlled or compromised RDP endpoint, where a race condition (CWE-362) can be triggered to corrupt heap memory and execute arbitrary code in the client process. The flaw is unauthenticated from the network attacker's perspective but requires user interaction to initiate the connection, and no public exploit has been identified at time of analysis.
Information disclosure in Windows Shell exposes sensitive data to authenticated low-privileged attackers, with a confirmed vendor patch available. The vulnerability stems from CWE-200 improper information exposure within the Windows Shell component, allowing confidentiality compromise with no integrity or availability impact. No public exploit code or CISA KEV listing has been identified at time of analysis, but the high confidentiality impact score (C:H) and low attack complexity elevate practical concern for environments where lateral movement or credential harvesting are threat vectors.
Local privilege escalation in the Windows Projected File System (ProjFS) Filter Driver allows an authenticated low-privileged user on a Windows host to escalate to higher privileges by triggering a buffer over-read in the kernel-mode driver. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV, but the CVSS 7.8 with low attack complexity and no user interaction makes it an attractive post-compromise target for endpoint operators.
Untrusted pointer dereference in Windows Kernel allows an authorized attacker to elevate privileges locally.
Local privilege escalation in Windows Kernel across Windows 10, Windows 11 (versions 22H3 through 26H1), and Windows Server 2022 allows authenticated local attackers to gain SYSTEM-level privileges through heap corruption. Microsoft has released patches addressing this CWE-122 heap-based buffer overflow. EPSS data not available for risk quantification, and no CISA KEV listing indicates exploitation has not been publicly confirmed, though the vulnerability's low attack complexity (AC:L) and minimal prerequisites (PR:L) make it attractive for post-compromise privilege escalation in targeted attacks.
Remote code execution in Windows RRAS across Server 2016, 2022, and 2025 via an integer overflow vulnerability allows authenticated attackers to execute arbitrary code over the network with high privileges. Public exploit code exists for this vulnerability, and no patch is currently available. Authenticated users with network access can trigger the vulnerability through a simple interaction to gain complete system compromise.
Untrusted search path in Windows GDI allows an unauthorized attacker to execute code locally. [CVSS 7.8 HIGH]
Privilege escalation in Windows Telephony Service through heap buffer overflow affects Windows 10 1607, Windows 11 25h2, and Windows Server 2012, allowing adjacent network attackers to gain elevated system access without authentication. The vulnerability has a high CVSS score of 8.8 but currently lacks a patch, creating significant risk for exposed systems. Exploitation requires network proximity but no user interaction.
Unauthorized disclosure of sensitive information in Windows Accessibility Infrastructure (ATBroker.exe) affects Windows Server 2019, 2025, Windows 10 22h2, and Windows 11 25h2, allowing local authenticated attackers to read confidential data. The vulnerability requires user privileges and local access but poses no risk to system integrity or availability. No patch is currently available for this issue.
Windows Shell Link Processing leaks sensitive information over the network in Windows Server 2012, 2019, and 2022, enabling remote spoofing attacks without authentication or user interaction. An unauthenticated attacker can exploit this information disclosure to conduct spoofing attacks against affected systems. No patch is currently available.
Information disclosure in Windows GDI+ affects Windows 11 (24h2, 25h2) and Windows Server 2012/2016, allowing unauthenticated attackers to read sensitive data remotely through an out-of-bounds memory access vulnerability. The flaw requires no user interaction and can be exploited over the network to compromise confidentiality without modifying system data or availability. No patch is currently available for this high-severity vulnerability.
Windows Ancillary Function Driver for WinSock in Windows Server 2025, 2022, and Windows 10 1809 contains insufficient input validation that allows authenticated local users to escalate privileges. An attacker with local access and valid credentials can exploit this vulnerability to gain elevated system permissions, though no patch is currently available. This HIGH severity vulnerability affects multiple Windows Server and client versions with no active exploit mitigation path.
Windows Ancillary Function Driver for WinSock (AFD) in Windows 11 versions 24h2 and 26h1 contains a use-after-free vulnerability (CWE-416) that allows authenticated local attackers to escalate privileges through memory corruption. An attacker with local access could exploit this flaw to gain elevated system permissions, though no official patch is currently available.
Privilege escalation in Windows Active Directory Domain Services (AD DS) across Windows 11, Windows 10, and Windows Server platforms allows authenticated network attackers to gain elevated privileges by exploiting improper validation of resource naming restrictions. An attacker with valid domain credentials can leverage this vulnerability to escalate their access level without user interaction. Currently, no patch is available, leaving all affected Windows versions vulnerable.
Windows Ancillary Function Driver for WinSock in Windows 10 (all versions) and Windows 11 contains an access control weakness that enables authenticated local attackers to escalate privileges to system level. An attacker with standard user credentials can exploit this flaw to gain elevated rights on affected systems. No patch is currently available for this vulnerability.
Windows Extensible File Allocation (exFAT) contains an out-of-bounds read vulnerability affecting Windows Server 2022, Windows 10 1607, and Windows 11 versions 23h2/25h2, enabling authenticated local users to escalate privileges with high impact on confidentiality, integrity, and availability. The vulnerability requires local access and user-level privileges to exploit, with no patch currently available. This flaw carries a CVSS score of 7.8 and affects multiple supported Windows versions across server and client platforms.
Remote code execution in Windows RRAS affects Windows 10 1607 and Windows Server 2022 23h2 through an integer overflow vulnerability exploitable by authenticated network attackers. Public exploit code exists for this vulnerability, enabling authenticated users to execute arbitrary code with high integrity and confidentiality impact. No patch is currently available, making this a critical exposure for affected Windows environments.
Remote code execution in Windows Routing and Remote Access Service (RRAS) across Windows Server 2012, 2022, and 2022 23h2 stems from an integer overflow vulnerability that authenticated network attackers can exploit with user interaction. Public exploit code exists for this vulnerability, enabling attackers to achieve arbitrary code execution with high impact on confidentiality, integrity, and availability. No patch is currently available.
Privilege escalation in Windows Authentication Methods (Windows 10 22H2, Windows 11 26H1) stems from a use-after-free memory vulnerability that allows authenticated local attackers to gain elevated system privileges. The flaw requires low user privileges and manual interaction but provides complete system compromise through code execution. No patch is currently available for this high-severity vulnerability.
Use after free in Windows Hyper-V allows an authorized attacker to elevate privileges locally. [CVSS 7.0 HIGH]
A division by zero flaw in the Microsoft Graphics Component on Windows 10 and Windows 11 systems enables local attackers to trigger a denial of service condition without requiring special privileges or user interaction. The vulnerability affects multiple Windows versions including Windows 10 1607, 22h2 and Windows 11 25h2, 26h1, with no patch currently available.
Microsoft Graphics Component on Windows 10 21H2, Windows Server 2016, and Windows 11 25H2 is vulnerable to a null pointer dereference that enables local denial of service attacks. An attacker with local access can trigger the vulnerability without requiring elevated privileges or user interaction to crash the graphics component and render the system unavailable. No patch is currently available for this medium-severity vulnerability.
Privilege escalation in Microsoft's Brokering File System on Windows 11 (24h2 and 25h2) stems from a use-after-free vulnerability that allows local attackers to gain elevated system privileges. An attacker with local access can exploit memory corruption to execute arbitrary code with higher privileges, potentially compromising system integrity. No patch is currently available for this vulnerability.