Description
Successful exploitation of the race condition vulnerability could allow
an attacker to trigger a kernel heap overflow, potentially leading to local privilege
escalation and granting system-level access to the affected software.
Published: 2026-04-27
Score: 7 High
EPSS: < 1% Very Low
KEV: No
Impact: Local Privilege Escalation
Action: Immediate Patch
AI Analysis

Impact

A race condition exists within WinFSP that, when successfully triggered, causes a kernel heap overflow. This flaw maps to CWE-362 and CWE-368 and can allow a local attacker to execute arbitrary code with elevated system-level privileges, effectively bypassing normal access controls.

Affected Systems

WinFSP (WinFSP) products are affected; the specific versions prior to the latest release are vulnerable, but the exact revision list was not provided in the description.

Risk and Exploitability

The vulnerability carries a CVSS score of 7, an EPSS score of less than 1%, and is not listed in the CISA KEV catalog. The attack vector is inferred to be local, requiring an attacker to gain a foothold on the machine to exploit the race condition and achieve privilege escalation. Despite the low EPSS, the high impact necessitates swift remediation.

Generated by OpenCVE AI on April 28, 2026 at 04:52 UTC.

Remediation

Vendor Solution

Users and administrators of affected product versions are advised to update to the latest version immediately.

OpenCVE Recommended Actions

  • Apply the latest WinFSP update (v2.2B1 or later) immediately to close the race condition flaw.
  • Restrict local user permissions and isolate critical resources until the patch is installed to reduce the chance of privilege escalation.
  • Monitor system logs for signs of kernel heap overflow attempts or unusual local activity and enforce strict access controls around the affected software until a definitive fix is in place.

Generated by OpenCVE AI on April 28, 2026 at 04:52 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 27 Apr 2026 20:45:00 +0000

Type Values Removed Values Added
First Time appeared Winfsp
Winfsp winfsp
Vendors & Products Winfsp
Winfsp winfsp

Mon, 27 Apr 2026 14:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-362
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 27 Apr 2026 12:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-368
References
Metrics threat_severity

None

 threat_severity

Important

Mon, 27 Apr 2026 03:00:00 +0000

Type Values Removed Values Added
Description Successful exploitation of the race condition vulnerability could allow an attacker to trigger a kernel heap overflow, potentially leading to local privilege escalation and granting system-level access to the affected software.
Title Race Condition Vulnerability
References
Metrics cvssV3_1

{'score': 7, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

Winfsp Winfsp
cve-icon MITRE

Status: PUBLISHED

Assigner: CSA

Published:

Updated: 2026-04-27T13:30:05.621Z

Reserved: 2026-02-23T05:15:38.972Z

Link: CVE-2026-3006

cve-icon Vulnrichment

Updated: 2026-04-27T13:19:33.209Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-04-27T03:15:59.277

Modified: 2026-04-27T18:57:20.293

Link: CVE-2026-3006

cve-icon Redhat

Severity : Important

Publid Date: 2026-04-27T02:35:17Z

Links: CVE-2026-3006 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-28T05:00:14Z

Weaknesses