Description
Time-of-check time-of-use (toctou) race condition in GitHub Copilot and Visual Studio allows an authorized attacker to execute code over a network.
Published: 2026-02-10
Score: 8.0 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Patch Immediately
AI Analysis

Impact

A Time-of-Check Time-of-Use (TOCTOU, CWE-367) race condition exists in the GitHub Copilot Chat extension for Visual Studio Code. According to the CVSS vector (AV:N/AC:L/PR:L/UI:R/S:U), an attacker holding low privileges can reach the flaw over the network, but a user action is required, and the scope is unchanged: a successful race yields code execution with the privileges of the editor process, with high confidentiality, integrity and availability impact. Microsoft's title for the issue is "GitHub Copilot and Visual Studio Code Remote Code Execution Vulnerability". The record does not describe which check-then-use sequence races, so the exact trigger is not given here.

Affected Systems

The affected products recorded for this CVE are Microsoft Visual Studio Code (cpe:2.3:a:microsoft:visual_studio_code) and the GitHub Copilot Chat extension for it (cpe:2.3:a:microsoft:visual_studio_code_copilot_chat_extension); both CPEs carry a version wildcard, so no fixed version is recorded on this page. Installations running the extension are affected until the update is applied.

Risk and Exploitability

The CVSS 3.1 base score of 8.0 (High) derives from the vector AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H: the attack vector is network, not local, and the attacker needs low privileges plus one user interaction. The temporal metrics E:U/RL:O/RC:C record no known exploit code, an official fix and a confirmed report. The EPSS score is below 1%, so widespread exploitation is not expected at present, and the CISA SSVC assessment on this record lists Exploitation: none, Automatable: no, Technical Impact: total. The CVE is not in the CISA KEV catalog, which means no confirmed in-the-wild exploitation has been recorded there, not that exploitation is impossible. Because winning the race gives code execution inside the editor process of a developer workstation, the impact remains high even though the flaw is not automatable.

Generated by OpenCVE AI on April 15, 2026 at 17:25 UTC.

Remediation

The Remediation field on this page lists no vendor fix or workaround. Note, however, that the CVSS temporal metric RL:O (official fix) recorded on 2026-02-10 indicates that Microsoft has published a fix; consult the MSRC advisory for CVE-2026-21523 for the fixed extension and editor versions.

OpenCVE Recommended Actions

  • Apply Microsoft's security update for CVE-2026-21523, which resolves the race condition in the GitHub Copilot Chat extension for Visual Studio Code; update the extension through the VS Code Extensions view or the GitHub Copilot release channel.
  • Update Visual Studio Code itself to the current stable release, since the CPE data lists the editor as affected alongside the extension.
  • If the update cannot be applied immediately, disable or uninstall the Copilot Chat extension until it can be. Exploitation requires a user action (UI:R), so limiting the untrusted content the extension processes in the meantime also reduces exposure.
  • Reduce the network reachability of developer endpoints running the extension: the vector is network-reachable (AV:N) by an authenticated attacker (PR:L), so narrowing who can reach those hosts narrows the window in which the race can be attempted.

Advisories

No advisories yet.

History

Fri, 27 Feb 2026 21:15:00 +0000

Type                 | Values Removed | Values Added
First Time appeared  | -              | Microsoft Visual Studio Code Copilot Chat Extension
CPEs                 | -              | cpe:2.3:a:microsoft:visual_studio_code_copilot_chat_extension:*:*:*:*:*:*:*:*
Vendors & Products   | -              | Microsoft Visual Studio Code Copilot Chat Extension

Thu, 26 Feb 2026 15:15:00 +0000

Type                 | Values Removed | Values Added
Metrics              | -              | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 11 Feb 2026 21:45:00 +0000

Type                 | Values Removed | Values Added
CPEs                 | -              | cpe:2.3:a:microsoft:visual_studio_code:*:*:*:*:*:-:*:*

Tue, 10 Feb 2026 18:15:00 +0000

Type                 | Values Removed | Values Added
Description          | -              | Time-of-check time-of-use (toctou) race condition in GitHub Copilot and Visual Studio allows an authorized attacker to execute code over a network.
Title                | -              | GitHub Copilot and Visual Studio Code Remote Code Execution Vulnerability
First Time appeared  | -              | Microsoft; Microsoft Visual Studio Code
Weaknesses           | -              | CWE-367
CPEs                 | -              | cpe:2.3:a:microsoft:visual_studio_code:*:*:*:*:*:*:*:*
Vendors & Products   | -              | Microsoft; Microsoft Visual Studio Code
References           | -              | (values not shown on this page)
Metrics              | -              | cvssV3_1 {'score': 8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C'}


MITRE

Status: PUBLISHED

Assigner: microsoft

Published:

Updated: 2026-04-10T13:21:12.258Z

Reserved: 2025-12-30T18:10:54.846Z

Link: CVE-2026-21523

Vulnrichment

Updated: 2026-02-25T15:43:21.756Z

NVD

Status : Analyzed

Published: 2026-02-10T18:16:34.743

Modified: 2026-02-11T21:41:36.627

Link: CVE-2026-21523

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-15T17:45:10Z

Weaknesses