Skip to main content

Windows Server 2025

1235 CVEs product

Monthly

CVE-2026-25165 HIGH PATCH This Week

Privilege escalation in Windows Performance Counters via null pointer dereference affects Windows Server 2019 and Windows 11 systems, enabling authenticated local attackers to gain elevated privileges. The vulnerability impacts systems where users have standard account access, allowing them to escalate to higher privilege levels on affected machines. No patch is currently available.

Null Pointer Dereference Microsoft Denial Of Service Windows Server 2019 Windows 11 26h1 +13
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-24296 HIGH PATCH This Week

Privilege escalation in Windows Device Association Service (Windows 10 versions 1607, 1809, and 21H2) stems from improper synchronization of shared resources, enabling local authenticated users to gain elevated system privileges. The vulnerability requires high attack complexity and no user interaction, making it exploitable by insiders or compromised local accounts. No patch is currently available.

Race Condition Microsoft Information Disclosure Windows Server 2022 23h2 Windows Server 2019 +13
NVD VulDB
CVSS 3.1
7.0
EPSS
0.0%
CVE-2026-24295 HIGH PATCH This Week

Privilege escalation in Windows Device Association Service across Windows 10, 11, and Server 2022 stems from improper synchronization of shared resources, enabling local authenticated users to gain elevated system privileges. The vulnerability requires local access and specific timing conditions but poses high risk due to its impact on confidentiality, integrity, and availability. No patch is currently available.

Race Condition Microsoft Information Disclosure Windows Server 2022 23h2 Windows 11 24h2 +12
NVD VulDB
CVSS 3.1
7.0
EPSS
0.0%
CVE-2026-24294 HIGH PATCH This Week

Windows SMB Server authentication bypass across multiple versions (Windows 10 1607, Windows 11 23h2, Windows Server 2012/2025) permits authenticated local users to escalate privileges with high impact to confidentiality, integrity, and availability. The vulnerability stems from improper authentication validation in the SMB service, allowing a local attacker to gain system-level access without user interaction. No patch is currently available, leaving affected systems vulnerable to privilege escalation attacks from any authenticated user.

Microsoft Authentication Bypass Windows 10 1607 Windows 10 1809 Windows 10 21h2 +11
NVD VulDB GitHub
CVSS 3.1
7.8
EPSS
0.1%
CVE-2026-24293 HIGH PATCH This Week

Privilege escalation in Windows Ancillary Function Driver for WinSock affects Windows 11 24H2, Windows Server 2022, and Windows Server 2025, allowing authenticated local attackers to gain system-level access through null pointer dereference. The vulnerability requires valid user credentials and local access but no user interaction to exploit. No patch is currently available.

Null Pointer Dereference Microsoft Denial Of Service Windows Server 2022 Windows 11 24h2 +7
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-24292 HIGH PATCH This Week

Privilege escalation in Windows Connected Devices Platform Service (Cdpsvc) exploits a use-after-free memory vulnerability, affecting Windows 10 22h2 and Windows 11 (25h2, 26h1). An authenticated local attacker can leverage this flaw to gain system-level privileges on vulnerable systems. No patch is currently available for this high-severity vulnerability.

Use After Free Denial Of Service Memory Corruption Windows 10 22h2 Windows 11 25h2 +10
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-24291 HIGH PATCH This Week

Privilege escalation in Windows Accessibility Infrastructure (ATBroker.exe) across Windows 10, Windows 11, and Windows Server 2022 stems from improper permission assignments on a critical resource. A local authenticated attacker can exploit this misconfiguration to gain elevated privileges without user interaction. No patch is currently available for this vulnerability.

Information Disclosure Microsoft Windows Server 2022 Windows 11 25h2 Windows 11 23h2 +12
NVD VulDB
CVSS 3.1
7.8
EPSS
0.1%
CVE-2026-24290 HIGH PATCH This Week

Windows Projected File System in Windows 11 and Server 2022 contains improper access control that enables authenticated local users to escalate privileges to system level. An attacker with valid credentials can exploit this vulnerability to gain elevated permissions without user interaction. Currently, no patch is available to address this issue.

Microsoft Authentication Bypass Windows 11 24h2 Windows Server 2022 23h2 Windows 11 26h1 +9
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-24289 HIGH PATCH This Week

Use after free in Windows Kernel allows an authorized attacker to elevate privileges locally. [CVSS 7.8 HIGH]

Use After Free Microsoft Denial Of Service Memory Corruption Windows 10 22h2 +13
NVD VulDB
CVSS 3.1
7.8
EPSS
0.1%
CVE-2026-24287 HIGH PATCH This Week

Windows Kernel path traversal vulnerability in Server 2025, Server 2022, Windows 11 24h2, and Windows 10 22h2 enables authenticated local attackers to achieve full system compromise through privilege escalation. The flaw allows an authorized user to manipulate file name or path parameters, bypassing access controls and gaining kernel-level privileges. No patch is currently available.

Information Disclosure Microsoft Windows Server 2025 Windows 11 24h2 Windows Server 2022 23h2 +9
NVD VulDB
CVSS 3.1
7.8
EPSS
0.1%
CVE-2026-24283 HIGH PATCH This Week

Privilege escalation in Windows 11 (24h2, 26h1) and Windows Server 2022 (23h2) via heap overflow allows authenticated local users to gain system-level access. The vulnerability requires valid credentials but no user interaction, making it a direct path to complete system compromise. No patch is currently available.

Buffer Overflow Heap Overflow Microsoft Windows 11 24h2 Windows 11 26h1 +4
NVD VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-23674 HIGH PATCH This Week

Windows MapUrlToZone security bypass in Windows 11 24H2, Windows 10 21H2, and Windows Server 2016/2025 allows unauthenticated remote attackers to circumvent zone-based security restrictions through improper path equivalence resolution. An attacker can exploit this network-accessible vulnerability without user interaction to bypass intended access controls. No patch is currently available for this high-severity vulnerability.

Microsoft Authentication Bypass Windows 11 24h2 Windows 10 21h2 Windows Server 2025 +12
NVD VulDB
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-23673 HIGH PATCH This Week

Windows ReFS contains an out-of-bounds read vulnerability affecting Server 2019, 2022, 2025, and Windows 11 26h1 that enables authenticated local users to escalate privileges with high impact to confidentiality, integrity, and availability. The vulnerability requires low attack complexity and no user interaction, making it exploitable by any authenticated user on the system. No patch is currently available for this HIGH severity issue.

Information Disclosure Microsoft Buffer Overflow Windows Server 2019 Windows Server 2025 +13
NVD VulDB
CVSS 3.1
7.8
EPSS
0.1%
CVE-2026-23672 HIGH PATCH This Week

Windows Universal Disk Format File System Driver (UDFS) Elevation of Privilege Vulnerability [CVSS 7.8 HIGH]

Information Disclosure Buffer Overflow Microsoft Windows 11 25h2 Windows Server 2019 +13
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-23671 HIGH PATCH This Week

Privilege escalation in the Windows Bluetooth RFCOM Protocol Driver across Windows 11 26h1, Windows Server 2025, and Windows 10 1809 stems from improper synchronization of concurrent access to shared resources. An authenticated local attacker can exploit this race condition to gain elevated privileges on affected systems. No patch is currently available for this vulnerability.

Race Condition Information Disclosure Microsoft Windows 11 26h1 Windows Server 2025 +12
NVD VulDB
CVSS 3.1
7.0
EPSS
0.0%
CVE-2026-21519 HIGH KEV PATCH THREAT Act Now

Desktop Window Manager (DWM) in Windows contains a type confusion vulnerability (CVE-2026-21519, CVSS 7.8) that enables authorized local attackers to escalate privileges. KEV-listed, this kernel-level vulnerability in the Windows compositor allows any authenticated user to achieve SYSTEM-level access through exploitation of an incompatible type access in DWM's resource handling.

Buffer Overflow Windows 11 24h2 Windows 11 23h2 Windows 10 21h2 Windows Server 2022 23h2 +9
NVD VulDB
CVSS 3.1
7.8
EPSS
3.1%
CVE-2026-21510 HIGH POC KEV PATCH THREAT Act Now

Windows Shell contains a protection mechanism failure (CVE-2026-21510, CVSS 8.8) that allows unauthenticated remote attackers to bypass security features over a network. KEV-listed, this vulnerability in the core Windows Shell component enables remote code execution by circumventing security boundaries designed to prevent execution of untrusted content received from the network.

Windows Windows 11 23h2 Windows Server 2016 Windows 10 21h2 Windows Server 2025 +10
NVD VulDB GitHub
CVSS 3.1
8.8
EPSS
3.8%
CVE-2026-21508 HIGH PATCH This Week

Windows Storage component contains an authentication bypass that enables authenticated local users to escalate privileges on Windows 10, Windows 11, and Windows Server 2016/2019 systems. An attacker with valid local credentials can exploit this vulnerability to gain elevated system access without user interaction. No patch is currently available for this HIGH severity issue affecting multiple Windows versions.

Windows Windows 10 1809 Windows Server 2016 Windows 11 24h2 Windows 10 1607 +10
NVD
CVSS 3.1
7.0
EPSS
0.0%
CVE-2026-21255 HIGH PATCH This Week

Windows Hyper-V fails to properly enforce access controls, enabling local authenticated users to circumvent security features and gain unauthorized system access. This high-severity flaw affects Windows 10, Windows 11, Windows Server 2022, and Hyper-V implementations, allowing privileged attackers to escalate privileges across system boundaries. No patch is currently available for this vulnerability.

Windows Hyper-V Windows 10 1607 Windows 11 25h2 Windows Server 2022 +10
NVD
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-21251 HIGH PATCH This Week

Privilege escalation in Windows Cluster Client Failover exploits a use-after-free memory vulnerability, enabling authenticated local users to gain elevated system privileges. The flaw affects Windows Server 2016, 2019, and 2025 installations where an attacker with existing local access can trigger the vulnerability through the failover clustering component. No patch is currently available for this high-severity vulnerability.

Windows Use After Free Windows Server 2019 Windows Server 2025 Windows Server 2016 +3
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-21250 HIGH POC PATCH This Week

Windows HTTP.sys contains an unsafe pointer dereference vulnerability that enables authenticated local attackers to escalate privileges on affected systems including Windows 11, Windows Server 2025, and related versions. An attacker with local user access can exploit this flaw to gain system-level privileges with high confidence in successful exploitation. No patch is currently available for this vulnerability.

Windows Windows Server 2025 Windows 11 24h2 Windows Server 2022 23h2 Windows 11 25h2 +1
NVD Exploit-DB VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-21248 HIGH POC PATCH This Week

Heap overflow in Windows Hyper-V enables authenticated local users to achieve arbitrary code execution with high privileges on affected Windows and Windows Server systems. An attacker with local access and user-level permissions can trigger memory corruption through user interaction to compromise system integrity and confidentiality. This vulnerability affects Windows 10 1809, Windows Server 2025, and related Hyper-V implementations with no patch currently available.

Windows Hyper-V Buffer Overflow Heap Overflow Windows Server 2025 +12
NVD Exploit-DB VulDB
CVSS 3.1
7.3
EPSS
0.0%
CVE-2026-21247 HIGH PATCH This Week

Improper input validation in Windows Hyper-V allows an authorized attacker to execute code locally. [CVSS 7.3 HIGH]

Windows Hyper-V Windows 11 24h2 Windows 10 22h2 Windows Server 2022 +10
NVD
CVSS 3.1
7.3
EPSS
0.0%
CVE-2026-21246 HIGH PATCH This Week

Privilege escalation in Microsoft Graphics Component on Windows 11 24H2 and Windows 10 21H2 exploits a heap buffer overflow to allow authenticated local attackers to gain system-level access. The vulnerability requires local access and user interaction is not required, presenting a significant risk in multi-user environments. No patch is currently available.

Microsoft Industrial Buffer Overflow Heap Overflow Windows 11 24h2 +12
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-21245 HIGH PATCH This Week

Windows Kernel heap overflow in Windows 11 25h2 and Windows Server 2025 enables authenticated local attackers to achieve privilege escalation with high impact on confidentiality, integrity, and availability. The vulnerability requires local access and user privileges but no user interaction, making it a practical attack vector for lateral movement within systems. No patch is currently available, leaving affected systems exposed until remediation is released.

Linux Windows Buffer Overflow Heap Overflow Windows 11 25h2 +3
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-21244 HIGH POC PATCH This Week

Heap overflow in Windows Hyper-V enables authenticated local users to achieve arbitrary code execution with high privileges (CVSS 7.3). Exploitation requires user interaction and local system access, affecting Windows 10 1809 and Windows Server 2025. No patch is currently available.

Windows Hyper-V Buffer Overflow Heap Overflow Windows 10 1809 +12
NVD Exploit-DB VulDB
CVSS 3.1
7.3
EPSS
0.0%
CVE-2026-21243 HIGH PATCH This Week

Windows LDAP service in Server 2022 and 2022 23H2 is vulnerable to denial of service through a null pointer dereference that can be triggered remotely without authentication. An attacker can exploit this flaw over the network to crash the LDAP service and disrupt directory access functionality. No patch is currently available for this vulnerability.

Windows LDAP Null Pointer Dereference Windows Server 2022 Windows Server 2022 23h2 +3
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-21242 HIGH PATCH This Week

Windows Subsystem for Linux contains a use-after-free vulnerability that enables local privilege escalation for authenticated users. An attacker with valid local access could exploit this memory safety flaw to gain elevated system privileges on affected Windows Server 2022 systems.

Linux Windows Use After Free Windows Server 2022 Windows Server 2022 23h2 +7
NVD
CVSS 3.1
7.0
EPSS
0.0%
CVE-2026-21241 HIGH PATCH This Week

Windows Ancillary Function Driver for WinSock in Windows 11 23h2 and Windows Server 2022 23h2 contains a use-after-free vulnerability that allows authenticated local users to achieve privilege escalation. An attacker with local access and valid credentials can trigger the memory safety flaw to gain elevated system privileges. No patch is currently available for this HIGH severity vulnerability.

Windows Use After Free Windows Server 2022 23h2 Windows 11 23h2 Windows Server 2022 +4
NVD
CVSS 3.1
7.0
EPSS
0.0%
CVE-2026-21240 HIGH PATCH This Week

Windows HTTP.sys contains a race condition between privilege checks and resource access that enables local authenticated users to escalate privileges on Windows 10 21H2, Windows 11 23H2, and Windows Server 2025. An attacker with valid credentials can exploit this timing vulnerability to gain system-level access. No patch is currently available for this vulnerability.

Windows Race Condition Windows 10 21h2 Windows 11 23h2 Windows Server 2025 +8
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-21239 HIGH PATCH This Week

Privilege escalation via heap buffer overflow in Windows Kernel (Windows 10 21H2, Windows Server 2016) allows authenticated local users to gain elevated system privileges. The vulnerability requires local access and user-level permissions, making it exploitable by authorized account holders to bypass security boundaries. No patch is currently available for this issue.

Linux Windows Buffer Overflow Heap Overflow Windows 10 21h2 +13
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-21238 HIGH PATCH This Week

Privilege escalation in the Windows Ancillary Function Driver for WinSock affects Windows 11 and Windows Server 2022/2019, allowing authenticated local users to gain elevated system privileges. The vulnerability stems from improper access control mechanisms and currently lacks a patch. An authenticated attacker with local access can exploit this to achieve full system compromise.

Windows Windows 11 23h2 Windows Server 2022 23h2 Windows 11 25h2 Windows Server 2019 +10
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-21237 HIGH PATCH This Week

Local privilege escalation in Windows Subsystem for Linux affects Windows 11 23h2 and Windows 10 22h2 through a race condition in shared resource synchronization. An authenticated local attacker can exploit this vulnerability to gain elevated privileges on the system. No patch is currently available for this vulnerability.

Linux Windows Race Condition Windows 11 23h2 Windows 10 22h2 +7
NVD
CVSS 3.1
7.0
EPSS
0.0%
CVE-2026-21236 HIGH PATCH This Week

Windows Ancillary Function Driver for WinSock contains a heap buffer overflow vulnerability that enables authenticated local users to achieve privilege escalation on affected Windows 10 and Server 2012 systems. An attacker with valid user credentials can exploit this memory corruption flaw to execute arbitrary code with elevated privileges. No patch is currently available for this vulnerability.

Windows Buffer Overflow Heap Overflow Windows 10 1607 Windows 10 21h2 +12
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-21234 HIGH PATCH This Week

Local privilege escalation in Windows Connected Devices Platform Service exploits a race condition in resource synchronization, allowing authenticated attackers to gain elevated privileges on affected Windows systems including Server 2022, Windows 11 25h2, and Windows 10 21h2. The vulnerability requires local access and user interaction is not needed, making it a practical attack vector for users with standard privileges. No patch is currently available.

Windows Race Condition Windows Server 2022 Windows 11 25h2 Windows 10 21h2 +8
NVD
CVSS 3.1
7.0
EPSS
0.0%
CVE-2026-21232 HIGH PATCH This Week

Windows HTTP.sys contains an untrusted pointer dereference vulnerability that enables authenticated local users to escalate privileges on Windows 11 and Windows Server 2022/2025 systems. An attacker with valid credentials can exploit this flaw to gain elevated access without user interaction. No patch is currently available for this HIGH severity issue affecting multiple Windows versions.

Windows Windows 11 25h2 Windows Server 2022 23h2 Windows 11 24h2 Windows Server 2025 +2
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-21231 HIGH PATCH This Week

Windows Kernel privilege escalation vulnerability in Windows 10 21H2 and Windows Server 2012 stems from improper synchronization of concurrent access to shared resources, enabling local authenticated users to gain elevated system privileges. The race condition can be triggered without user interaction and impacts confidentiality, integrity, and availability of the affected system. No patch is currently available.

Linux Windows Race Condition Windows 10 21h2 Windows Server 2012 +12
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-21222 MEDIUM PATCH This Month

Windows Kernel inadvertently logs sensitive information accessible to authenticated local users, enabling information disclosure attacks. This medium-severity vulnerability affects Windows 10 22H2, Windows 11 23H2, and 24H2, as well as Linux systems, allowing authorized attackers with local access to retrieve confidential data. No patch is currently available for this issue.

Linux Windows Windows 10 22h2 Windows 11 24h2 Windows 11 23h2 +10
NVD
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-20846 HIGH PATCH This Week

Buffer over-read in Windows GDI+ allows an unauthorized attacker to deny service over a network. [CVSS 7.5 HIGH]

Windows Buffer Overflow Windows 11 23h2 Windows 11 24h2 Windows Server 2012 +11
NVD
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-21265 MEDIUM PATCH This Month

Windows Secure Boot stores Microsoft certificates in the UEFI KEK and DB. [CVSS 6.4 MEDIUM]

Microsoft Windows Windows 10 22h2 Windows 10 1607 Windows 11 25h2 +10
NVD
CVSS 3.1
6.4
EPSS
0.3%
CVE-2026-21221 HIGH PATCH This Week

Privilege escalation in Windows 11 and Windows Server 2025 Capability Access Management Service results from a race condition in resource synchronization, enabling authenticated local users to gain elevated system privileges. The vulnerability affects multiple recent Windows versions (24h2 and 25h2) and currently lacks a patch. No public exploit code has been disclosed, though the attack requires local access and moderate complexity to execute.

Race Condition Windows 11 24h2 Windows 11 25h2 Windows Server 2025 Microsoft
NVD
CVSS 3.1
7.0
EPSS
0.0%
CVE-2026-20962 MEDIUM PATCH This Month

Uninitialized memory in the Dynamic Root of Trust for Measurement (DRTM) component of Windows 11 25h2, Windows Server 2019, Windows 10 22h2, Windows 10 1809, and Windows 11 23h2 allows a high-privileged local attacker to read sensitive information from kernel memory. The vulnerability requires administrative or equivalent privileges to exploit and carries no patch availability. This issue is tracked under CWE-908 with a CVSS score of 4.4.

Information Disclosure Windows 11 25h2 Windows Server 2019 Windows 10 22h2 Windows 10 1809 +7
NVD
CVSS 3.1
4.4
EPSS
0.2%
CVE-2026-20941 HIGH PATCH This Week

Privilege escalation in Windows Task Host Process affects Windows 11 and Server 2025 through unsafe symbolic link handling, allowing authenticated local users to gain elevated system privileges. An attacker with standard user access can exploit improper link resolution to bypass access controls and execute arbitrary actions with SYSTEM-level permissions. Currently no patch is available for this vulnerability.

Windows Windows Server 2025 Windows 11 25h2 Windows 11 24h2 Microsoft
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-20939 MEDIUM PATCH This Month

Windows File Explorer information disclosure affects Windows 10 and 11 systems, allowing local authenticated attackers to access sensitive data through improper access controls. The vulnerability requires valid user credentials and local system access, posing a risk in multi-user or shared computing environments where sensitive files may be exposed to other authorized users.

Windows Windows Server 2022 23h2 Windows 11 24h2 Windows 10 21h2 Windows 10 1607 +9
NVD
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-20937 MEDIUM PATCH This Month

Windows File Explorer improperly restricts access to sensitive information, enabling authenticated local users to read confidential data without authorization. This vulnerability affects Windows 10 across multiple versions (1607, 1809, 21H2, 22H2) and requires valid user credentials and local system access to exploit. Currently, no patch is available to remediate this information disclosure issue.

Windows Windows Server 2022 Windows 10 21h2 Windows 10 22h2 Windows 10 1607 +9
NVD
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-20936 MEDIUM PATCH This Month

Information disclosure in Windows NDIS allows a privileged local attacker with physical access to read sensitive kernel memory regions on Windows 10 and Windows 11 systems. The vulnerability requires both authentication and direct hardware interaction, limiting its practical exploitation to scenarios where an attacker has already compromised system access. No patch is currently available for affected Windows versions including 10 (21h2, 22h2) and 11 (25h2).

Windows Windows 10 22h2 Windows 10 21h2 Windows 11 25h2 Windows Server 2012 +11
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-20934 HIGH PATCH This Week

Privilege escalation in Windows SMB Server (Server 2025, Windows 11 24H2, Windows 10 22H2) stems from improper synchronization of shared resources during concurrent execution, enabling authenticated network attackers to gain elevated privileges. The vulnerability requires high complexity exploitation but carries high impact across confidentiality, integrity, and availability. No patch is currently available.

Windows Race Condition Windows Server 2025 Windows 11 24h2 Windows 10 22h2 +11
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-20932 MEDIUM PATCH This Month

Windows File Explorer information disclosure allows local authenticated users to access sensitive data without authorization. This medium-severity vulnerability affects multiple Windows versions including Windows 11 (24h2 and 25h2), Windows 10 1809, and Windows Server 2019, but no patch is currently available.

Windows Windows 11 24h2 Windows Server 2019 Windows 11 25h2 Windows 10 1809 +9
NVD
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-20927 MEDIUM PATCH This Month

Windows SMB Server denial of service via race condition affects Windows 10 21h2, Windows 11 24h2, and Windows Server 2022, allowing authenticated attackers to disrupt service availability through improper synchronization of shared resources. The vulnerability requires network access and specific conditions to trigger but carries no patch availability at this time. Impact is limited to availability with no confidentiality or integrity compromise.

Windows Race Condition Windows Server 2022 Windows 11 24h2 Windows 10 21h2 +12
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-20926 HIGH PATCH This Week

Privilege escalation in Windows SMB Server (versions 10 22h2, 11 23h2, and 11 25h2) stems from improper synchronization of shared resources, allowing authenticated network attackers to elevate privileges. The race condition vulnerability requires specific timing conditions but carries high impact across confidentiality, integrity, and availability. No patch is currently available for this vulnerability.

Windows Race Condition Windows 11 23h2 Windows 11 25h2 Windows 10 22h2 +11
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-20925 MEDIUM PATCH This Month

Windows NTLM authentication across multiple Windows versions (10, Server 2008/2019) allows remote attackers to manipulate file name or path parameters without authentication, enabling network-based identity spoofing attacks. The vulnerability requires user interaction and has no available patch, affecting systems still running older Windows Server editions alongside current Windows 10 releases. An attacker could impersonate legitimate services or users to compromise trust in networked communications.

Windows Windows 10 22h2 Windows Server 2008 Windows 10 1607 Windows Server 2019 +11
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2026-20924 HIGH PATCH This Week

Privilege escalation in Windows Management Services via use-after-free memory corruption affects Windows 10, Windows 11, and Windows Server 2019, enabling authenticated local attackers to gain elevated system privileges. An authorized user can exploit this vulnerability through a race condition to execute arbitrary code with higher privileges. No patch is currently available for this vulnerability.

Windows Use After Free Windows 11 25h2 Windows Server 2019 Windows 10 22h2 +8
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-20923 HIGH PATCH This Week

Privilege escalation in Windows Management Services affects Windows Server 2019, 2022 23h2, and 2025 through a use-after-free vulnerability that allows authenticated local attackers to gain elevated system privileges. The flaw requires low privileges and manual user interaction to trigger, potentially giving attackers complete system control. No patch is currently available for this vulnerability.

Windows Use After Free Windows Server 2022 23h2 Windows Server 2025 Windows Server 2019 +8
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-20922 HIGH PATCH This Week

Heap-based buffer overflow in Windows NTFS allows an authorized attacker to execute code locally. [CVSS 7.8 HIGH]

Windows Buffer Overflow Heap Overflow Windows 10 1607 Windows 11 25h2 +13
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-20919 HIGH PATCH This Week

Windows SMB Server contains a race condition in concurrent resource handling that enables authenticated network attackers to escalate privileges on affected systems including Windows 10 22H2, Windows 10 1607, and Windows Server 2025. The vulnerability requires low attack complexity and network access from an authenticated user, but carries high impact across confidentiality, integrity, and availability. No patch is currently available for this HIGH severity issue (CVSS 7.5).

Windows Race Condition Windows 10 22h2 Windows Server 2025 Windows 10 1607 +11
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-20918 HIGH PATCH This Week

Windows Management Services on Windows 10 and 11 contains a race condition in shared resource synchronization that enables authenticated local users to escalate privileges to system level. The vulnerability affects multiple Windows versions including 22h2, 21h2, and 25h2 builds, with no patch currently available.

Windows Race Condition Windows 11 25h2 Windows 10 22h2 Windows 10 21h2 +8
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-20877 HIGH PATCH This Week

Privilege escalation in Windows Management Services affects Windows 10 22h2, Windows Server 2022 23h2, and Windows 11 23h2 through a use-after-free memory flaw. An authenticated local attacker can exploit this vulnerability to gain elevated system privileges. Currently, no patch is available.

Windows Use After Free Windows 10 22h2 Windows Server 2022 23h2 Windows 11 23h2 +8
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-20876 MEDIUM PATCH This Month

Privilege escalation in Windows Virtualization-Based Security (VBS) Enclave affects Windows 11 and Windows Server 2022 through a heap-based buffer overflow in memory management. An authenticated local attacker with high privileges can exploit this vulnerability to gain unauthorized system-level access. No patch is currently available for this medium-severity vulnerability (CVSS 6.7).

Windows Buffer Overflow Heap Overflow Windows Server 2022 23h2 Windows 11 25h2 +4
NVD
CVSS 3.1
6.7
EPSS
0.0%
CVE-2026-20875 HIGH PATCH This Week

Remote denial of service in Windows LSASS affects Windows 10 and 11 through a null pointer dereference that an unauthenticated attacker can trigger over the network. The vulnerability causes service unavailability but does not enable code execution or data theft. No patch is currently available, leaving affected systems vulnerable until Microsoft releases a fix.

Windows Null Pointer Dereference Windows 11 24h2 Windows 10 21h2 Windows 10 1809 +12
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-20874 HIGH PATCH This Week

Privilege escalation in Windows Management Services on Windows 10 and 11 stems from improper synchronization of shared resources, enabling local authenticated attackers to gain elevated privileges. The race condition can be exploited without user interaction and impacts confidentiality, integrity, and availability across system boundaries. No patch is currently available for this vulnerability.

Windows Race Condition Windows 11 23h2 Windows 11 24h2 Windows 10 1809 +8
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-20873 HIGH PATCH This Week

Privilege escalation in Windows Management Services (Windows 10/11) stems from improper synchronization of shared resources, allowing authenticated local users to gain elevated privileges through race condition exploitation. The vulnerability affects multiple Windows versions including 22H2 and 24H2 builds, with no patch currently available. An attacker with valid credentials can leverage this flaw to escalate from a standard user account to system-level access.

Windows Race Condition Windows 10 22h2 Windows 11 24h2 Windows 10 1809 +8
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-20871 HIGH PATCH This Week

Local privilege escalation in Windows Desktop Window Manager (DWM) through use-after-free memory corruption affects Windows 10 22H2, Windows Server 2022, and Windows Server 2025. An authenticated local attacker can exploit this vulnerability to gain system-level privileges with no user interaction required. No patch is currently available for this high-severity vulnerability.

Windows Use After Free Windows Server 2022 Windows Server 2025 Windows 10 22h2 +6
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-20870 HIGH PATCH This Week

Privilege escalation in Windows Win32K ICOMP component via use-after-free memory corruption affects Windows 11 (24h2, 25h2) and Windows Server 2025. An authenticated local attacker can exploit this vulnerability to gain SYSTEM-level privileges with no user interaction required. Currently no patch is available and exploitation requires local access with user-level permissions.

Windows Use After Free Windows 11 25h2 Windows 11 24h2 Windows Server 2025 +1
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-20869 HIGH PATCH This Week

Local privilege escalation in Windows Local Session Manager (LSM) across Windows 11 23h2, Windows Server 2012, and 2019 stems from improper synchronization in shared resource handling, enabling authenticated attackers to elevate privileges on affected systems. The vulnerability requires local access and specific timing conditions to exploit, with no patch currently available. This affects systems running the impacted Windows and Server editions where authenticated users may achieve system-level privileges.

Windows Race Condition Windows 11 23h2 Windows Server 2012 Windows Server 2019 +12
NVD
CVSS 3.1
7.0
EPSS
0.0%
CVE-2026-20868 HIGH PATCH This Week

Remote code execution in Windows RRAS affects Windows 10 21h2 and Windows Server 2022 variants through a heap-based buffer overflow triggered over the network without authentication. An attacker can exploit this vulnerability to execute arbitrary code with high privileges, though a user interaction is required to trigger the flaw. No patch is currently available, making this a critical risk for exposed systems.

Windows Buffer Overflow Heap Overflow Windows Server 2022 Windows Server 2022 23h2 +13
NVD
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-20867 HIGH PATCH This Week

Local privilege escalation in Windows Management Services affects Windows Server 2019, Windows 11 24h2, and Windows Server 2025 through improper synchronization of shared resources, enabling authenticated users to gain elevated system privileges. The vulnerability exploits a race condition that an attacker can trigger without user interaction, though no patch is currently available.

Windows Race Condition Windows Server 2019 Windows 11 24h2 Windows Server 2025 +8
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-20866 HIGH PATCH This Week

Windows Management Services on Windows 10 and Windows Server 2019 contains a race condition in shared resource synchronization that enables local privilege escalation for authenticated users. An attacker with local access can exploit improper locking mechanisms to gain elevated system privileges. No patch is currently available for this vulnerability.

Windows Race Condition Windows Server 2019 Windows 10 22h2 Windows 10 1809 +8
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-20865 HIGH PATCH This Week

Privilege escalation in Windows Management Services affects Windows 11 24H2, Windows Server 2022, and 2025 through a use-after-free memory vulnerability that allows authenticated local attackers to gain elevated system privileges. The vulnerability requires local access and manual user interaction is not required, making it exploitable by any authorized account on the system. Currently no patch is available to remediate this issue.

Windows Use After Free Windows 11 24h2 Windows Server 2025 Windows Server 2022 +8
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-20863 HIGH PATCH This Week

Double free in Windows Win32K - ICOMP allows an authorized attacker to elevate privileges locally. [CVSS 7.0 HIGH]

Windows Windows 11 24h2 Windows Server 2022 Windows 11 25h2 Windows Server 2022 23h2 +3
NVD
CVSS 3.1
7.0
EPSS
0.0%
CVE-2026-20862 MEDIUM PATCH This Month

Windows Management Services on Windows 10, 11, and Server 2022 expose sensitive information through an information disclosure vulnerability that allows authenticated local users to read confidential data. An attacker with valid credentials can exploit this to access information they should not be authorized to view, though no remote exploitation or system modification is possible. No patch is currently available for affected systems.

Windows Windows 11 23h2 Windows 10 22h2 Windows Server 2022 23h2 Windows 11 25h2 +7
NVD
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-20861 HIGH PATCH This Week

Windows Management Services on Windows 10 and Windows Server 2022 contain a race condition in shared resource handling that permits authenticated local attackers to escalate privileges to system level. The vulnerability stems from improper synchronization during concurrent operations and affects multiple Windows versions including Windows 10 22H2 and 1809. No patch is currently available for this high-severity issue (CVSS 7.8).

Windows Race Condition Windows Server 2022 Windows 10 22h2 Windows 10 1809 +8
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-20860 HIGH PATCH This Week

Windows 10 1607 is affected by access of resource using incompatible type (type confusion) (CVSS 7.8).

Windows Windows 10 21h2 Windows 11 25h2 Windows Server 2019 Windows Server 2022 23h2 +11
NVD
CVSS 3.1
7.8
EPSS
0.1%
CVE-2026-20859 HIGH PATCH This Week

Kernel-mode driver use-after-free vulnerabilities in Windows 11 24H2 and Windows Server 2025 enable authenticated local attackers to achieve privilege escalation. An attacker with standard user privileges can exploit memory corruption in kernel drivers to gain SYSTEM-level access without user interaction. No patch is currently available.

Linux Windows Use After Free Windows 11 24h2 Windows Server 2025 +2
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-20858 HIGH PATCH This Week

Privilege escalation in Windows Management Services affects Windows 10, Windows 11, and Windows Server 2022 through a use-after-free memory vulnerability. An authenticated local attacker can exploit this flaw to gain elevated system privileges. Currently no patch is available and exploitation requires specific conditions to trigger.

Windows Use After Free Windows Server 2022 23h2 Windows 11 23h2 Windows 10 22h2 +8
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-20857 HIGH PATCH This Week

Windows Cloud Files Mini Filter Driver contains an unsafe pointer dereference vulnerability that enables authenticated local users to achieve privilege escalation on affected Windows versions including Windows 10 1809, Windows 11, and Windows Server 2022. An attacker with valid credentials can exploit this flaw to gain elevated system privileges without user interaction. No patch is currently available for this high-severity vulnerability.

Windows Windows 10 1809 Windows Server 2022 Windows 11 23h2 Windows 11 24h2 +7
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-20856 HIGH PATCH This Week

Remote code execution in Windows Server Update Service affects Windows 11 25h2, Windows Server 2025, 2022, and 2016 due to inadequate input validation, enabling unauthenticated network-based attackers to execute arbitrary code with high impact. The vulnerability requires specific conditions to exploit (high complexity) but carries significant risk across widely-deployed server infrastructure with no patch currently available.

Windows Windows Server 2025 Windows Server 2022 Windows Server 2016 Windows 11 25h2 +10
NVD
CVSS 3.1
8.1
EPSS
0.1%
CVE-2026-20854 HIGH PATCH This Week

Remote code execution in Windows LSASS (Local Security Authority Subsystem Service) on Windows 11 and Windows Server 2025 stems from a use-after-free memory vulnerability exploitable by authenticated attackers over the network. An attacker with valid credentials can trigger the flaw to execute arbitrary code with SYSTEM privileges, achieving complete system compromise. No patch is currently available, leaving affected systems vulnerable until Microsoft releases a security update.

Windows Use After Free Windows Server 2025 Windows 11 25h2 Windows 11 24h2 +1
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-20852 HIGH PATCH This Week

Windows Hello privilege escalation on Windows 10, 11, and Server 2019 allows local attackers without credentials to tamper with system integrity through incorrect privilege assignment. The vulnerability requires local access but no user interaction, enabling unauthorized modifications to protected resources. No patch is currently available for this HIGH severity issue affecting multiple Windows versions.

Windows Windows 11 24h2 Windows 11 25h2 Windows Server 2019 Windows 10 21h2 +9
NVD
CVSS 3.1
7.7
EPSS
0.0%
CVE-2026-20851 MEDIUM PATCH This Month

Information disclosure in Windows Capability Access Management Service (camsvc) enables local attackers to read sensitive data from memory without authentication on Windows 11 24h2, Windows 11 25h2, and Windows Server 2025. The out-of-bounds read vulnerability requires local access but no special privileges or user interaction to trigger. No patch is currently available for this issue.

Buffer Overflow Information Disclosure Windows 11 24h2 Windows Server 2025 Windows 11 25h2 +1
NVD
CVSS 3.1
6.2
EPSS
0.0%
CVE-2026-20849 HIGH PATCH This Week

Windows Kerberos authentication in multiple Windows versions accepts untrusted input during security decisions, enabling authenticated network attackers to escalate privileges without user interaction. The vulnerability affects Windows 10 (versions 1607 and 1809), Windows Server 2012, and Windows Server 2025, with no patch currently available. An attacker with valid credentials can exploit this to gain elevated system access across the network.

Windows Windows Server 2025 Windows 10 1607 Windows Server 2012 Windows 10 1809 +11
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-20848 HIGH PATCH This Week

Privilege escalation via race condition in Windows SMB Server affects Windows 10 21h2, Windows 11 25h2, and Windows Server 2022 23h2, allowing authenticated attackers to gain elevated privileges over the network. The vulnerability stems from improper synchronization when handling concurrent access to shared resources, and no patch is currently available. With a CVSS score of 7.5, this poses a significant risk to organizations using affected Windows versions.

Windows Race Condition Windows 10 21h2 Windows 11 25h2 Windows Server 2022 23h2 +11
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-20847 MEDIUM PATCH This Month

Windows Shell information disclosure in Windows 10, 11, and Server 2019/2022 permits authenticated network attackers to conduct spoofing attacks by accessing sensitive data. The vulnerability requires valid credentials and network access, with no active exploits currently documented. No patch is available at this time.

Windows Windows 10 1607 Windows 11 23h2 Windows Server 2019 Windows Server 2022 +11
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2026-20844 HIGH PATCH This Week

Windows Clipboard Server contains a use-after-free vulnerability affecting Windows 10 (versions 21H2 and 1809) and Windows Server 2022 (23H2) that enables local privilege escalation without requiring user interaction. An attacker with local access can exploit this memory safety flaw to gain elevated system privileges. No patch is currently available for this vulnerability.

Windows Use After Free Windows 10 21h2 Windows 10 1809 Windows Server 2022 23h2 +10
NVD
CVSS 3.1
7.4
EPSS
0.0%
CVE-2026-20843 HIGH PATCH This Week

Local privilege escalation in Windows RRAS affects Windows 10, Windows 11, and Windows Server 2022, allowing authenticated users to gain system-level access through improper access control mechanisms. An attacker with local user credentials can exploit this vulnerability to obtain elevated privileges on the affected system. No patch is currently available, leaving vulnerable systems at risk until Microsoft releases a security update.

Windows Windows 11 24h2 Windows 11 25h2 Windows Server 2022 23h2 Windows 10 21h2 +11
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-20842 HIGH PATCH This Week

Use after free in Windows DWM allows an authorized attacker to elevate privileges locally. [CVSS 7.0 HIGH]

Windows Use After Free Windows Server 2022 23h2 Windows 11 25h2 Windows Server 2025 +6
NVD
CVSS 3.1
7.0
EPSS
0.0%
CVE-2026-20840 HIGH PATCH This Week

Heap-based buffer overflow in Windows NTFS allows an authorized attacker to execute code locally. [CVSS 7.8 HIGH]

Windows Buffer Overflow Heap Overflow Windows 10 21h2 Windows Server 2019 +13
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-20839 MEDIUM PATCH This Month

Information disclosure in Windows Client-Side Caching Service allows authenticated local users to read sensitive data on affected systems including Windows 10, Windows 11, and Windows Server editions. An attacker with valid credentials can exploit improper access controls to access cached information without additional user interaction. No patch is currently available for this vulnerability.

Windows Windows 10 21h2 Windows 11 25h2 Windows Server 2008 Windows Server 2025 +11
NVD
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-20838 MEDIUM PATCH This Month

Sensitive information disclosure in the Windows Kernel error message handling allows local authenticated users to read confidential data they shouldn't have access to. The vulnerability affects Windows and Windows Server 2022/2025 platforms and requires valid credentials to exploit, limiting its attack surface. No patch is currently available for this medium-severity issue.

Linux Windows Windows Server 2022 Windows Server 2025 Windows Server 2022 23h2 +4
NVD
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-20837 HIGH PATCH This Week

Local code execution in Windows Media affects Windows 11 25h2, Windows Server 2019, and Windows Server 2025 through a heap buffer overflow that requires user interaction to trigger. An attacker with local access can exploit this vulnerability to achieve arbitrary code execution with full system privileges. No patch is currently available for this vulnerability.

Windows Buffer Overflow Heap Overflow Windows Server 2025 Windows Server 2019 +9
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-20836 HIGH PATCH This Week

Privilege escalation in the Graphics Kernel on Windows 11 and Linux systems results from improper synchronization of concurrent access to shared resources, allowing authenticated local attackers to gain elevated privileges. The vulnerability requires specific timing conditions to exploit but impacts multiple Windows versions and Linux distributions. No patch is currently available for this race condition vulnerability.

Linux Industrial Race Condition Windows 11 23h2 Windows 11 24h2 +11
NVD
CVSS 3.1
7.0
EPSS
0.0%
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Privilege escalation in Windows Performance Counters via null pointer dereference affects Windows Server 2019 and Windows 11 systems, enabling authenticated local attackers to gain elevated privileges. The vulnerability impacts systems where users have standard account access, allowing them to escalate to higher privilege levels on affected machines. No patch is currently available.

Null Pointer Dereference Microsoft Denial Of Service +15
NVD VulDB
EPSS 0% CVSS 7.0
HIGH PATCH This Week

Privilege escalation in Windows Device Association Service (Windows 10 versions 1607, 1809, and 21H2) stems from improper synchronization of shared resources, enabling local authenticated users to gain elevated system privileges. The vulnerability requires high attack complexity and no user interaction, making it exploitable by insiders or compromised local accounts. No patch is currently available.

Race Condition Microsoft Information Disclosure +15
NVD VulDB
EPSS 0% CVSS 7.0
HIGH PATCH This Week

Privilege escalation in Windows Device Association Service across Windows 10, 11, and Server 2022 stems from improper synchronization of shared resources, enabling local authenticated users to gain elevated system privileges. The vulnerability requires local access and specific timing conditions but poses high risk due to its impact on confidentiality, integrity, and availability. No patch is currently available.

Race Condition Microsoft Information Disclosure +14
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Windows SMB Server authentication bypass across multiple versions (Windows 10 1607, Windows 11 23h2, Windows Server 2012/2025) permits authenticated local users to escalate privileges with high impact to confidentiality, integrity, and availability. The vulnerability stems from improper authentication validation in the SMB service, allowing a local attacker to gain system-level access without user interaction. No patch is currently available, leaving affected systems vulnerable to privilege escalation attacks from any authenticated user.

Microsoft Authentication Bypass Windows 10 1607 +13
NVD VulDB GitHub
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Privilege escalation in Windows Ancillary Function Driver for WinSock affects Windows 11 24H2, Windows Server 2022, and Windows Server 2025, allowing authenticated local attackers to gain system-level access through null pointer dereference. The vulnerability requires valid user credentials and local access but no user interaction to exploit. No patch is currently available.

Null Pointer Dereference Microsoft Denial Of Service +9
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Privilege escalation in Windows Connected Devices Platform Service (Cdpsvc) exploits a use-after-free memory vulnerability, affecting Windows 10 22h2 and Windows 11 (25h2, 26h1). An authenticated local attacker can leverage this flaw to gain system-level privileges on vulnerable systems. No patch is currently available for this high-severity vulnerability.

Use After Free Denial Of Service Memory Corruption +12
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Privilege escalation in Windows Accessibility Infrastructure (ATBroker.exe) across Windows 10, Windows 11, and Windows Server 2022 stems from improper permission assignments on a critical resource. A local authenticated attacker can exploit this misconfiguration to gain elevated privileges without user interaction. No patch is currently available for this vulnerability.

Information Disclosure Microsoft Windows Server 2022 +14
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Windows Projected File System in Windows 11 and Server 2022 contains improper access control that enables authenticated local users to escalate privileges to system level. An attacker with valid credentials can exploit this vulnerability to gain elevated permissions without user interaction. Currently, no patch is available to address this issue.

Microsoft Authentication Bypass Windows 11 24h2 +11
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Use after free in Windows Kernel allows an authorized attacker to elevate privileges locally. [CVSS 7.8 HIGH]

Use After Free Microsoft Denial Of Service +15
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Windows Kernel path traversal vulnerability in Server 2025, Server 2022, Windows 11 24h2, and Windows 10 22h2 enables authenticated local attackers to achieve full system compromise through privilege escalation. The flaw allows an authorized user to manipulate file name or path parameters, bypassing access controls and gaining kernel-level privileges. No patch is currently available.

Information Disclosure Microsoft Windows Server 2025 +11
NVD VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Privilege escalation in Windows 11 (24h2, 26h1) and Windows Server 2022 (23h2) via heap overflow allows authenticated local users to gain system-level access. The vulnerability requires valid credentials but no user interaction, making it a direct path to complete system compromise. No patch is currently available.

Buffer Overflow Heap Overflow Microsoft +6
NVD VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Windows MapUrlToZone security bypass in Windows 11 24H2, Windows 10 21H2, and Windows Server 2016/2025 allows unauthenticated remote attackers to circumvent zone-based security restrictions through improper path equivalence resolution. An attacker can exploit this network-accessible vulnerability without user interaction to bypass intended access controls. No patch is currently available for this high-severity vulnerability.

Microsoft Authentication Bypass Windows 11 24h2 +14
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Windows ReFS contains an out-of-bounds read vulnerability affecting Server 2019, 2022, 2025, and Windows 11 26h1 that enables authenticated local users to escalate privileges with high impact to confidentiality, integrity, and availability. The vulnerability requires low attack complexity and no user interaction, making it exploitable by any authenticated user on the system. No patch is currently available for this HIGH severity issue.

Information Disclosure Microsoft Buffer Overflow +15
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Windows Universal Disk Format File System Driver (UDFS) Elevation of Privilege Vulnerability [CVSS 7.8 HIGH]

Information Disclosure Buffer Overflow Microsoft +15
NVD VulDB
EPSS 0% CVSS 7.0
HIGH PATCH This Week

Privilege escalation in the Windows Bluetooth RFCOM Protocol Driver across Windows 11 26h1, Windows Server 2025, and Windows 10 1809 stems from improper synchronization of concurrent access to shared resources. An authenticated local attacker can exploit this race condition to gain elevated privileges on affected systems. No patch is currently available for this vulnerability.

Race Condition Information Disclosure Microsoft +14
NVD VulDB
EPSS 3% CVSS 7.8
HIGH KEV PATCH THREAT Act Now

Desktop Window Manager (DWM) in Windows contains a type confusion vulnerability (CVE-2026-21519, CVSS 7.8) that enables authorized local attackers to escalate privileges. KEV-listed, this kernel-level vulnerability in the Windows compositor allows any authenticated user to achieve SYSTEM-level access through exploitation of an incompatible type access in DWM's resource handling.

Buffer Overflow Windows 11 24h2 Windows 11 23h2 +11
NVD VulDB
EPSS 4% CVSS 8.8
HIGH POC KEV PATCH THREAT Act Now

Windows Shell contains a protection mechanism failure (CVE-2026-21510, CVSS 8.8) that allows unauthenticated remote attackers to bypass security features over a network. KEV-listed, this vulnerability in the core Windows Shell component enables remote code execution by circumventing security boundaries designed to prevent execution of untrusted content received from the network.

Windows Windows 11 23h2 Windows Server 2016 +12
NVD VulDB GitHub
EPSS 0% CVSS 7.0
HIGH PATCH This Week

Windows Storage component contains an authentication bypass that enables authenticated local users to escalate privileges on Windows 10, Windows 11, and Windows Server 2016/2019 systems. An attacker with valid local credentials can exploit this vulnerability to gain elevated system access without user interaction. No patch is currently available for this HIGH severity issue affecting multiple Windows versions.

Windows Windows 10 1809 Windows Server 2016 +12
NVD
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Windows Hyper-V fails to properly enforce access controls, enabling local authenticated users to circumvent security features and gain unauthorized system access. This high-severity flaw affects Windows 10, Windows 11, Windows Server 2022, and Hyper-V implementations, allowing privileged attackers to escalate privileges across system boundaries. No patch is currently available for this vulnerability.

Windows Hyper-V Windows 10 1607 +12
NVD
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Privilege escalation in Windows Cluster Client Failover exploits a use-after-free memory vulnerability, enabling authenticated local users to gain elevated system privileges. The flaw affects Windows Server 2016, 2019, and 2025 installations where an attacker with existing local access can trigger the vulnerability through the failover clustering component. No patch is currently available for this high-severity vulnerability.

Windows Use After Free Windows Server 2019 +5
NVD
EPSS 0% CVSS 7.8
HIGH POC PATCH This Week

Windows HTTP.sys contains an unsafe pointer dereference vulnerability that enables authenticated local attackers to escalate privileges on affected systems including Windows 11, Windows Server 2025, and related versions. An attacker with local user access can exploit this flaw to gain system-level privileges with high confidence in successful exploitation. No patch is currently available for this vulnerability.

Windows Windows Server 2025 Windows 11 24h2 +3
NVD Exploit-DB VulDB
EPSS 0% CVSS 7.3
HIGH POC PATCH This Week

Heap overflow in Windows Hyper-V enables authenticated local users to achieve arbitrary code execution with high privileges on affected Windows and Windows Server systems. An attacker with local access and user-level permissions can trigger memory corruption through user interaction to compromise system integrity and confidentiality. This vulnerability affects Windows 10 1809, Windows Server 2025, and related Hyper-V implementations with no patch currently available.

Windows Hyper-V Buffer Overflow +14
NVD Exploit-DB VulDB
EPSS 0% CVSS 7.3
HIGH PATCH This Week

Improper input validation in Windows Hyper-V allows an authorized attacker to execute code locally. [CVSS 7.3 HIGH]

Windows Hyper-V Windows 11 24h2 +12
NVD
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Privilege escalation in Microsoft Graphics Component on Windows 11 24H2 and Windows 10 21H2 exploits a heap buffer overflow to allow authenticated local attackers to gain system-level access. The vulnerability requires local access and user interaction is not required, presenting a significant risk in multi-user environments. No patch is currently available.

Microsoft Industrial Buffer Overflow +14
NVD
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Windows Kernel heap overflow in Windows 11 25h2 and Windows Server 2025 enables authenticated local attackers to achieve privilege escalation with high impact on confidentiality, integrity, and availability. The vulnerability requires local access and user privileges but no user interaction, making it a practical attack vector for lateral movement within systems. No patch is currently available, leaving affected systems exposed until remediation is released.

Linux Windows Buffer Overflow +5
NVD
EPSS 0% CVSS 7.3
HIGH POC PATCH This Week

Heap overflow in Windows Hyper-V enables authenticated local users to achieve arbitrary code execution with high privileges (CVSS 7.3). Exploitation requires user interaction and local system access, affecting Windows 10 1809 and Windows Server 2025. No patch is currently available.

Windows Hyper-V Buffer Overflow +14
NVD Exploit-DB VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Windows LDAP service in Server 2022 and 2022 23H2 is vulnerable to denial of service through a null pointer dereference that can be triggered remotely without authentication. An attacker can exploit this flaw over the network to crash the LDAP service and disrupt directory access functionality. No patch is currently available for this vulnerability.

Windows LDAP Null Pointer Dereference +5
NVD
EPSS 0% CVSS 7.0
HIGH PATCH This Week

Windows Subsystem for Linux contains a use-after-free vulnerability that enables local privilege escalation for authenticated users. An attacker with valid local access could exploit this memory safety flaw to gain elevated system privileges on affected Windows Server 2022 systems.

Linux Windows Use After Free +9
NVD
EPSS 0% CVSS 7.0
HIGH PATCH This Week

Windows Ancillary Function Driver for WinSock in Windows 11 23h2 and Windows Server 2022 23h2 contains a use-after-free vulnerability that allows authenticated local users to achieve privilege escalation. An attacker with local access and valid credentials can trigger the memory safety flaw to gain elevated system privileges. No patch is currently available for this HIGH severity vulnerability.

Windows Use After Free Windows Server 2022 23h2 +6
NVD
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Windows HTTP.sys contains a race condition between privilege checks and resource access that enables local authenticated users to escalate privileges on Windows 10 21H2, Windows 11 23H2, and Windows Server 2025. An attacker with valid credentials can exploit this timing vulnerability to gain system-level access. No patch is currently available for this vulnerability.

Windows Race Condition Windows 10 21h2 +10
NVD
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Privilege escalation via heap buffer overflow in Windows Kernel (Windows 10 21H2, Windows Server 2016) allows authenticated local users to gain elevated system privileges. The vulnerability requires local access and user-level permissions, making it exploitable by authorized account holders to bypass security boundaries. No patch is currently available for this issue.

Linux Windows Buffer Overflow +15
NVD
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Privilege escalation in the Windows Ancillary Function Driver for WinSock affects Windows 11 and Windows Server 2022/2019, allowing authenticated local users to gain elevated system privileges. The vulnerability stems from improper access control mechanisms and currently lacks a patch. An authenticated attacker with local access can exploit this to achieve full system compromise.

Windows Windows 11 23h2 Windows Server 2022 23h2 +12
NVD
EPSS 0% CVSS 7.0
HIGH PATCH This Week

Local privilege escalation in Windows Subsystem for Linux affects Windows 11 23h2 and Windows 10 22h2 through a race condition in shared resource synchronization. An authenticated local attacker can exploit this vulnerability to gain elevated privileges on the system. No patch is currently available for this vulnerability.

Linux Windows Race Condition +9
NVD
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Windows Ancillary Function Driver for WinSock contains a heap buffer overflow vulnerability that enables authenticated local users to achieve privilege escalation on affected Windows 10 and Server 2012 systems. An attacker with valid user credentials can exploit this memory corruption flaw to execute arbitrary code with elevated privileges. No patch is currently available for this vulnerability.

Windows Buffer Overflow Heap Overflow +14
NVD
EPSS 0% CVSS 7.0
HIGH PATCH This Week

Local privilege escalation in Windows Connected Devices Platform Service exploits a race condition in resource synchronization, allowing authenticated attackers to gain elevated privileges on affected Windows systems including Server 2022, Windows 11 25h2, and Windows 10 21h2. The vulnerability requires local access and user interaction is not needed, making it a practical attack vector for users with standard privileges. No patch is currently available.

Windows Race Condition Windows Server 2022 +10
NVD
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Windows HTTP.sys contains an untrusted pointer dereference vulnerability that enables authenticated local users to escalate privileges on Windows 11 and Windows Server 2022/2025 systems. An attacker with valid credentials can exploit this flaw to gain elevated access without user interaction. No patch is currently available for this HIGH severity issue affecting multiple Windows versions.

Windows Windows 11 25h2 Windows Server 2022 23h2 +4
NVD
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Windows Kernel privilege escalation vulnerability in Windows 10 21H2 and Windows Server 2012 stems from improper synchronization of concurrent access to shared resources, enabling local authenticated users to gain elevated system privileges. The race condition can be triggered without user interaction and impacts confidentiality, integrity, and availability of the affected system. No patch is currently available.

Linux Windows Race Condition +14
NVD
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Windows Kernel inadvertently logs sensitive information accessible to authenticated local users, enabling information disclosure attacks. This medium-severity vulnerability affects Windows 10 22H2, Windows 11 23H2, and 24H2, as well as Linux systems, allowing authorized attackers with local access to retrieve confidential data. No patch is currently available for this issue.

Linux Windows Windows 10 22h2 +12
NVD
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Buffer over-read in Windows GDI+ allows an unauthorized attacker to deny service over a network. [CVSS 7.5 HIGH]

Windows Buffer Overflow Windows 11 23h2 +13
NVD
EPSS 0% CVSS 6.4
MEDIUM PATCH This Month

Windows Secure Boot stores Microsoft certificates in the UEFI KEK and DB. [CVSS 6.4 MEDIUM]

Microsoft Windows Windows 10 22h2 +12
NVD
EPSS 0% CVSS 7.0
HIGH PATCH This Week

Privilege escalation in Windows 11 and Windows Server 2025 Capability Access Management Service results from a race condition in resource synchronization, enabling authenticated local users to gain elevated system privileges. The vulnerability affects multiple recent Windows versions (24h2 and 25h2) and currently lacks a patch. No public exploit code has been disclosed, though the attack requires local access and moderate complexity to execute.

Race Condition Windows 11 24h2 Windows 11 25h2 +2
NVD
EPSS 0% CVSS 4.4
MEDIUM PATCH This Month

Uninitialized memory in the Dynamic Root of Trust for Measurement (DRTM) component of Windows 11 25h2, Windows Server 2019, Windows 10 22h2, Windows 10 1809, and Windows 11 23h2 allows a high-privileged local attacker to read sensitive information from kernel memory. The vulnerability requires administrative or equivalent privileges to exploit and carries no patch availability. This issue is tracked under CWE-908 with a CVSS score of 4.4.

Information Disclosure Windows 11 25h2 Windows Server 2019 +9
NVD
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Privilege escalation in Windows Task Host Process affects Windows 11 and Server 2025 through unsafe symbolic link handling, allowing authenticated local users to gain elevated system privileges. An attacker with standard user access can exploit improper link resolution to bypass access controls and execute arbitrary actions with SYSTEM-level permissions. Currently no patch is available for this vulnerability.

Windows Windows Server 2025 Windows 11 25h2 +2
NVD
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Windows File Explorer information disclosure affects Windows 10 and 11 systems, allowing local authenticated attackers to access sensitive data through improper access controls. The vulnerability requires valid user credentials and local system access, posing a risk in multi-user or shared computing environments where sensitive files may be exposed to other authorized users.

Windows Windows Server 2022 23h2 Windows 11 24h2 +11
NVD
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Windows File Explorer improperly restricts access to sensitive information, enabling authenticated local users to read confidential data without authorization. This vulnerability affects Windows 10 across multiple versions (1607, 1809, 21H2, 22H2) and requires valid user credentials and local system access to exploit. Currently, no patch is available to remediate this information disclosure issue.

Windows Windows Server 2022 Windows 10 21h2 +11
NVD
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

Information disclosure in Windows NDIS allows a privileged local attacker with physical access to read sensitive kernel memory regions on Windows 10 and Windows 11 systems. The vulnerability requires both authentication and direct hardware interaction, limiting its practical exploitation to scenarios where an attacker has already compromised system access. No patch is currently available for affected Windows versions including 10 (21h2, 22h2) and 11 (25h2).

Windows Windows 10 22h2 Windows 10 21h2 +13
NVD
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Privilege escalation in Windows SMB Server (Server 2025, Windows 11 24H2, Windows 10 22H2) stems from improper synchronization of shared resources during concurrent execution, enabling authenticated network attackers to gain elevated privileges. The vulnerability requires high complexity exploitation but carries high impact across confidentiality, integrity, and availability. No patch is currently available.

Windows Race Condition Windows Server 2025 +13
NVD
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Windows File Explorer information disclosure allows local authenticated users to access sensitive data without authorization. This medium-severity vulnerability affects multiple Windows versions including Windows 11 (24h2 and 25h2), Windows 10 1809, and Windows Server 2019, but no patch is currently available.

Windows Windows 11 24h2 Windows Server 2019 +11
NVD
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Windows SMB Server denial of service via race condition affects Windows 10 21h2, Windows 11 24h2, and Windows Server 2022, allowing authenticated attackers to disrupt service availability through improper synchronization of shared resources. The vulnerability requires network access and specific conditions to trigger but carries no patch availability at this time. Impact is limited to availability with no confidentiality or integrity compromise.

Windows Race Condition Windows Server 2022 +14
NVD
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Privilege escalation in Windows SMB Server (versions 10 22h2, 11 23h2, and 11 25h2) stems from improper synchronization of shared resources, allowing authenticated network attackers to elevate privileges. The race condition vulnerability requires specific timing conditions but carries high impact across confidentiality, integrity, and availability. No patch is currently available for this vulnerability.

Windows Race Condition Windows 11 23h2 +13
NVD
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Windows NTLM authentication across multiple Windows versions (10, Server 2008/2019) allows remote attackers to manipulate file name or path parameters without authentication, enabling network-based identity spoofing attacks. The vulnerability requires user interaction and has no available patch, affecting systems still running older Windows Server editions alongside current Windows 10 releases. An attacker could impersonate legitimate services or users to compromise trust in networked communications.

Windows Windows 10 22h2 Windows Server 2008 +13
NVD
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Privilege escalation in Windows Management Services via use-after-free memory corruption affects Windows 10, Windows 11, and Windows Server 2019, enabling authenticated local attackers to gain elevated system privileges. An authorized user can exploit this vulnerability through a race condition to execute arbitrary code with higher privileges. No patch is currently available for this vulnerability.

Windows Use After Free Windows 11 25h2 +10
NVD
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Privilege escalation in Windows Management Services affects Windows Server 2019, 2022 23h2, and 2025 through a use-after-free vulnerability that allows authenticated local attackers to gain elevated system privileges. The flaw requires low privileges and manual user interaction to trigger, potentially giving attackers complete system control. No patch is currently available for this vulnerability.

Windows Use After Free Windows Server 2022 23h2 +10
NVD
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Heap-based buffer overflow in Windows NTFS allows an authorized attacker to execute code locally. [CVSS 7.8 HIGH]

Windows Buffer Overflow Heap Overflow +15
NVD
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Windows SMB Server contains a race condition in concurrent resource handling that enables authenticated network attackers to escalate privileges on affected systems including Windows 10 22H2, Windows 10 1607, and Windows Server 2025. The vulnerability requires low attack complexity and network access from an authenticated user, but carries high impact across confidentiality, integrity, and availability. No patch is currently available for this HIGH severity issue (CVSS 7.5).

Windows Race Condition Windows 10 22h2 +13
NVD
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Windows Management Services on Windows 10 and 11 contains a race condition in shared resource synchronization that enables authenticated local users to escalate privileges to system level. The vulnerability affects multiple Windows versions including 22h2, 21h2, and 25h2 builds, with no patch currently available.

Windows Race Condition Windows 11 25h2 +10
NVD
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Privilege escalation in Windows Management Services affects Windows 10 22h2, Windows Server 2022 23h2, and Windows 11 23h2 through a use-after-free memory flaw. An authenticated local attacker can exploit this vulnerability to gain elevated system privileges. Currently, no patch is available.

Windows Use After Free Windows 10 22h2 +10
NVD
EPSS 0% CVSS 6.7
MEDIUM PATCH This Month

Privilege escalation in Windows Virtualization-Based Security (VBS) Enclave affects Windows 11 and Windows Server 2022 through a heap-based buffer overflow in memory management. An authenticated local attacker with high privileges can exploit this vulnerability to gain unauthorized system-level access. No patch is currently available for this medium-severity vulnerability (CVSS 6.7).

Windows Buffer Overflow Heap Overflow +6
NVD
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Remote denial of service in Windows LSASS affects Windows 10 and 11 through a null pointer dereference that an unauthenticated attacker can trigger over the network. The vulnerability causes service unavailability but does not enable code execution or data theft. No patch is currently available, leaving affected systems vulnerable until Microsoft releases a fix.

Windows Null Pointer Dereference Windows 11 24h2 +14
NVD
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Privilege escalation in Windows Management Services on Windows 10 and 11 stems from improper synchronization of shared resources, enabling local authenticated attackers to gain elevated privileges. The race condition can be exploited without user interaction and impacts confidentiality, integrity, and availability across system boundaries. No patch is currently available for this vulnerability.

Windows Race Condition Windows 11 23h2 +10
NVD
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Privilege escalation in Windows Management Services (Windows 10/11) stems from improper synchronization of shared resources, allowing authenticated local users to gain elevated privileges through race condition exploitation. The vulnerability affects multiple Windows versions including 22H2 and 24H2 builds, with no patch currently available. An attacker with valid credentials can leverage this flaw to escalate from a standard user account to system-level access.

Windows Race Condition Windows 10 22h2 +10
NVD
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Local privilege escalation in Windows Desktop Window Manager (DWM) through use-after-free memory corruption affects Windows 10 22H2, Windows Server 2022, and Windows Server 2025. An authenticated local attacker can exploit this vulnerability to gain system-level privileges with no user interaction required. No patch is currently available for this high-severity vulnerability.

Windows Use After Free Windows Server 2022 +8
NVD
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Privilege escalation in Windows Win32K ICOMP component via use-after-free memory corruption affects Windows 11 (24h2, 25h2) and Windows Server 2025. An authenticated local attacker can exploit this vulnerability to gain SYSTEM-level privileges with no user interaction required. Currently no patch is available and exploitation requires local access with user-level permissions.

Windows Use After Free Windows 11 25h2 +3
NVD
EPSS 0% CVSS 7.0
HIGH PATCH This Week

Local privilege escalation in Windows Local Session Manager (LSM) across Windows 11 23h2, Windows Server 2012, and 2019 stems from improper synchronization in shared resource handling, enabling authenticated attackers to elevate privileges on affected systems. The vulnerability requires local access and specific timing conditions to exploit, with no patch currently available. This affects systems running the impacted Windows and Server editions where authenticated users may achieve system-level privileges.

Windows Race Condition Windows 11 23h2 +14
NVD
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Remote code execution in Windows RRAS affects Windows 10 21h2 and Windows Server 2022 variants through a heap-based buffer overflow triggered over the network without authentication. An attacker can exploit this vulnerability to execute arbitrary code with high privileges, though a user interaction is required to trigger the flaw. No patch is currently available, making this a critical risk for exposed systems.

Windows Buffer Overflow Heap Overflow +15
NVD
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Local privilege escalation in Windows Management Services affects Windows Server 2019, Windows 11 24h2, and Windows Server 2025 through improper synchronization of shared resources, enabling authenticated users to gain elevated system privileges. The vulnerability exploits a race condition that an attacker can trigger without user interaction, though no patch is currently available.

Windows Race Condition Windows Server 2019 +10
NVD
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Windows Management Services on Windows 10 and Windows Server 2019 contains a race condition in shared resource synchronization that enables local privilege escalation for authenticated users. An attacker with local access can exploit improper locking mechanisms to gain elevated system privileges. No patch is currently available for this vulnerability.

Windows Race Condition Windows Server 2019 +10
NVD
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Privilege escalation in Windows Management Services affects Windows 11 24H2, Windows Server 2022, and 2025 through a use-after-free memory vulnerability that allows authenticated local attackers to gain elevated system privileges. The vulnerability requires local access and manual user interaction is not required, making it exploitable by any authorized account on the system. Currently no patch is available to remediate this issue.

Windows Use After Free Windows 11 24h2 +10
NVD
EPSS 0% CVSS 7.0
HIGH PATCH This Week

Double free in Windows Win32K - ICOMP allows an authorized attacker to elevate privileges locally. [CVSS 7.0 HIGH]

Windows Windows 11 24h2 Windows Server 2022 +5
NVD
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Windows Management Services on Windows 10, 11, and Server 2022 expose sensitive information through an information disclosure vulnerability that allows authenticated local users to read confidential data. An attacker with valid credentials can exploit this to access information they should not be authorized to view, though no remote exploitation or system modification is possible. No patch is currently available for affected systems.

Windows Windows 11 23h2 Windows 10 22h2 +9
NVD
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Windows Management Services on Windows 10 and Windows Server 2022 contain a race condition in shared resource handling that permits authenticated local attackers to escalate privileges to system level. The vulnerability stems from improper synchronization during concurrent operations and affects multiple Windows versions including Windows 10 22H2 and 1809. No patch is currently available for this high-severity issue (CVSS 7.8).

Windows Race Condition Windows Server 2022 +10
NVD
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Windows 10 1607 is affected by access of resource using incompatible type (type confusion) (CVSS 7.8).

Windows Windows 10 21h2 Windows 11 25h2 +13
NVD
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Kernel-mode driver use-after-free vulnerabilities in Windows 11 24H2 and Windows Server 2025 enable authenticated local attackers to achieve privilege escalation. An attacker with standard user privileges can exploit memory corruption in kernel drivers to gain SYSTEM-level access without user interaction. No patch is currently available.

Linux Windows Use After Free +4
NVD
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Privilege escalation in Windows Management Services affects Windows 10, Windows 11, and Windows Server 2022 through a use-after-free memory vulnerability. An authenticated local attacker can exploit this flaw to gain elevated system privileges. Currently no patch is available and exploitation requires specific conditions to trigger.

Windows Use After Free Windows Server 2022 23h2 +10
NVD
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Windows Cloud Files Mini Filter Driver contains an unsafe pointer dereference vulnerability that enables authenticated local users to achieve privilege escalation on affected Windows versions including Windows 10 1809, Windows 11, and Windows Server 2022. An attacker with valid credentials can exploit this flaw to gain elevated system privileges without user interaction. No patch is currently available for this high-severity vulnerability.

Windows Windows 10 1809 Windows Server 2022 +9
NVD
EPSS 0% CVSS 8.1
HIGH PATCH This Week

Remote code execution in Windows Server Update Service affects Windows 11 25h2, Windows Server 2025, 2022, and 2016 due to inadequate input validation, enabling unauthenticated network-based attackers to execute arbitrary code with high impact. The vulnerability requires specific conditions to exploit (high complexity) but carries significant risk across widely-deployed server infrastructure with no patch currently available.

Windows Windows Server 2025 Windows Server 2022 +12
NVD
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Remote code execution in Windows LSASS (Local Security Authority Subsystem Service) on Windows 11 and Windows Server 2025 stems from a use-after-free memory vulnerability exploitable by authenticated attackers over the network. An attacker with valid credentials can trigger the flaw to execute arbitrary code with SYSTEM privileges, achieving complete system compromise. No patch is currently available, leaving affected systems vulnerable until Microsoft releases a security update.

Windows Use After Free Windows Server 2025 +3
NVD
EPSS 0% CVSS 7.7
HIGH PATCH This Week

Windows Hello privilege escalation on Windows 10, 11, and Server 2019 allows local attackers without credentials to tamper with system integrity through incorrect privilege assignment. The vulnerability requires local access but no user interaction, enabling unauthorized modifications to protected resources. No patch is currently available for this HIGH severity issue affecting multiple Windows versions.

Windows Windows 11 24h2 Windows 11 25h2 +11
NVD
EPSS 0% CVSS 6.2
MEDIUM PATCH This Month

Information disclosure in Windows Capability Access Management Service (camsvc) enables local attackers to read sensitive data from memory without authentication on Windows 11 24h2, Windows 11 25h2, and Windows Server 2025. The out-of-bounds read vulnerability requires local access but no special privileges or user interaction to trigger. No patch is currently available for this issue.

Buffer Overflow Information Disclosure Windows 11 24h2 +3
NVD
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Windows Kerberos authentication in multiple Windows versions accepts untrusted input during security decisions, enabling authenticated network attackers to escalate privileges without user interaction. The vulnerability affects Windows 10 (versions 1607 and 1809), Windows Server 2012, and Windows Server 2025, with no patch currently available. An attacker with valid credentials can exploit this to gain elevated system access across the network.

Windows Windows Server 2025 Windows 10 1607 +13
NVD
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Privilege escalation via race condition in Windows SMB Server affects Windows 10 21h2, Windows 11 25h2, and Windows Server 2022 23h2, allowing authenticated attackers to gain elevated privileges over the network. The vulnerability stems from improper synchronization when handling concurrent access to shared resources, and no patch is currently available. With a CVSS score of 7.5, this poses a significant risk to organizations using affected Windows versions.

Windows Race Condition Windows 10 21h2 +13
NVD
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Windows Shell information disclosure in Windows 10, 11, and Server 2019/2022 permits authenticated network attackers to conduct spoofing attacks by accessing sensitive data. The vulnerability requires valid credentials and network access, with no active exploits currently documented. No patch is available at this time.

Windows Windows 10 1607 Windows 11 23h2 +13
NVD
EPSS 0% CVSS 7.4
HIGH PATCH This Week

Windows Clipboard Server contains a use-after-free vulnerability affecting Windows 10 (versions 21H2 and 1809) and Windows Server 2022 (23H2) that enables local privilege escalation without requiring user interaction. An attacker with local access can exploit this memory safety flaw to gain elevated system privileges. No patch is currently available for this vulnerability.

Windows Use After Free Windows 10 21h2 +12
NVD
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Local privilege escalation in Windows RRAS affects Windows 10, Windows 11, and Windows Server 2022, allowing authenticated users to gain system-level access through improper access control mechanisms. An attacker with local user credentials can exploit this vulnerability to obtain elevated privileges on the affected system. No patch is currently available, leaving vulnerable systems at risk until Microsoft releases a security update.

Windows Windows 11 24h2 Windows 11 25h2 +13
NVD
EPSS 0% CVSS 7.0
HIGH PATCH This Week

Use after free in Windows DWM allows an authorized attacker to elevate privileges locally. [CVSS 7.0 HIGH]

Windows Use After Free Windows Server 2022 23h2 +8
NVD
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Heap-based buffer overflow in Windows NTFS allows an authorized attacker to execute code locally. [CVSS 7.8 HIGH]

Windows Buffer Overflow Heap Overflow +15
NVD
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Information disclosure in Windows Client-Side Caching Service allows authenticated local users to read sensitive data on affected systems including Windows 10, Windows 11, and Windows Server editions. An attacker with valid credentials can exploit improper access controls to access cached information without additional user interaction. No patch is currently available for this vulnerability.

Windows Windows 10 21h2 Windows 11 25h2 +13
NVD
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Sensitive information disclosure in the Windows Kernel error message handling allows local authenticated users to read confidential data they shouldn't have access to. The vulnerability affects Windows and Windows Server 2022/2025 platforms and requires valid credentials to exploit, limiting its attack surface. No patch is currently available for this medium-severity issue.

Linux Windows Windows Server 2022 +6
NVD
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Local code execution in Windows Media affects Windows 11 25h2, Windows Server 2019, and Windows Server 2025 through a heap buffer overflow that requires user interaction to trigger. An attacker with local access can exploit this vulnerability to achieve arbitrary code execution with full system privileges. No patch is currently available for this vulnerability.

Windows Buffer Overflow Heap Overflow +11
NVD
EPSS 0% CVSS 7.0
HIGH PATCH This Week

Privilege escalation in the Graphics Kernel on Windows 11 and Linux systems results from improper synchronization of concurrent access to shared resources, allowing authenticated local attackers to gain elevated privileges. The vulnerability requires specific timing conditions to exploit but impacts multiple Windows versions and Linux distributions. No patch is currently available for this race condition vulnerability.

Linux Industrial Race Condition +13
NVD
Prev Page 6 of 14 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy