securitylab_nJuly 15, 2026🇷🇺Translated from Russian

WinFsp Vulnerability CVE-2026-3006 Allows Local Attackers to Escalate Privileges to SYSTEM via Race Condition in Kernel Driver

A seemingly minor flaw in WinFsp can grant a local attacker complete control over a Windows computer by escalating privileges all the way to the SYSTEM account. The platform, widely used to mount virtual disks, network storage, and non-standard file systems, contains components that run with high privileges inside the Windows kernel. Researchers found that these components can be abused through a race condition, turning an ordinary user or compromised process into a full system owner.

Technical Details of CVE-2026-3006

The vulnerability, assigned identifier CVE-2026-3006 and rated 7.0 on the CVSS 3.1 scale, impacts WinFsp 2.1.25156 and all prior versions. It stems from a classic time-of-check-to-time-of-use race condition: when multiple operations access the same resource simultaneously, the driver may process them in an unexpected order. An attacker who times the operations correctly can trigger a memory overflow inside the kernel driver, corrupting a controllable memory region and ultimately executing arbitrary code with SYSTEM rights.

Because the flaw resides in kernel-mode code, the consequences are severe. After gaining SYSTEM privileges the attacker can alter protected system files, install new services and drivers, disable security products, read any local data, and create additional accounts with administrative rights.

Attack Requirements and Scope

The vulnerability cannot be exploited remotely. An attacker must first obtain local execution capability—by running a malicious program, using a compromised user account, or gaining an initial foothold through another vector. Once local access is achieved, the race condition can be triggered to elevate privileges.

The risk extends far beyond users who install WinFsp manually. Many third-party applications that provide file-system virtualization or cloud storage integration ship vulnerable versions of the WinFsp driver. Administrators are therefore advised to audit both standalone WinFsp installations and any bundled copies present on their systems.

Remediation and Recommendations

Developers have already addressed the issue in WinFsp 2.2B1. The Cyber Security Agency of Singapore urges organizations to deploy the updated version immediately. Additional defensive measures include limiting the number of users with local administrative rights and continuously monitoring for unexpected driver or service installations as well as suspicious processes related to WinFsp.

The flaw was discovered by security researcher Tai Kiat Lung. Organizations that rely on WinFsp or any software that depends on it should treat the update as a high priority to prevent local attackers from converting limited access into full system ownership.