<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Race Condition — CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/race-condition/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata — refreshed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Wed, 29 Apr 2026 07:50:36 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/race-condition/feed.xml" rel="self" type="application/rss+xml"/><item><title>CVE-2025-68146 filelock TOCTOU Race Condition Enables Symlink Attacks</title><link>https://feed.craftedsignal.io/briefs/2024-05-filelock-symlink/</link><pubDate>Wed, 29 Apr 2026 07:50:36 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-05-filelock-symlink/</guid><description>CVE-2025-68146 describes a Time-of-Check Time-of-Use (TOCTOU) race condition vulnerability in the filelock library that could allow for symlink attacks during lock file creation, potentially leading to unauthorized file access or modification.</description><content:encoded><![CDATA[<p>CVE-2025-68146 is a security vulnerability residing within the filelock library, a widely used Python library for file locking. The vulnerability stems from a Time-of-Check Time-of-Use (TOCTOU) race condition that occurs during the creation of lock files. This weakness can be exploited by a local attacker to perform symlink attacks. By carefully manipulating the file system, an attacker can potentially redirect the lock creation process to a file location they control. 
The vulnerability is exploitable only locally, so an attacker first needs access to the vulnerable system, but it carries potential for privilege escalation and unauthorized access. The advisory was published on April 29, 2026.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Attacker gains initial local access to the system.</li>
<li>Attacker identifies an application utilizing the vulnerable filelock library for file locking operations.</li>
<li>Attacker creates a symbolic link (symlink) pointing the expected lock file path to a file location under their control.</li>
<li>The vulnerable application attempts to create a lock file at the expected location.</li>
<li>Due to the TOCTOU race condition, between the time the application checks for the existence of the lock file and the time it attempts to create it, the symlink is followed.</li>
<li>The lock file is created in the attacker-controlled location instead of the intended secure location.</li>
<li>The application continues execution, believing it has exclusive access, while the attacker can potentially modify or access the protected resource.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2025-68146 allows an attacker to manipulate file locking mechanisms, potentially leading to unauthorized modification or access to sensitive files. This can lead to data corruption, privilege escalation, or denial of service. The vulnerability requires local access, limiting the scope of potential attacks, but can be a critical issue in multi-user environments or systems with sensitive data.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Apply patches or updates provided by the vendor (Microsoft) to address CVE-2025-68146 when they become available.</li>
<li>Implement file integrity monitoring to detect unauthorized modifications to critical files and directories.</li>
<li>Deploy the Sigma rule provided below to detect suspicious symlink creation attempts that might indicate exploitation of this TOCTOU vulnerability.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>TOCTOU</category><category>symlink</category><category>filelock</category><category>CVE-2025-68146</category><category>race condition</category></item><item><title>Windows User Interface Core Race Condition Privilege Escalation (CVE-2026-27911)</title><link>https://feed.craftedsignal.io/briefs/2026-04-cve-2026-27911/</link><pubDate>Wed, 15 Apr 2026 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-04-cve-2026-27911/</guid><description>CVE-2026-27911 is a race condition vulnerability in the Windows User Interface Core that allows a local attacker to elevate privileges due to improper synchronization when accessing shared resources.</description><content:encoded><![CDATA[<p>CVE-2026-27911 is a vulnerability affecting the Windows User Interface Core, specifically related to a race condition. This flaw arises from improper synchronization during concurrent execution involving shared resources. A locally authenticated attacker can exploit this vulnerability to achieve privilege escalation on the targeted system. Microsoft addressed this vulnerability in their April 2026 Patch Tuesday release. Successful exploitation requires the attacker to have valid credentials on the local machine and the ability to execute code. The CVSS v3.1 score is rated as 7.8 (HIGH), indicating a significant risk. Defenders should apply the available patch as soon as possible to prevent potential exploitation.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Attacker gains initial access to the target Windows system with valid local user credentials.</li>
<li>Attacker executes a malicious program designed to exploit the race condition in the Windows User Interface Core.</li>
<li>The malicious program attempts to concurrently access a shared resource within the Windows User Interface Core.</li>
<li>Due to the race condition (CWE-362), the program manipulates the timing of the shared resource access.</li>
<li>The improper synchronization allows the malicious process to overwrite critical system data.</li>
<li>The overwritten data modifies the permissions or access controls associated with the attacker&rsquo;s process.</li>
<li>The attacker&rsquo;s process gains elevated privileges, potentially reaching SYSTEM level.</li>
<li>The attacker can now perform privileged actions, such as installing software, modifying system settings, or accessing sensitive data.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-27911 enables a local attacker to escalate their privileges on a Windows system. This can lead to complete system compromise, data theft, or the installation of malware. While the specific number of affected systems is not detailed, the vulnerability affects any unpatched Windows system utilizing the vulnerable User Interface Core component. Privilege escalation vulnerabilities are critical, as they allow attackers to bypass security controls and gain unauthorized access to sensitive resources.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Apply the security update released by Microsoft to patch CVE-2026-27911 immediately. The update is available through the Microsoft Security Response Center (MSRC) at the URL listed in the References section.</li>
<li>Monitor process creations for unexpected parent-child relationships, specifically processes spawned from the Windows User Interface Core, using the provided Sigma rule <code>Detect Suspicious Process Creation from UI Core</code>.</li>
<li>Monitor for registry modifications related to privilege escalation using the provided Sigma rule <code>Detect Registry Modifications for Potential Privilege Escalation</code>.</li>
<li>Monitor network connections originating from unusual processes for unexpected network activity, especially connections to external IPs or domains.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>privilege-escalation</category><category>race-condition</category><category>windows</category></item><item><title>Windows TCP/IP Race Condition Vulnerability (CVE-2026-33827)</title><link>https://feed.craftedsignal.io/briefs/2026-04-tcp-race-condition/</link><pubDate>Wed, 15 Apr 2026 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-04-tcp-race-condition/</guid><description>CVE-2026-33827 is a race condition vulnerability in Windows TCP/IP that allows an attacker to execute arbitrary code over the network by exploiting improper synchronization during concurrent execution using shared resources.</description><content:encoded><![CDATA[<p>CVE-2026-33827 describes a race condition vulnerability within the Windows TCP/IP stack. This flaw stems from improper synchronization during concurrent execution while accessing shared resources. An attacker could exploit this vulnerability to execute arbitrary code on a vulnerable system by sending specially crafted network packets. The vulnerability exists within the core networking components of the Windows operating system, making it a potentially widespread issue. Successful exploitation could lead to complete system compromise. Microsoft has assigned this a CVSS v3.1 score of 8.1, highlighting the significant risk it poses. Defenders should prioritize patching and consider interim mitigations.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The attacker identifies a vulnerable Windows system exposed to the network.</li>
<li>The attacker crafts malicious TCP packets designed to trigger the race condition.</li>
<li>The attacker sends a high volume of these packets to the target system.</li>
<li>The Windows TCP/IP stack attempts to process the packets concurrently.</li>
<li>Due to the race condition, the shared resource is accessed without proper synchronization.</li>
<li>This leads to a memory corruption or other exploitable condition.</li>
<li>The attacker leverages the corrupted memory to inject and execute arbitrary code.</li>
<li>The attacker gains control of the system, potentially installing malware, exfiltrating data, or causing further damage.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>A successful exploit of CVE-2026-33827 could allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable Windows system. This could lead to complete system compromise, data theft, or denial of service. Due to the widespread use of Windows, a large number of systems could be affected. The vulnerability is located in the core networking stack and requires no user interaction, making it highly dangerous.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Apply the patch released by Microsoft to address CVE-2026-33827 immediately (reference: <a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-33827">https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-33827</a>).</li>
<li>Monitor network traffic for suspicious patterns indicative of exploitation attempts, focusing on unusual TCP packet volumes and malformed headers (reference: network_connection log source).</li>
<li>Deploy the Sigma rule to detect potential exploitation attempts based on unusual process creation activity after network connections (reference: Sigma rule below).</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>cve-2026-33827</category><category>race-condition</category><category>windows</category><category>tcp/ip</category><category>code-execution</category></item><item><title>Windows Push Notifications Race Condition Privilege Escalation (CVE-2026-32160)</title><link>https://feed.craftedsignal.io/briefs/2026-04-windows-push-notification-privilege-escalation/</link><pubDate>Wed, 15 Apr 2026 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-04-windows-push-notification-privilege-escalation/</guid><description>CVE-2026-32160 describes a race condition vulnerability in Windows Push Notifications that allows a locally authorized attacker to elevate privileges.</description><content:encoded><![CDATA[<p>CVE-2026-32160 is a vulnerability affecting Windows Push Notifications. Discovered and reported by Microsoft, it stems from a race condition that occurs during concurrent execution using a shared resource without proper synchronization. This flaw enables a local attacker with authorization to elevate their privileges on the affected system. The vulnerability was published on April 14, 2026, and is documented in the NVD database. Exploitation requires local access, but successful exploitation grants significant control over the compromised system, posing a substantial risk to confidentiality, integrity, and availability. Defenders should prioritize patching systems vulnerable to CVE-2026-32160 to mitigate the risk of local privilege escalation.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Attacker gains initial local access to a Windows system with a standard user account.</li>
<li>Attacker identifies that the system is running a vulnerable version of Windows Push Notifications.</li>
<li>Attacker crafts a malicious application or script designed to exploit the race condition in the Windows Push Notifications service.</li>
<li>The malicious application attempts to access a shared resource used by the Windows Push Notifications service.</li>
<li>The application triggers concurrent execution scenarios by rapidly accessing or modifying the shared resource.</li>
<li>Due to the race condition, the attacker&rsquo;s application gains unintended write access or control over sensitive data or functions within the Windows Push Notifications service.</li>
<li>The attacker leverages the elevated privileges within the Windows Push Notifications service to execute arbitrary code with system-level permissions.</li>
<li>Attacker installs malware, modifies system configurations, or exfiltrates sensitive data, achieving complete control over the local system.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-32160 allows a local attacker to escalate their privileges to SYSTEM, granting them complete control over the compromised Windows system. This could lead to data theft, malware installation, system corruption, or use of the compromised system as a pivot point for further attacks within the network. While the specific number of potential victims is unknown, the vulnerability affects a core Windows component, making a wide range of systems potentially vulnerable.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Apply the patch provided by Microsoft for CVE-2026-32160 to remediate the race condition vulnerability in Windows Push Notifications. Reference: <a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-32160">https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-32160</a></li>
<li>Monitor process creation events for unusual processes spawned by the Windows Push Notifications service (using the rule below).</li>
<li>Implement strict access control policies to limit local user privileges and reduce the attack surface.</li>
<li>Enable and review Windows event logs for suspicious activity related to privilege escalation attempts.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>privilege-escalation</category><category>race-condition</category><category>windows</category></item><item><title>Windows Push Notifications Race Condition Privilege Escalation (CVE-2026-32158)</title><link>https://feed.craftedsignal.io/briefs/2026-04-cve-2026-32158/</link><pubDate>Wed, 15 Apr 2026 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-04-cve-2026-32158/</guid><description>CVE-2026-32158 is a race condition vulnerability in Windows Push Notifications that allows an authorized attacker to elevate privileges locally due to improper synchronization when using shared resources.</description><content:encoded><![CDATA[<p>CVE-2026-32158 describes a race condition vulnerability affecting Windows Push Notifications. This vulnerability stems from improper synchronization when multiple processes or threads concurrently access shared resources. An authorized attacker, with local access to a vulnerable system, can exploit this condition to achieve privilege escalation. The attacker leverages the timing differences in resource access to manipulate the system into granting elevated privileges. Successful exploitation allows the attacker to perform actions with higher-level permissions, potentially leading to complete system compromise. Defenders should prioritize patching and monitoring for suspicious activity related to Windows Push Notifications.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Attacker gains initial access to a Windows system with a valid user account.</li>
<li>Attacker identifies the vulnerable Windows Push Notifications service.</li>
<li>Attacker crafts a malicious application or script designed to trigger the race condition.</li>
<li>The malicious application initiates concurrent access to the shared resource used by Windows Push Notifications.</li>
<li>Due to the race condition, the application manipulates the timing of the resource access, causing a synchronization error.</li>
<li>This error allows the attacker to overwrite or modify critical data structures within the Windows Push Notifications service.</li>
<li>The modified data structures grant the attacker elevated privileges within the system.</li>
<li>The attacker leverages these elevated privileges to execute arbitrary code, install malicious software, or access sensitive data.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-32158 allows a local attacker to elevate their privileges on a Windows system. This can lead to complete system compromise, including data theft, installation of malware, or disruption of services. The vulnerability affects systems using Windows Push Notifications, impacting any organization relying on this feature for application updates or notifications. If exploited widely, this could lead to widespread system compromise across numerous organizations.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Apply the security update provided by Microsoft to patch CVE-2026-32158 as soon as possible (<a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-32158">https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-32158</a>).</li>
<li>Enable Sysmon process creation logging to detect potential malicious processes spawned by the exploited service.</li>
<li>Monitor for unusual activity related to the Windows Push Notifications service, such as unexpected file modifications or registry changes.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>privilege escalation</category><category>race condition</category><category>windows</category></item><item><title>Windows Push Notifications Race Condition Privilege Escalation (CVE-2026-26172)</title><link>https://feed.craftedsignal.io/briefs/2026-04-cve-2026-26172-win-push-privesc/</link><pubDate>Wed, 15 Apr 2026 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-04-cve-2026-26172-win-push-privesc/</guid><description>CVE-2026-26172 is a race condition vulnerability in Windows Push Notifications, allowing a locally authenticated attacker to elevate privileges.</description><content:encoded><![CDATA[<p>CVE-2026-26172 is a vulnerability affecting Windows Push Notifications. This race condition allows an authorized attacker with local access to elevate their privileges on the system. The vulnerability stems from improper synchronization when accessing shared resources, leading to unpredictable behavior and potential privilege escalation if exploited successfully. While the specific patch details and exploitation specifics are not provided in the source document, the high CVSS score indicates a significant risk if the vulnerable component is exposed or targeted. Defenders should prioritize patching this vulnerability when updates are released by Microsoft.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Attacker gains initial local access to a Windows system.</li>
<li>Attacker crafts a malicious application that interacts with the Windows Push Notification service.</li>
<li>The malicious application triggers concurrent execution using a shared resource within the Push Notification service.</li>
<li>Due to the race condition (CWE-362), the application manipulates the shared resource during a critical operation.</li>
<li>This manipulation allows the attacker to bypass authorization checks or modify system settings related to user privileges.</li>
<li>The attacker escalates privileges to SYSTEM or another high-privilege account.</li>
<li>Attacker leverages elevated privileges to install malware, access sensitive data, or perform other unauthorized actions.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-26172 enables local privilege escalation on affected Windows systems. This could allow an attacker to gain complete control of the system, potentially leading to data theft, system compromise, or further propagation of malware within the network. The impact is significant given the widespread use of Windows and the potential for automated exploitation.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Apply the patch released by Microsoft to address CVE-2026-26172 on all affected Windows systems as soon as possible (reference: <a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-26172">https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-26172</a>).</li>
<li>Monitor process creation events for suspicious processes interacting with Windows Push Notification components to detect potential exploitation attempts. Enable process creation logging so that the &ldquo;Detect Suspicious Push Notification Process&rdquo; rule has the events it needs to fire.</li>
<li>Investigate any unusual activity related to privilege escalation attempts, especially those involving Windows Push Notifications.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>cve-2026-26172</category><category>privilege-escalation</category><category>race-condition</category><category>windows</category></item><item><title>Windows Projected File System Race Condition Privilege Escalation (CVE-2026-27927)</title><link>https://feed.craftedsignal.io/briefs/2026-04-win-projected-fs-race/</link><pubDate>Wed, 15 Apr 2026 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-04-win-projected-fs-race/</guid><description>CVE-2026-27927 is a race condition vulnerability in the Windows Projected File System that allows an authorized attacker to escalate privileges locally.</description><content:encoded><![CDATA[<p>CVE-2026-27927 describes a race condition vulnerability within the Windows Projected File System (ProjFS). This vulnerability allows a locally authenticated attacker to elevate their privileges. The vulnerability exists due to improper synchronization when multiple threads or processes access shared resources within ProjFS concurrently. An attacker can exploit this by manipulating the timing of operations to gain unauthorized access or control. The vulnerability was published on April 14, 2026, and affects systems running the Windows Projected File System. Successful exploitation results in privilege escalation, granting the attacker higher-level access to the system. Defenders should prioritize patching this vulnerability.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Attacker gains local access to a Windows system with ProjFS enabled.</li>
<li>Attacker crafts a malicious application or script to interact with the Projected File System.</li>
<li>The malicious application triggers concurrent access to shared resources within ProjFS.</li>
<li>Due to the race condition (CWE-362), the attacker manipulates the timing of file system operations.</li>
<li>This timing manipulation leads to improper access control within ProjFS.</li>
<li>The attacker gains unauthorized access to sensitive resources managed by ProjFS.</li>
<li>The attacker leverages this unauthorized access to execute privileged operations.</li>
<li>The attacker successfully elevates their privileges on the system.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-27927 allows a local attacker to elevate their privileges on a vulnerable Windows system. This could allow the attacker to gain complete control over the system, including access to sensitive data, installation of malware, and modification of system settings. The impact is significant because it allows an attacker with limited initial access to compromise the entire system. The number of potential victims is large, as it affects any Windows system using the Projected File System.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Apply the security update provided by Microsoft to patch CVE-2026-27927 as referenced in the advisory URL.</li>
<li>Monitor for unusual process creations or file system interactions related to ProjFS using process_creation and file_event logs.</li>
<li>Deploy the Sigma rule to detect potential exploitation attempts of CVE-2026-27927 based on suspicious process execution.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>privilege-escalation</category><category>race-condition</category><category>windows</category></item><item><title>CVE-2026-27926 Windows Cloud Files Mini Filter Driver Privilege Escalation</title><link>https://feed.craftedsignal.io/briefs/2026-04-cve-2026-27926-privilege-escalation/</link><pubDate>Wed, 15 Apr 2026 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-04-cve-2026-27926-privilege-escalation/</guid><description>CVE-2026-27926 is a race condition vulnerability in the Windows Cloud Files Mini Filter Driver that allows a local attacker to elevate privileges.</description><content:encoded><![CDATA[<p>CVE-2026-27926 describes a vulnerability affecting the Windows Cloud Files Mini Filter Driver. This is a race condition vulnerability where concurrent execution using a shared resource without proper synchronization allows for privilege escalation. A locally authenticated attacker could exploit this vulnerability to gain elevated privileges on the system. The vulnerability resides within the core operating system component responsible for managing cloud file interactions, making it a potentially widespread issue across various Windows deployments that utilize cloud storage integration. Microsoft has assigned a CVSS v3.1 score of 7.0, indicating a high severity. This vulnerability requires local access but does not require user interaction, increasing its potential impact.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The attacker gains local access to the target Windows system.</li>
<li>The attacker crafts a malicious application designed to trigger the race condition in the Cloud Files Mini Filter Driver.</li>
<li>The malicious application initiates concurrent operations involving shared resources managed by the affected driver.</li>
<li>Due to the race condition, the driver incorrectly handles the concurrent operations, leading to an exploitable state.</li>
<li>The attacker leverages the exploitable state to overwrite critical system data or execute arbitrary code within the context of the driver.</li>
<li>The successful exploitation leads to elevated privileges, allowing the attacker to perform actions normally restricted to administrators or the system.</li>
<li>The attacker can then install programs, view, change, or delete data, or create new accounts with full user rights.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>A successful exploit of CVE-2026-27926 enables a local attacker to escalate their privileges on a Windows system. This could lead to complete system compromise, data theft, and the installation of malware. The number of potential victims is extensive, affecting any Windows system utilizing the vulnerable Cloud Files Mini Filter Driver. The primary impact is unauthorized access and control over the compromised system, potentially leading to significant data breaches or operational disruption.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Apply the security update provided by Microsoft to patch CVE-2026-27926 as soon as possible by referencing the URL in the references section.</li>
<li>Monitor for suspicious process creation events, especially those originating from unusual locations, that might be indicative of an exploit attempt; use process creation logs and the Sigma rules provided.</li>
<li>Audit and monitor the execution of programs that interact heavily with the cloud file system (e.g., cloud storage clients, backup solutions) to detect anomalous behavior.</li>
<li>Implement the provided Sigma rule to detect unexpected modifications to sensitive registry keys, which attackers might use to establish persistence after privilege escalation.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>privilege-escalation</category><category>race-condition</category><category>windows</category></item><item><title>Windows Push Notifications Race Condition Privilege Escalation (CVE-2026-32159)</title><link>https://feed.craftedsignal.io/briefs/2026-04-windows-push-notification-race-condition/</link><pubDate>Tue, 14 Apr 2026 18:17:17 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-04-windows-push-notification-race-condition/</guid><description>CVE-2026-32159 is a race condition vulnerability in Windows Push Notifications, allowing a local attacker with low privileges to elevate privileges by exploiting concurrent execution using a shared resource with improper synchronization.</description><content:encoded><![CDATA[<p>CVE-2026-32159 is a critical vulnerability affecting Windows Push Notifications, stemming from a race condition during concurrent execution involving shared resources. This flaw allows a locally authenticated attacker with low privileges to escalate their privileges to a higher level on the system. The vulnerability arises because of improper synchronization, leading to unpredictable behavior when multiple threads access the same resource simultaneously. Successful exploitation grants the attacker elevated control over the compromised system. The vulnerability was reported on April 14, 2026, and is documented by Microsoft and the National Vulnerability Database (NVD).</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Attacker gains initial access to the Windows system with low-privileged credentials.</li>
<li>Attacker crafts a malicious application designed to interact with Windows Push Notifications.</li>
<li>The malicious application initiates multiple concurrent requests to a shared resource within the Windows Push Notifications service.</li>
<li>Due to the race condition (CWE-362), the concurrent requests cause improper synchronization when accessing the shared resource.</li>
<li>The attacker manipulates the timing of the requests to exploit the race condition.</li>
<li>The successful exploitation overwrites critical data structures with attacker-controlled values.</li>
<li>The attacker escalates their privileges to gain SYSTEM-level access.</li>
<li>With elevated privileges, the attacker can perform unauthorized actions such as installing software, modifying system settings, or accessing sensitive data.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>A successful exploit of CVE-2026-32159 allows a local attacker to elevate their privileges from a low-privileged account to SYSTEM, granting them full control over the affected Windows system. This could lead to complete system compromise, data theft, or deployment of malware. While the vulnerability requires local access, it can be combined with other vulnerabilities or social engineering techniques to gain initial access. The vulnerability has a CVSS v3.1 score of 7.8, indicating a high severity.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Apply the security update provided by Microsoft to patch CVE-2026-32159 on all affected Windows systems (reference: <a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-32159">https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-32159</a>).</li>
<li>Monitor process creation events for suspicious processes interacting with Windows Push Notifications services to identify potential exploit attempts.</li>
<li>Deploy the Sigma rule <code>DetectSuspiciousPushNotificationProcesses</code> to detect potentially malicious processes interacting with the Windows Push Notification service.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>privilege-escalation</category><category>race-condition</category><category>windows</category></item><item><title>Microsoft Brokering File System Race Condition Vulnerability (CVE-2026-32091)</title><link>https://feed.craftedsignal.io/briefs/2026-04-brokering-race-condition/</link><pubDate>Tue, 14 Apr 2026 18:17:14 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-04-brokering-race-condition/</guid><description>CVE-2026-32091 is a race condition vulnerability in the Microsoft Brokering File System, allowing an unauthenticated local attacker to escalate privileges.</description><content:encoded><![CDATA[<p>CVE-2026-32091 is a critical vulnerability affecting the Microsoft Brokering File System. The vulnerability is due to a race condition that occurs during concurrent execution while accessing a shared resource without proper synchronization. A local, unauthenticated attacker can exploit this flaw to elevate their privileges on the system. This vulnerability, if successfully exploited, could allow an attacker to perform actions with elevated permissions, potentially leading to full system compromise. Defenders should prioritize patching systems affected by this vulnerability.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The attacker gains local access to a system running the vulnerable Microsoft Brokering File System.</li>
<li>The attacker crafts a malicious program designed to exploit the race condition.</li>
<li>The malicious program initiates concurrent requests to access a shared resource within the Brokering File System.</li>
<li>Due to the lack of proper synchronization, the concurrent requests create a race condition where the order of operations is unpredictable.</li>
<li>The attacker manipulates the timing of the requests to trigger the race condition, leading to an exploitable state.</li>
<li>By exploiting the race condition, the attacker gains unauthorized access to system resources.</li>
<li>The attacker leverages the unauthorized access to escalate privileges to a higher level.</li>
<li>The attacker now has elevated privileges and can perform malicious actions on the system.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-32091 allows a local attacker to escalate privileges on a vulnerable system. This can lead to unauthorized access to sensitive data, modification of system settings, or the installation of malware. Given the high CVSS score (8.4), systems are at significant risk. The impact is limited to local privilege escalation; however, if combined with other vulnerabilities it could lead to a more severe compromise.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Apply the security update provided by Microsoft to patch CVE-2026-32091 (<a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-32091">https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-32091</a>).</li>
<li>Monitor for suspicious process creation events that could indicate exploitation attempts. Deploy the Sigma rule &ldquo;Detect Suspicious Brokering File System Privilege Escalation&rdquo; to your SIEM.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>privilege-escalation</category><category>race-condition</category><category>windows</category></item><item><title>Windows Shell Race Condition Vulnerability (CVE-2026-27918)</title><link>https://feed.craftedsignal.io/briefs/2026-04-windows-shell-race-condition/</link><pubDate>Tue, 14 Apr 2026 18:17:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-04-windows-shell-race-condition/</guid><description>CVE-2026-27918 is a race condition vulnerability in Windows Shell, allowing a local attacker to elevate privileges due to improper synchronization when accessing shared resources.</description><content:encoded><![CDATA[<p>CVE-2026-27918 describes a race condition vulnerability found within the Windows Shell. This vulnerability stems from the improper synchronization of concurrent processes accessing shared resources. A successful exploit allows an attacker with local access and valid credentials to elevate their privileges on the system. The vulnerability has a CVSS v3.1 base score of 7.8, indicating a high severity. Defenders should prioritize patching affected systems and consider implementing detections to identify potential exploitation attempts. The specific components of Windows Shell affected are not detailed in the original advisory but are noted as present in the Windows Shell attack surface.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker gains local access to a Windows system.</li>
<li>The attacker identifies a vulnerable function within Windows Shell susceptible to race conditions related to shared resource access.</li>
<li>The attacker crafts a malicious application designed to trigger concurrent execution of the vulnerable code path.</li>
<li>The malicious application rapidly attempts to access and modify the shared resource.</li>
<li>Due to the lack of proper synchronization, the attacker manipulates the timing of the concurrent processes.</li>
<li>The race condition leads to an unintended state where the attacker gains elevated privileges.</li>
<li>The attacker leverages the elevated privileges to execute arbitrary code or access sensitive data.</li>
<li>The attacker persists on the system or moves laterally within the network, depending on their objectives.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-27918 leads to local privilege escalation on a Windows system. An attacker can leverage this vulnerability to gain SYSTEM-level privileges, allowing them to take complete control of the affected machine. This could lead to data theft, malware installation, or further attacks against the network. The vulnerability is rated as high severity due to its potential for significant impact and the relative ease of exploitation for an attacker with local access.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Apply the patch provided by Microsoft for CVE-2026-27918 to remediate the vulnerability, as referenced in the vulnerability details.</li>
<li>Monitor process creation events for unusual or unexpected processes spawned by Windows Shell processes to identify potential exploitation attempts.</li>
<li>Deploy the Sigma rules provided to detect potential exploitation attempts targeting this race condition.</li>
<li>Review and harden access controls on sensitive shared resources to minimize the impact of potential race condition vulnerabilities.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>race-condition</category><category>privilege-escalation</category><category>windows</category></item><item><title>Lakeside SysTrack Agent Local Privilege Escalation via Race Condition (CVE-2026-35099)</title><link>https://feed.craftedsignal.io/briefs/2026-04-lakeside-systrack-lpe/</link><pubDate>Wed, 01 Apr 2026 16:23:50 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-04-lakeside-systrack-lpe/</guid><description>Lakeside SysTrack Agent 11 before 11.2.1.28 is vulnerable to a race condition that allows for local privilege escalation to SYSTEM, as tracked by CVE-2026-35099.</description><content:encoded><![CDATA[<p>Lakeside SysTrack Agent, a system monitoring tool, contains a local privilege escalation vulnerability. Specifically, versions of Agent 11 prior to 11.2.1.28 are susceptible to a race condition (CWE-362) that can be exploited by a local attacker to gain SYSTEM privileges. This vulnerability, identified as CVE-2026-35099, allows an attacker with limited privileges to execute arbitrary code with the highest level of permissions on the system. Successful exploitation could lead to complete system compromise, data theft, and other malicious activities. Organizations using vulnerable versions of the SysTrack Agent should upgrade to the patched version (11.2.1.28) as soon as possible.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The attacker gains initial local access to the target system, possibly through phishing or social engineering.</li>
<li>The attacker identifies the presence of a vulnerable Lakeside SysTrack Agent version (prior to 11.2.1.28).</li>
<li>The attacker crafts a malicious executable or script designed to trigger the race condition within the SysTrack Agent.</li>
<li>The attacker executes the malicious code, which attempts to manipulate shared resources concurrently with the SysTrack Agent.</li>
<li>The race condition is successfully triggered, allowing the attacker to overwrite critical system files or inject malicious code into the SysTrack Agent&rsquo;s process.</li>
<li>Due to the race condition, the SysTrack Agent executes the attacker&rsquo;s injected code with SYSTEM privileges.</li>
<li>The attacker leverages SYSTEM privileges to install a backdoor, create new administrative accounts, or perform other malicious activities.</li>
<li>The attacker achieves persistent SYSTEM-level access, enabling them to control the compromised system remotely.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-35099 allows an attacker to escalate privileges from a normal user to SYSTEM on a vulnerable Windows system. This gives the attacker complete control over the system, potentially leading to data breaches, malware installation, or denial of service. Given the nature of system monitoring agents, a successful compromise can provide deep insights into the organization&rsquo;s environment.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Upgrade Lakeside SysTrack Agent to version 11.2.1.28 or later to remediate CVE-2026-35099, as mentioned in the Lakeside documentation (<a href="https://documentation.lakesidesoftware.com/en/Content/Release%20Notes/Agent/11.2.1.28%20Hotfix%20Agent%20Release%20Notes.htm?tocpath=Release%20Notes%7CAgent%7C_____8">https://documentation.lakesidesoftware.com/en/Content/Release%20Notes/Agent/11.2.1.28%20Hotfix%20Agent%20Release%20Notes.htm?tocpath=Release%20Notes%7CAgent%7C_____8</a>).</li>
<li>Implement the provided Sigma rule to detect potential exploitation attempts by monitoring for suspicious process creation events associated with SysTrack Agent.</li>
<li>Monitor for unexpected file modifications or registry changes performed by the SysTrack Agent process, which could indicate successful exploitation of the race condition.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>lakeside</category><category>systrack</category><category>privilege-escalation</category><category>race-condition</category><category>cve-2026-35099</category><category>windows</category></item><item><title>Critical Vulnerabilities in NetScaler ADC and Gateway Allow Sensitive Data Exposure and Session Hijacking</title><link>https://feed.craftedsignal.io/briefs/2026-04-netscaler-vulns/</link><pubDate>Wed, 01 Apr 2026 08:44:01 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-04-netscaler-vulns/</guid><description>Unauthenticated attackers can exploit CVE-2026-3055 (out-of-bounds read) to exfiltrate sensitive data from NetScaler ADC and Gateway, while CVE-2026-4368 (race condition) enables user session hijacking, necessitating immediate patching and enhanced monitoring.</description><content:encoded><![CDATA[<p>Citrix NetScaler ADC and Gateway are affected by two critical vulnerabilities, CVE-2026-3055 and CVE-2026-4368. CVE-2026-3055 is an out-of-bounds read vulnerability that allows an unauthenticated attacker to read arbitrary memory content. This could lead to the exfiltration of sensitive data like credentials and session tokens. CVE-2026-4368 is a race condition vulnerability that can lead to user session mix-up, potentially allowing one user to access another user&rsquo;s session. CISA has added CVE-2026-3055 to its Known Exploited Vulnerabilities catalog, indicating active exploitation in the wild as of March 30, 2026. The affected versions include NetScaler ADC and NetScaler Gateway 14.1 before 14.1-66.59, 13.1 before 13.1-62.23, and NetScaler ADC FIPS and NDcPP before 13.1-37.262. Defenders should prioritize patching and closely monitor affected systems.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An unauthenticated attacker sends a specially crafted request to a vulnerable NetScaler ADC or Gateway configured as a SAML IDP (for CVE-2026-3055).</li>
<li>Due to insufficient input validation, the appliance attempts to read memory beyond the allocated buffer.</li>
<li>The out-of-bounds read allows the attacker to access sensitive information stored in memory, such as session tokens, credentials, or other confidential data.</li>
<li>The attacker exfiltrates the gleaned sensitive information via network communication.</li>
<li>For CVE-2026-4368, multiple users attempt to authenticate to a NetScaler ADC or Gateway configured as a Gateway or AAA virtual server.</li>
<li>A race condition occurs during session creation or management.</li>
<li>One user&rsquo;s session is incorrectly associated with another user&rsquo;s account.</li>
<li>The attacker gains unauthorized access to another user&rsquo;s session, potentially performing actions on their behalf or accessing sensitive data.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-3055 allows attackers to steal sensitive information, potentially leading to account compromise, data breaches, and further unauthorized access to internal resources. CVE-2026-4368 can lead to unauthorized access to user accounts, potentially exposing sensitive data or enabling malicious activities under the guise of a legitimate user. Given that CISA has confirmed active exploitation of CVE-2026-3055, organizations using affected NetScaler products are at immediate risk. The impact spans across all sectors utilizing these products for application delivery and secure access.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Immediately patch NetScaler ADC and Gateway to the latest versions: 14.1-66.59 or later, 13.1-62.23 or later, and 13.1-37.262 or later for FIPS and NDcPP to remediate CVE-2026-3055 and CVE-2026-4368 as described in the Citrix advisory (<a href="https://support.citrix.com/support-home/kbsearch/article?articleNumber=CTX696300">https://support.citrix.com/support-home/kbsearch/article?articleNumber=CTX696300</a>).</li>
<li>Deploy the Sigma rule <code>Detect Netscaler CVE-2026-3055 GET Request</code> to identify potential exploitation attempts of CVE-2026-3055 based on suspicious HTTP GET requests targeting the SAML IDP.</li>
<li>Enable and review NetScaler audit logs for unusual authentication patterns or session activity that could indicate exploitation of CVE-2026-4368.</li>
<li>Monitor web server logs for HTTP requests with abnormally long URIs, which may be indicative of attempts to trigger the out-of-bounds read in CVE-2026-3055.</li>
<li>Apply the Sigma rule <code>Detect Netscaler CVE-2026-4368 POST Request</code> to identify potential exploitation attempts of CVE-2026-4368 based on suspicious HTTP POST requests targeting the Gateway or AAA virtual server.</li>
</ul>
]]></content:encoded><category domain="severity">critical</category><category domain="type">threat</category><category>netscaler</category><category>cve-2026-3055</category><category>cve-2026-4368</category><category>out-of-bounds read</category><category>race condition</category><category>memory corruption</category><category>session hijacking</category></item><item><title>RegPwnBOF Registry Symlink Race Condition Exploit</title><link>https://feed.craftedsignal.io/briefs/2024-01-regpwnbof/</link><pubDate>Thu, 19 Mar 2026 05:23:44 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-regpwnbof/</guid><description>RegPwnBOF exploits a registry symlink race condition in the Windows Accessibility ATConfig mechanism, enabling a normal user to write arbitrary values to protected HKLM registry keys for persistence and privilege escalation.</description><content:encoded><![CDATA[<p>RegPwnBOF is an exploit leveraging a registry symlink race condition within the Windows Accessibility ATConfig mechanism. This vulnerability allows an unprivileged user to manipulate protected areas of the registry, specifically HKLM, which are typically reserved for administrators or system processes. By exploiting this race condition, an attacker can write arbitrary values to these protected keys. The initial report surfaced around March 2026, highlighting the potential for unauthorized persistence and privilege escalation. This circumvents standard Windows security controls, posing a significant risk to system integrity and confidentiality. The exploit&rsquo;s accessibility to non-administrator users makes it particularly dangerous in environments where least-privilege principles are not strictly enforced.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An unprivileged user initiates the ATConfig mechanism within the Windows Accessibility features.</li>
<li>The exploit creates a registry symlink pointing to a protected HKLM key.</li>
<li>A race condition is triggered during the ATConfig process, allowing the exploit to bypass security checks.</li>
<li>The attacker leverages this race condition to overwrite the target HKLM registry key with arbitrary data.</li>
<li>The modified registry key is used to establish persistence, for example, by creating a Run key.</li>
<li>Upon system restart or user login, the malicious payload associated with the modified Run key is executed.</li>
<li>The attacker gains elevated privileges by executing code within the context of a privileged process.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of RegPwnBOF allows an attacker to gain persistent access to a compromised system and escalate their privileges to administrator level. This can lead to complete system compromise, data theft, and the installation of malware. The impact is magnified by the fact that this exploit can be triggered by a normal user, bypassing traditional access controls. The number of potential victims is considerable, as the vulnerability exists within the Windows Accessibility features, which are enabled by default on many systems.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Monitor registry modifications targeting HKLM keys, especially those related to Accessibility features, using a process_creation log source and the provided Sigma rules.</li>
<li>Implement strict access controls and least-privilege principles to limit the ability of unprivileged users to interact with system-level configurations.</li>
<li>Investigate any unusual registry symlink creation events using file_event logs, particularly those involving the ATConfig mechanism, to identify potential RegPwnBOF exploitation attempts.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>registry</category><category>symlink</category><category>race-condition</category><category>accessibility</category><category>privilege-escalation</category><category>persistence</category><category>windows</category></item><item><title>OpenClaw Symlink Race Condition Allows Sandbox Escape</title><link>https://feed.craftedsignal.io/briefs/2024-01-openclaw-symlink/</link><pubDate>Tue, 02 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-openclaw-symlink/</guid><description>A time-of-check/time-of-use (TOCTOU) race condition in OpenClaw versions 2026.4.21 and earlier allows a symlink swap to redirect filesystem writes outside the intended sandbox mount root, potentially leading to arbitrary file modification.</description><content:encoded><![CDATA[<p>OpenClaw, a tool available via npm, contains a vulnerability in versions 2026.4.21 and earlier that could allow for a sandbox escape. This vulnerability stems from a time-of-check/time-of-use (TOCTOU) race condition during filesystem writes within the OpenShell sandbox environment. An attacker could potentially exploit this vulnerability by manipulating symlinks to redirect write operations outside of the intended local mount root. This can occur because OpenClaw does not properly validate the target of write operations against the mount root, leaving it susceptible to symlink-based redirection attacks. Successful exploitation could allow an attacker to modify sensitive files outside the sandbox. The vulnerability is fixed in version 2026.4.22.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker crafts a malicious OpenClaw package or leverages an existing package.</li>
<li>The package contains a symlink within the intended sandbox directory.</li>
<li>The OpenClaw application attempts to write to a file via the symlink.</li>
<li>Between the time OpenClaw checks the symlink and the time it performs the write operation, the attacker replaces the symlink with a new symlink pointing outside the intended sandbox root.</li>
<li>OpenClaw, due to the TOCTOU race condition, writes to the file location pointed to by the new symlink, which resides outside the sandbox.</li>
<li>This allows the attacker to overwrite or modify arbitrary files on the system.</li>
<li>The attacker leverages this capability to gain elevated privileges or compromise sensitive data.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of this vulnerability could allow an attacker to bypass the intended security restrictions of the OpenClaw sandbox. An attacker could potentially overwrite system files, inject malicious code into existing applications, or steal sensitive data. While the exact number of affected installations is unknown, any system running a vulnerable version of OpenClaw is susceptible to this attack.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Upgrade to OpenClaw version 2026.4.22 or later to patch the vulnerability (reference: Affected Packages / Versions).</li>
<li>Monitor file system events for unexpected modifications outside of the expected OpenClaw sandbox directory. Deploy the Sigma rule <code>Detect OpenClaw Sandbox Escape via Symlink</code> to detect potential exploitation attempts.</li>
<li>Implement stricter file system access controls to limit the potential impact of successful exploitation (reference: Impact).</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>sandbox-escape</category><category>symlink</category><category>race-condition</category><category>npm</category></item></channel></rss>