Microsoft Fixes Windows Shell, UI Core, and File Explorer Privilege Escalation Flaws
Microsoft published security updates for multiple Windows elevation-of-privilege vulnerabilities affecting Windows Shell, Windows User Interface Core, and Windows File Explorer, including CVE-2026-27918, CVE-2026-27911, CVE-2025-64661, and CVE-2025-64658. The issues could allow attackers to gain higher privileges on a vulnerable system after obtaining local access, extending a pattern of privilege-escalation risk across core Windows components.
Microsoft provided the most detail for CVE-2026-27911, which it rated Important with a CVSS 3.1 score of 7.8. The flaw stems from a race condition and use-after-free weakness in Windows User Interface Core and can be exploited by a low-privileged local attacker without user interaction. Successful exploitation could let an attacker escape a contained environment such as an AppContainer, raising privileges from Low Integrity Level to Medium Integrity Level. Microsoft said exploitation requires winning a race condition, assessed exploitation as unlikely at publication, and reported that the vulnerability had neither been publicly disclosed nor exploited before fixes were released.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
3 events from the most recent confirmed update back to the earliest known activity.
Microsoft publishes advisory for CVE-2026-27918
Microsoft published a Security Update Guide entry for CVE-2026-27918, a Windows Shell elevation of privilege vulnerability. The advisory was released as part of Microsoft's April 2026 security updates.
Microsoft discloses and fixes CVE-2026-27911
Microsoft disclosed CVE-2026-27911, an Important Windows User Interface Core elevation of privilege vulnerability caused by a race condition and use-after-free issue. The flaw could allow a low-privileged local attacker to escape a contained execution environment such as an AppContainer, and Microsoft said it was neither publicly disclosed nor exploited at publication time.
Microsoft releases fixes for Windows Shell and File Explorer EoP flaws
Microsoft published Security Update Guide entries for CVE-2025-64661, a Windows Shell elevation of privilege vulnerability, and CVE-2025-64658, a Windows File Explorer elevation of privilege vulnerability. The advisories indicate the vulnerabilities were disclosed as part of Microsoft's December 2025 security updates.
Sources
5 references tracked. Mallory keeps watching after this page renders.
CVE-2026-27918 - Security Update Guide - Microsoft - Windows Shell Elevation of Privilege Vulnerability
msrc.microsoft.com
Open sourceCVE-2026-27911 - Security Update Guide - Microsoft - Windows User Interface Core Elevation of Privilege Vulnerability
msrc.microsoft.com
Open sourceCVE-2025-64661 - Security Update Guide - Microsoft - Windows Shell Elevation of Privilege Vulnerability
msrc.microsoft.com
Open sourceCVE-2025-64658 - Security Update Guide - Microsoft - Windows File Explorer Elevation of Privilege Vulnerability
msrc.microsoft.com
Open sourceCVE-2025-64661 - Security Update Guide - Microsoft - Windows Shell Elevation of Privilege Vulnerability
msrc.microsoft.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Microsoft Patches Multiple Windows Use-After-Free Privilege Escalation Flaws
Microsoft released fixes for several **Windows elevation-of-privilege vulnerabilities** affecting **Win32k**, **Windows Telephony Service**, **Desktop Window Manager**, and the **Windows Cloud Files Mini Filter Driver**. The disclosed flaws include `CVE-2026-34347`, `CVE-2026-42825`, `CVE-2026-27923`, and `CVE-2026-35418`, and are all tied to **use-after-free** conditions, with some cases also involving race conditions such as time-of-check time-of-use behavior. Microsoft said successful exploitation could let a locally authenticated attacker with low privileges gain **SYSTEM** access without user interaction. The vulnerabilities were rated **Important** with **CVSS 3.1 scores ranging from 7.0 to 7.8**, and Microsoft assessed exploitation as **less likely or unlikely** because several attacks require winning a race condition. At the time of disclosure, Microsoft reported **no public disclosure and no evidence of active exploitation** for the documented 2026 flaws, and stated that official security updates were available. Additional Microsoft advisories also reference related Windows and Microsoft Brokering File System elevation-of-privilege issues, including `CVE-2026-24285`, `CVE-2025-32712`, `CVE-2025-21372`, `CVE-2025-21315`, and `CVE-2025-59189`, though public technical details for those entries were limited.
May 25, 2026
Microsoft Fixes Multiple Windows Elevation of Privilege Flaws
Microsoft published security updates for several Windows elevation of privilege vulnerabilities affecting core components, including **Windows Storage Spaces Controller**, **Windows SMB Client**, and **Windows Speech Runtime**. The issues were tracked as `CVE-2026-27907`, `CVE-2025-32718`, and `CVE-2025-58715`, respectively, and all could allow attackers to gain higher privileges on affected systems after initial access. Among the disclosed flaws, Microsoft provided the most detail for `CVE-2026-27907`, describing it as an **integer underflow** issue (`CWE-191`) in Windows Storage Spaces Controller that could let a locally authenticated low-privileged attacker elevate privileges to **SYSTEM** without user interaction. Microsoft rated that vulnerability **Important** with a **CVSS 3.1 score of 7.8**, said it was not publicly disclosed or exploited at publication, assessed exploitation as less likely, and released an official fix as part of its security guidance.
May 25, 2026
Microsoft discloses multiple Windows elevation-of-privilege flaws across kernel and core components
Microsoft published security advisories for a series of **Windows elevation-of-privilege** vulnerabilities affecting the **Windows Kernel**, **File Explorer**, **Windows Management Service**, **Windows UI XAML Phone DatePickerFlyout**, **Windows Graphics Component**, **Windows Storage**, and the **DirectX Graphics Kernel**. The referenced flaws include `CVE-2026-26132`, `CVE-2025-62565`, `CVE-2025-54103`, `CVE-2025-54111`, `CVE-2025-55693`, `CVE-2024-38249`, `CVE-2025-62573`, `CVE-2024-38248`, and `CVE-2025-55678`. The disclosures indicate a broad patching effort spanning core operating system subsystems and user-facing Windows components, with repeated exposure in privileged areas such as the kernel and graphics stack. For defenders, the concentration of elevation-of-privilege issues across these components raises the risk that attackers could chain local access or code execution with privilege escalation to gain **SYSTEM-level** or otherwise expanded rights on affected Windows systems, making prompt validation and deployment of Microsoft updates a priority.
May 25, 2026