An improper access control check in the Storvsp.sys storage driver permits an authorized local user to gain elevated privileges on the host. The flaw results in an escalation of privilege attack that can compromise system integrity and confidentiality, enabling the attacker to execute arbitrary code with higher privileges. The weakness is identified as a classic control‑flow and permission violation, classified under CWE‑284.

The vulnerability affects multiple Windows operating systems, including Windows 10 releases 1809, 21H2 and 22H2, Windows 11 releases 22H3, 23H2, 24H2 and 25H2, as well as Windows Server 2019, 2022, 2025 and their Server Core installations. All 32‑ and 64‑bit variants and ARM64 builds listed in the cited CPE inventory are affected.

The CVSS score of 7.8 indicates high severity, while the EPSS score of less than 1% suggests low current exploitation probability. The vulnerability is not listed in CISA’s KEV catalog, implying no known exploits in widespread use yet. An attacker must already have legitimate access to the target machine, yet the flaw can be leveraged to elevate privileges without further network exposure. In environments where privileged accounts are tightly controlled, the risk becomes more critical; the potential for local privilege escalation can impact the entire system, undermining any compartmentalization strategies. Organizations should treat this as a high‑priority issue due to the core components affected and the easy local path to compromise.