Microsoft Fixes Visual Studio Code Elevation of Privilege Flaws
Microsoft disclosed and patched multiple elevation of privilege vulnerabilities affecting Visual Studio Code and its JS Debug Extension, including CVE-2025-24039, CVE-2025-24042, and CVE-2026-41613. The latest issue, CVE-2026-41613, is rated Important with a CVSS 3.1 score of 8.8 and is described as a session fixation flaw mapped to CWE-384 and CWE-78. Microsoft said the vulnerability affects Visual Studio Code itself, while the earlier 2025 advisories cover separate privilege-escalation bugs in the core product and the JS Debug Extension.
According to Microsoft, exploitation of CVE-2026-41613 requires user interaction, specifically convincing a target to open a malicious file in VS Code, and could allow an attacker to obtain the permissions of the MCP Server’s managed identity. Microsoft said the flaw was not publicly disclosed and not exploited at the time of release, assessed exploitation as less likely, and made a fix available; the issue was credited to Elad Luz of Oasis Security through coordinated disclosure.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
2 events from the most recent confirmed update back to the earliest known activity.
Microsoft discloses and fixes CVE-2026-41613 in Visual Studio Code
Microsoft disclosed CVE-2026-41613, an Important elevation of privilege vulnerability in Visual Studio Code described as a session fixation issue with a CVSS 3.1 score of 8.8. Microsoft said exploitation requires a user to open a malicious file, no public exploitation or prior public disclosure was known, and a fix was available; the flaw was credited to Elad Luz of Oasis Security.
Microsoft releases fixes for two VS Code elevation of privilege flaws
Microsoft published Security Update Guide entries for CVE-2025-24039 affecting Visual Studio Code and CVE-2025-24042 affecting the Visual Studio Code JS Debug Extension. The advisories indicate the vulnerabilities were disclosed as part of Microsoft's February 2025 security updates.
Sources
4 references tracked. Mallory keeps watching after this page renders.
CVE-2026-41613 - Security Update Guide - Microsoft - Visual Studio Code Elevation of Privilege Vulnerability
msrc.microsoft.com
Open sourceCVE-2025-24042 - Security Update Guide - Microsoft - Visual Studio Code JS Debug Extension Elevation of Privilege Vulnerability
msrc.microsoft.com
Open sourceCVE-2025-24042 - Security Update Guide - Microsoft - Visual Studio Code JS Debug Extension Elevation of Privilege Vulnerability
msrc.microsoft.com
Open sourceCVE-2025-24039 - Security Update Guide - Microsoft - Visual Studio Code Elevation of Privilege Vulnerability
msrc.microsoft.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Microsoft Fixes Visual Studio Code Path Traversal Information Disclosure
Microsoft disclosed and patched **CVE-2026-41612**, an information disclosure flaw in **Visual Studio Code** caused by relative path traversal and path traversal issues. The vulnerability is mapped to **`CWE-23`** and **`CWE-22`** and could allow an unauthorized local attacker to disclose file system information, potentially exposing sensitive data on affected systems. Microsoft assigned the bug a **CVSS 3.1 score of 5.5** and said exploitation requires **user interaction**. The company rated the issue as having **high confidentiality impact** with **no integrity or availability impact**, assessed exploitation as **less likely**, and reported that the flaw was **not publicly disclosed** and **not exploited in the wild** at the time of publication. An official security fix is available through Microsoft's update guidance.
Jun 8, 2026
Microsoft disclosed elevation-of-privilege flaws in Visual Studio and Windows SDK
Microsoft published Security Update Guide entries for multiple **elevation-of-privilege** vulnerabilities affecting developer tooling, including **Visual Studio** and the **Windows SDK**. The referenced issues include `CVE-2025-55240` and `CVE-2024-49044` in Visual Studio, as well as `CVE-2025-47962` in the Windows SDK, indicating that software used to build and maintain applications was impacted rather than a single end-user product. The disclosures appeared across both vulnerability and advisory pages in Microsoft's update portal, with `CVE-2024-49044` listed in both formats. While the entries provided no public synopsis in the referenced material, the classification of all three flaws as elevation-of-privilege bugs signals a risk that an attacker could gain higher permissions through affected development environments, making patch review and remediation in enterprise developer workstations a priority.
Jun 23, 2026
Microsoft discloses multiple elevation-of-privilege flaws across Windows and developer tools
Microsoft published security advisories for several **elevation-of-privilege** vulnerabilities affecting Windows components and related software, including **Microsoft PC Manager** (`CVE-2025-21322`), **Windows Installer** (`CVE-2025-21331`, `CVE-2025-21373`), **Visual Studio** (`CVE-2025-49739`), **.NET** (`CVE-2025-55247`), **Windows Health and Optimized Experiences** (`CVE-2025-59241`), and **Host Process for Windows Tasks** (`CVE-2025-60710`). Microsoft also lists an earlier **Windows Storage** privilege-escalation issue, `CVE-2023-36399`, in its security guidance portal. The advisories provide limited public detail beyond product names and vulnerability class, but the grouping indicates broad exposure across both endpoint and developer environments where successful exploitation could allow an attacker to gain higher privileges on a target system. Organizations using affected Microsoft software should review the corresponding Security Update Guide entries, prioritize patch validation for Windows and developer-tooling assets, and assess whether privilege-escalation paths could be chained with other flaws or post-compromise activity.
May 25, 2026