CVE-2025-26649
HIGHDescription
Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Secure Channel allows an authorized attacker to elevate privileges locally.
Is your site exposed to CVE-2025-26649?
Run a free security scan — no signup, results in seconds.
CVSS v3.1 Score
Weakness Type (CWE)
Affected Products
| Vendor | Product |
|---|---|
| microsoft | windows_11_22h2 |
| microsoft | windows_11_23h2 |
| microsoft | windows_11_24h2 |
| microsoft | windows_server_2022 |
| microsoft | windows_server_2022_23h2 |
| microsoft | windows_server_2025 |
References
Advisories & Patches
Frequently Asked Questions
What is CVE-2025-26649? +
How severe is CVE-2025-26649? +
What products are affected by CVE-2025-26649? +
How do I check if I'm vulnerable to CVE-2025-26649? +
Related Vulnerabilities
OwnTone Server versions 28.4 through 29.0 contain a race condition vulnerability in the DAAP login handler that allows unauthenticated attackers …
Flameshot is powerful yet simple to use screenshot software. Prior to 14.0.0, the Open With feature wrote screenshots to a …
An authentication bypass security issue exists within FactoryTalk Historian Site Edition. By continually sending requests to the login endpoint, an …
Better Auth is an authentication and authorization library for TypeScript. From 1.6.0 until 1.6.11, the @better-auth/oauth-provider POST /oauth2/token endpoint for …
Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') vulnerability in HYPR Passwordless on Windows allows Privilege Escalation.This issue …
Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Angular uses a …