Pending Analysis · CVE-2026-27929

CVE-2026-27929: Privilege Escalation in Windows LUAFV

Platform

windows

Component

windows-luafv-filter-driver

Fixed in

10.0.28000.1836

CVE-2026-27929 describes a time-of-check time-of-use (TOCTOU) race condition vulnerability within the Windows LUAFV Filter Driver. This flaw allows an authenticated attacker to escalate their privileges on the affected system. The vulnerability impacts Windows versions 10.0.14393.0 through 10.0.28000.1836, and a patch is available in version 10.0.28000.1836.

Impact and Attack Scenarios

The TOCTOU race condition allows an attacker who has already gained some level of access to the system to exploit a timing vulnerability. By manipulating the state of the LUAFV Filter Driver between the time a check is performed and the time the result is used, an attacker can bypass security checks and gain higher privileges. This could allow them to execute arbitrary code with system privileges, install malware, steal sensitive data, or compromise the entire system. The potential impact is significant, as successful exploitation could lead to complete system compromise.

Exploitation Context

CVE-2026-27929 was published on April 14, 2026. Its severity is rated HIGH (CVSS 7.0). Currently, there are no publicly known exploits or active campaigns targeting this vulnerability. It is not listed on KEV or EPSS, indicating a low to medium probability of exploitation in the near term. Monitor security advisories and threat intelligence feeds for any updates.

Threat Intelligence

Exploit Status

Proof of Concept: Unknown
CISA KEV: No
Internet Exposure: Low

EPSS

0.04% (12% percentile)

CVSS Vector

CVSS 3.1 vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
CVSS v3.1 Base Score: 7.0 HIGH

Attack Vector: Local (how the attacker reaches the target)
Attack Complexity: High (conditions required to exploit)
Privileges Required: Low (authentication level needed to attack)
User Interaction: None (whether a victim must take action)
Scope: Unchanged (impact beyond the vulnerable component)
Confidentiality: High (risk of sensitive data exposure)
Integrity: High (risk of unauthorized data modification)
Availability: High (risk of service disruption)

What do these metrics mean?
Attack Vector
Local — attacker needs a local shell or interactive session on the system.
Attack Complexity
High — requires a race condition, non-default configuration, or specific circumstances. Harder to exploit reliably.
Privileges Required
Low — any valid user account is sufficient. Basic authenticated access required.
User Interaction
None — attack is automatic and silent. Victim does nothing: no click, no file open.
Scope
Unchanged — impact is limited to the vulnerable component itself.
Confidentiality
High — complete confidentiality loss. Attacker can read all data: credentials, keys, personal data.
Integrity
High — attacker can write, modify, or delete any data: databases, config files, or code.
Availability
High — complete crash or resource exhaustion. Full denial of service.

Affected Software

Component: windows-luafv-filter-driver
Vendor: Microsoft
Minimum version: 10.0.14393.0
Maximum version: 10.0.28000.1836
Fixed in: 10.0.28000.1836

Weakness Classification (CWE)

Timeline

  1. Published
  2. Modified
  3. EPSS updated

Mitigation and Workarounds

The primary mitigation for CVE-2026-27929 is to upgrade to Windows version 10.0.28000.1836 or later, which includes the fix for this vulnerability. If immediate patching is not possible, consider implementing stricter access controls and monitoring for suspicious activity related to the LUAFV Filter Driver. While a direct workaround is not available, ensuring the principle of least privilege is enforced can limit the potential damage if the vulnerability is exploited. After upgrading, confirm the fix by attempting to reproduce the vulnerability scenario and verifying that the privilege escalation fails.

How to fix

Apply the security updates provided by Microsoft for Windows 10. These updates fix an elevation-of-privilege vulnerability in the LUAFV filter virtualization driver, mitigating the risk that an authorized attacker could gain elevated privileges locally.

Frequently asked questions

What is CVE-2026-27929 — Privilege Escalation in Windows LUAFV?

CVE-2026-27929 is a race condition vulnerability in the Windows LUAFV Filter Driver that allows an authenticated attacker to escalate privileges locally. It impacts Windows versions 10.0.14393.0–10.0.28000.1836 and has a CVSS score of 7.0 (HIGH).

Am I affected by CVE-2026-27929 in Windows LUAFV?

You are potentially affected if you are running Windows 10 versions 10.0.14393.0 through 10.0.28000.1836. Check your system version using the 'ver' command in the command prompt.

How do I fix CVE-2026-27929 in Windows LUAFV?

Upgrade to Windows version 10.0.28000.1836 or later to remediate the vulnerability. This update includes the necessary fix for the TOCTOU race condition.

Is CVE-2026-27929 being actively exploited?

Currently, there are no publicly known exploits or active campaigns targeting CVE-2026-27929. However, it's crucial to apply the patch promptly to prevent potential future exploitation.

Where can I find the official Microsoft advisory for CVE-2026-27929?

Refer to the official Microsoft Security Update Guide for CVE-2026-27929. The advisory will provide detailed information about the vulnerability and the available patch. (Check Microsoft's security portal for the specific advisory link when it becomes available).
